Top

International Journal of Information Security

Published in:

30-08-2023 | Survey

A review on graph-based approaches for network security monitoring and botnet detection

Authors: Sofiane Lagraa, Martin Husák, Hamida Seba, Satyanarayana Vuppala, Radu State, Moussa Ouedraogo

Published in: International Journal of Information Security | Issue 1/2024

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

This survey paper provides a comprehensive overview of recent research and development in network security that uses graphs and graph-based data representation and analytics. The paper focuses on the graph-based representation of network traffic records and the application of graph-based analytics in intrusion detection and botnet detection. The paper aims to answer several questions related to graph-based approaches in network security, including the types of graphs used to represent network security data, the approaches used to analyze such graphs, the metrics used for detection and monitoring, and the reproducibility of existing works. The paper presents a survey of graph models used to represent, store, and visualize network security data, a survey of the algorithms and approaches used to analyze such data, and an enumeration of the most important graph features used for network security analytics for monitoring and botnet detection. The paper also discusses the challenges and limitations of using graph-based approaches in network security and identifies potential future research directions. Overall, this survey paper provides a valuable resource for researchers and practitioners in the field of network security who are interested in using graph-based approaches for analyzing and detecting malicious activities in networks.

previous article Cybersecurity challenges in IoT-based smart renewable energy

next article SDN as a defence mechanism: a comprehensive survey

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

https://grasec.uni.lu/.

https://www.fvv.um.si/eicc2022/cnacys.html.

A network is said to be assortative when high degree nodes are, on average, connected to other nodes with high degree and low degree nodes are, on average, connected to other nodes with low degree [85].

Akoglu, L., Tong, H., Koutra, D.: Graph based anomaly detection and description: a survey. Data Min. Knowl. Disc. 29(3), 626–688 (2014)MathSciNetCrossRef

Amini, P., Araghizadeh, M.A., Azmi, R.: A survey on botnet: classification, detection and defense. In: International Electronics Symposium (IES), pp. 233–238 (2015)

Amrouche, F., Lagraa, S., Kaiafas, G., State, R.: Graph-based malicious login events investigation. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 63–66 (2019)

Apache Software Foundation: Apache Spark. https://spark.apache.org/. Accessed 1 Nov 2021

Apache Software Foundation: Apache TinkerPop. https://tinkerpop.apache.org/. Accessed 1 Nov 2021

Apache Software Foundation: GraphX. https://spark.apache.org/graphx/. Accessed 1 Nov 2021

Apruzzese, G., Pierazzi, F., Colajanni, M., Marchetti, M.: Detection and threat prioritization of pivoting attacks in large networks. IEEE Trans. Emerg. Top. Comput. 8(2), 404–415 (2020)CrossRef

ArrangoDB. https://www.arangodb.com. Accessed 1 Nov 2021

Bai, J., Shi, Q., Mu, S.: A malware and variant detection method using function call graph isomorphism. Secur. Commun. Netw. 2019, 1043,794:1-1043,794:12 (2019)CrossRef

10.

Berger, A., D’Alconzo, A., Gansterer, W.N., Pescapé, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28–44 (2016)CrossRef

11.

Böhm, F., Menges, F., Pernul, G.: Graph-based visual analytics for cyber threat intelligence. Cybersecurity 1(1), 16 (2018)CrossRef

12.

Bou-Harb, E., Debbabi, M., Assi, C.: Big data behavioral analytics meet graph theory: on effective botnet takedowns. IEEE Netw. 31(1), 18–26 (2017)CrossRef

13.

Bowman, B., Laprade, C., Ji, Y., Huang, H.H.: Detecting lateral movement in enterprise computer networks with unsupervised graph AI. In: 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pp. 257–268 (2020)

14.

Bowman, B., Huang, H.H.: Towards next-generation cybersecurity with graph AI. SIGOPS Oper. Syst. Rev. 55(1), 61–67 (2021)CrossRef

15.

Bunke, H., Allerman, G.: Inexact graph matching for structural pattern recognition. Pattern Recognit. Lett. 1(4), 245–253 (1983)CrossRef

16.

Caswell, B., Foster, J.C., Russell, R., Beale, J., Posluns, J.: Snort 2.0 Intrusion Detection. Syngress Publishing, Oxford (2003)

17.

