Botnet detection: A cooperative game theoretical correlation-based model

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Scopus citations: 1

Abstract

In this paper, we address the problem of botnet detection by correlating information from trusted hosts and the network. Botnets are groups of compromised computers controlled by a botmaster through a command and control (C&C) channel. They are noted as one of the foremost security threats, causing large-scale attacks such as Distributed Denial of Service (DDoS), spam, mass identity theft and click fraud. Various approaches are used to detect botnets, ranging from network-level to host-level detection. To enhance the detection rate, a correlation-based model was proposed that combines both host-level and network-level information. Such a model is valid in a network made of trusted hosts. The emergence of smartphones, which are mobile and can be hosts in different networks, opens the door to untrusted hosts that can reveal fake information. As a solution, we propose a trust-based model that uses cooperative game theory to cluster trusted hosts. The trust is built using the reputation value, which is computed using the hosts' marginal contribution, derived from the Shapley value. Simulation results show that our model improves the detection score compared to the traditional correlation model. In one of the simulated scenarios, we are able to detect a benign cluster of hosts faster than the traditional correlation model.

Original language: British English
Title of host publication: 2013 3rd International Conference on Communications and Information Technology, ICCIT 2013
Pages: 28-32
Number of pages: 5
State: Published - 2013
Event: 2013 3rd International Conference on Communications and Information Technology, ICCIT 2013 - Beirut, Lebanon
Duration: 19 Jun 2013 to 21 Jun 2013

Publication series

Name: 2013 3rd International Conference on Communications and Information Technology, ICCIT 2013

Conference

Conference: 2013 3rd International Conference on Communications and Information Technology, ICCIT 2013
Country/Territory: Lebanon
City: Beirut
Period: 19/06/13 to 21/06/13

Keywords

  • Botnet
  • botnet detection system
  • cooperative game theory
  • correlation
  • game theory
