A Method Aware of Concept Drift for Online Botnet Detection

Botnets deeply threaten cybersecurity due to their distributed and dynamic nature, causing attacks with severe consequences for users and companies, such as Distributed Denial of Service. Detecting botnets is challenging once they constantly evolve, resulting in fast behavior changes in network. Current techniques usually detect botnets without considering these changes and their fast adaptation to new behavior. Hence, this paper presents CONFRONT, a method aware of concept drift (fast changes in network behavior) for online botnet detection. Different from the literature, this paper introduces a new technique to detect concept drift and optimize botnet classification. CONFRONT employs features from network flow on the unsupervised concept drift detector and a supervised incremental botnet classifier. Results show CONFRONT feasibility, reaching 95% of accuracy in less than 1 ms.