Cayley. https://cayley.io. Accessed 1 Nov 2021

18.

Čermák, M., Šrámková, D.: GRANEF: utilization of a graph database for network forensics. In: Proceedings of the 18th International Conference on Security and Cryptography, pp. 785–790. SCITEPRESS (2021)

19.

CESNET and Masaryk University: SABU. https://sabu.cesnet.cz/en/start. Accessed 1 Nov 2021

20.

Chowdhury, S., Khanzadeh, M., Akula, R., Zhang, F., Zhang, S., Medal, H., Marufuzzaman, M., Bian, L.: Botnet detection using graph-based feature clustering. J. Big Data 4(1), 14 (2017)CrossRef

21.

CISCO: global—2021 forecast highlights. https://www.cisco.com/c/dam/m/en_us/solutions/service-provider/vni-forecast-highlights/pdf/Global_2021_Forecast_Highlights.pdf (2021)

22.

Data Collection, C., Sharing. https://www.caida.org/data/. Accessed 1 Nov 2021

23.

Daya, A.A., Salahuddin, M.A., Limam, N., Boutaba, R.: A graph-based machine learning approach for bot detection. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 144–152 (2019)

24.

Daya, A.A., Salahuddin, M.A., Limam, N., Boutaba, R.: BotChase: graph-based bot detection using machine learning. IEEE Trans. Netw. Serv. Manag. 17(1), 15–29 (2020)CrossRef

25.

DGraph. https://dgraph.io. Accessed 1 Nov 2021

26.

Essawy, B.T., Goodall, J.L., Voce, D., Morsy, M.M., Sadler, J.M., Choi, Y.D., Tarboton, D.G., Malik, T.: A taxonomy for reproducible and replicable research in environmental modelling. Environ. Model. Softw. 134, 104,753 (2020)CrossRef

27.

Evrard, L., François, J., Colin, J.: Attacker behavior-based metric for security monitoring applied to darknet analysis. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 89–97 (2019)

28.

Fitch, J.A., III., Hoffman, L.J.: A shortest path network security model. Comput. Secur. 12(2), 169–189 (1993). https://doi.org/10.1016/0167-4048(93)90100-JCrossRef

29.

Fredj, O.B.: A realistic graph-based alert correlation system. SEC Commun. Netw. 8(15), 2477–2493 (2015)CrossRef

30.

Gamachchi, A., Boztas, S.: Insider threat detection through attributed graph clustering. In: IEEE Trustcom/BigDataSE/ICESS, pp. 112–119 (2017)

31.

Gamachchi, A., Sun, L., Boztas, S.: Graph based framework for malicious insider threat detection. In: 50th Hawaii International Conference on System Sciences, HICSS, pp. 1–10 (2017)

32.

García, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Comput. Secur. 45, 100–123 (2014)CrossRef

33.

García, S., Zunino, A., Campo, M.: Survey on network-based botnet detection methods. Secur. Commun. Netw. 7(5), 878–903 (2014)CrossRef

34.

Gligor, V.D.: A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng. SE–10(3), 320–324 (1984). https://doi.org/10.1109/TSE.1984.5010241CrossRef

35.

Grover, A., Leskovec, J.: node2vec: scalable feature learning for networks. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, pp. 855–864 (2016)

36.

Haas, S., Fischer, M.: GAC: graph-based alert correlation for the detection of distributed multi-step attacks. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC ’18, pp. 979–988. Association for Computing Machinery (2018)

37.

Haas, S., Wilkens, F., Fischer, M.: Efficient attack correlation and identification of attack scenarios based on network-motifs. In: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC) (2019). https://doi.org/10.1109/IPCCC47392.2019.8958734

38.

Haas, S., Fischer, M.: On the alert correlation process for the detection of multi-step attacks and a graph-based realization. SIGAPP Appl. Comput. Rev. 19(1), 5–19 (2019)CrossRef

39.

Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRef

40.

Husák, M., Čermák, M.: A graph-based representation of relations in network security alert sharing platforms. In: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 891–892 (2017)

41.

Husák, M., Komárková, J., Bou-Harb, E., Celeda, P.: Survey of attack projection, prediction, and forecasting in cyber security. IEEE Commun. Surv. Tutor. 21(1), 640–660 (2019)CrossRef

42.

