Mining Concept-Drifting Data Stream to Detect Peer to Peer Botnet Traffic

We propose a novel stream data classification technique to detect Peer to Peer botnet. Botnet traffic can be considered as stream data having two important properties: infinite length and drifting concept. Thus, stream data classification technique is more appealing to botnet detection than simple classification technique. However, no other botnet detection approaches so far have applied stream data classification technique. We propose a multi-chunk, multi-level ensemble classifier based data mining technique to classify concept-drifting stream data. Previous ensemble techniques in classifying concept-drifting stream data use a single data chunk to train a classifier. In our approach, we train an ensemble of v classifiers from r consecutive data chunks. K of these v-classifier ensembles are used to build another level of ensemble. By introducing this multi-chunk, multi-level ensemble, we significantly reduce error compared to the singlechunk, single level ensemble. We have established the justification of using our algorithm theoretically. We have also tested our technique on both botnet traffic and simulated data, and obtained better detection accuracies compared to other published works.