Improving intrusion detection on snort rules for botnets detection


Abstract

Botnets have become a serious problem in network security, and an organization should find solutions to protect its data and network systems in order to reduce the risk they pose. The Snort Intrusion Detection System (Snort-IDS) is the most widely used software for protecting network security, and it uses rules to match against data packet traffic. Some existing rules can already detect Botnets. This paper improves the Snort-IDS rules for Botnet detection, and we analyze Botnet behaviors in three rule files: Botnets_attack_1.rules, Botnets_attack_2.rules, and Botnets_attack_3.rules. Moreover, we use the MCFP dataset, which includes five capture files (CTU-Malware-Capture-Botnet-42, CTU-Malware-Capture-Botnet-43, CTU-Malware-Capture-Botnet-47, CTU-Malware-Capture-Botnet-49, and CTU-Malware-Capture-Botnet-50), together with the three Snort-IDS rule files. The paper focuses in particular on evaluating the three rule files in terms of efficiency of detection and fallibility for Botnet detection. The performance of each rule is evaluated by detecting each packet. The experimental results show that the Botnets_attack_1.rules file can detect Botnets for at most 809075 alerts, with an efficiency of detection of 94.81% and a fallibility of 5.17%. The Botnets_attack_2.rules file can detect Botnets for up to 836191 alerts, with an efficiency of detection of 97.81% and a fallibility of 2.90%. The last case, the Botnets_attack_3.rules file, can detect Botnets for 822711 alerts, with an efficiency of detection of 93.72% and a fallibility of 6.27%. The Botnets_attack_2.rules file is the most proficient rule file for Botnet detection, because it has the highest efficiency of detection and the lowest fallibility.

Citation (APA)

Chanthakoummane, Y., Saiyod, S., Benjamas, N., & Khamphakdee, N. (2016). Improving intrusion detection on snort rules for botnets detection. In Lecture Notes in Electrical Engineering (Vol. 376, pp. 765–779). Springer Verlag. https://doi.org/10.1007/978-981-10-0557-2_74