Jaikumar, P., Kak, A.C.: A graph-theoretic framework for isolating botnets in a network. Secur. Commun. Netw. 8(16), 2605–2623 (2015)CrossRef

43.

JanusGraph. http://janusgraph.org. Accessed 1 Nov 2021

44.

Kaiafas, G., Varisteas, G., Lagraa, S., State, R., Nguyen, C.D., Ries, T., Ourdane, M.: Detecting malicious authentication events trustfully. In: 2018 IEEE/IFIP Network Operations and Management Symposium (NOMS) (2018)

45.

Kao, M.Y.: Encyclopedia of Algorithms. Springer, New York (2007)

46.

Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inf. Secur. Appl. 29, 27–56 (2016)

47.

Kent, A.D.: Comprehensive, Multi-Source Cyber-Security Events. Los Alamos National Laboratory (2015). https://doi.org/10.17021/1179829

48.

Kiouche, A.E., Lagraa, S., Amrouche, K., Seba, H.: A simple graph embedding for anomaly detection in a stream of heterogeneous labeled graphs. Pattern Recognit. 112, 107,746 (2021)CrossRef

49.

Lagraa, S., François, J., Lahmadi, A., Minier, M., Hammerschmidt, C.A., State, R.: BotGM: unsupervised graph mining to detect botnets in traffic flows. In: Cyber Security in Networking Conference, CSNet (2017)

50.

Lagraa, S., François, J.: Knowledge discovery of port scans from darknet. In: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 935–940 (2017)

51.

Lagraa, S., State, R.: What database do you choose for heterogeneous security log events analysis? In: 2021 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 812–817. IEEE (2021)

52.

Lagraa, S., Chen, Y., François, J.: Deep mining port scans from darknet. Int. J. Netw. Manag. 29(3), e2065 (2019)CrossRef

53.

Lal, M.: Neo4J Graph Data Modeling. Packt Publishing, Birmingham (2015)

54.

Lallie, H.S., Debattista, K., Bal, J.: A review of attack graph and attack tree visual syntax in cyber security. Comput. Sci. Rev. 35, 100,219 (2020)MathSciNetCrossRef

55.

Leichtnam, L., Totel, E., Prigent, N., Mé, L.: Sec2graph: network attack detection based on novelty detection on graph structured data. In: Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 238–258. Springer (2020)

56.

Li, Z., Chen, Q.A., Yang, R., Chen, Y., Ruan, W.: Threat detection and investigation with system-level provenance graphs: a survey. Comput. Secur. 106, 102,282 (2021)CrossRef

57.

Li, S., Zhou, Q., Zhou, R., Lv, Q.: Intelligent malware detection based on graph convolutional network. J. Supercomput. 78(3), 4182–4198 (2022)CrossRef

58.

Liu, L., De Vel, O., Han, Q., Zhang, J., Xiang, Y.: Detecting and preventing cyber insider threats: a survey. IEEE Commun. Surv. Tutor. 20(2), 1397–1417 (2018)CrossRef

59.

Neo4j. https://neo4j.com/. Accessed 1 Nov 2021

60.

Neo4j: cypher query language. https://neo4j.com/developer/cypher/. Accessed 1 Nov 2021

61.

Newman, M.E.: Modularity and community structure in networks. Proc. Natl. Acad. Sci. USA 103, 8577–8582 (2006)CrossRef

62.

Noel, S., Harley, E., Tam, K.H., Gyor, G.: Big-Data Architecture for Cyber Attack Graphs Representing Security Relationships in NoSQL Graph Databases (2015)

63.

Noel, S., Harley, E., Tam, K.H., Limiero, M., Share, M.: CyGraph: graph-based analytics and visualization for cybersecurity. In: Handbook of Statistics, vol. 35, pp. 117–167. Elsevier (2016)

64.

Noel, S.: A Review of Graph Approaches to Network Security Analytics, pp. 300–323. Springer, New York (2018)

65.

OrientDB. https://orientdb.org. Accessed 1 Nov 2021

66.

Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)CrossRef

67.

Perozzi, B., Al-Rfou, R., Skiena, S.: DeepWalk: Online Learning of Social Representations, pp. 701–710. ACM (2014)

68.

Quiña Mera, A., Fernandez, P., García, J.M., Ruiz-Cortés, A.: GraphQL: a systematic mapping study. ACM Comput. Surv. 55(10), 25 (2023). https://doi.org/10.1145/3561818CrossRef

69.

Roussinov, D.G., Chen, H.: A scalable self-organizing map algorithm for textual classification: a neural network approach to thesaurus generation (1998)

70.

Sadreazami, H., Mohammadi, A., Asif, A., Plataniotis, K.N.: Distributed-graph-based statistical approach for intrusion detection in cyber-physical systems. IEEE Trans. Signal Inf. Process. Netw. 4(1), 137–147 (2018)MathSciNet

71.

Sanfeliu, A., Fu, K.: A distance measure between attributed relational graphs for pattern recognition. IEEE Trans. Syst. Man Cybern. B 13(3), 353–363 (1983)CrossRef

72.

SANS Internet Storm Center: DShield. https://secure.dshield.org/. Accessed 1 Nov 2021

73.

Shang, Y., Yang, S., Wang, W.: Botnet detection with hybrid analysis on flow based and graph based features of network traffic. In: Cloud Computing and Security, pp. 612–621. Springer (2018)

74.

Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), pp. 108–116 (2018)

75.

Shevchenko, S., Zhdanova, Y., Skladannyi, P., Spasiteleva, S.: Mathematical methods in cybersecurity: graphs and their application in information and cybersecurity. Cybersecur. Educ. Sci. Tech. 1, 25 (2021). https://doi.org/10.28925/2663-4023.2021.13.133144CrossRef

76.

Sinha, K., Viswanathan, A., Bunn, J.: Tracking temporal evolution of network activity for botnet detection (2019). https://doi.org/10.48550/ARXIV.1908.03443. arXiv:1908.03443

77.

Stratosphere Lab: The CTU-13 Dataset. A Labeled Dataset with Botnet, Normal and Background traffic. https://www.stratosphereips.org/datasets-ctu13. Accessed 1 Nov 2021

78.

Tiddi, I., Schlobach, S.: Knowledge graphs as tools for explainable machine learning: a survey. Artif. Intell. 103627 (2021)

79.

Umer, M.F., Sher, M., Bi, Y.: Flow-based intrusion detection: techniques and challenges. Comput. Secur. 70, 238–254 (2017)CrossRef

80.

Venkatesh, B., Choudhury, S.H., Nagaraja, S., Balakrishnan, N.: BotSpot: fast graph based identification of structured P2P bots. J. Comput. Virol. Hack. Tech. 11(4), 247–261 (2015)CrossRef

81.

Wang, J., Paschalidis, I.C.: Botnet detection using social graph analysis. In: 2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 393–400 (2014)

82.

Wang, J., Paschalidis, I.C.: Botnet detection based on anomaly and community detection. IEEE Trans. Control Netw. Syst. 4(2), 392–404 (2017)MathSciNetCrossRef

83.

Wang, W., Shang, Y., He, Y., Li, Y., Liu, J.: BotMark: automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors. Inf. Sci. 511, 284–296 (2020)CrossRef

84.

Wüchner, T., Ochoa, M., Pretschner, A.: Malware detection with quantitative data flow graphs. In: 9th ACM Symposium on Information, Computer and Communications Security, pp. 271–282. ACM (2014)

85.

Yang, R.: Adjusting assortativity in complex networks. In: Proceedings of the 2014 ACM Southeast Regional Conference, Kennesaw, GA, USA, pp. 2:1–2:5 (2014)

86.

Zeek: Zeek Network Security Monitor tool. https://zeek.org/. Accessed 1 Nov 2021

Title: A review on graph-based approaches for network security monitoring and botnet detection
Authors: Sofiane Lagraa
Martin Husák
Hamida Seba
Satyanarayana Vuppala
Radu State
Moussa Ouedraogo
Publication date: 30-08-2023
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2024
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-023-00742-7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2024

Simulation extractable versions of Groth’s zk-SNARK revisited

RLET: a lightweight model for ubiquitous multi-class intrusion detection in sustainable and secured smart environment

On private information retrieval supporting range queries

Cybersecurity challenges in IoT-based smart renewable energy

Simulating all archetypes of SQL injection vulnerability exploitation using reinforcement learning agents

Cyber threat assessment and management for securing healthcare ecosystems using natural language processing

Premium Partner