|
| | The basic idea | Advantage | Disadvantage |
|
| Deep learning | (i) Using neural network to extract network traffic features based on temporal and spatial similarity. Map the network traffic into a grayscale image or feature vector and send it to the neural network model, extract distinguishable features and patterns from the two dimensions of time, space, or time and space, and automatically learn network traffic characteristics | (i) It does not rely on any prior knowledge about the protocol and topology, does not need to manually select features, and automate feature extraction | (i) Attackers can use anti-machine learning ideas to escape |
| (ii) Using reinforcement learning for new feature extraction, or detector distributed strategy placement | (ii) It has certain detection capabilities against unknown botnets and encryption protocol botnets | (ii) For massive data, the training speed is slightly slower |
| (iii) High accuracy | (iii) Difficult to detect deep latent botnets |
| (iv) Improve the detection and prediction of unknown “zero-day” online Fast-Flux botnets |
| Complex network | (i) Graph-based methods are mainly aimed at the behavior of executable files, such as control flow graphs, call graphs, and code graphs, to model graphs; or to graph based on node behaviors in network traffic, such as IP-domain mapping relationships modeling, classification and detection are carried out on this basis | (i) Better display of behavioral associations, combined with visualization methods to help researchers detect | (i) Pre-established rules are required to detect botnets from the graph |
| (ii) Based on the relatively frequent communication activities of zombies, a correlation graph will be formed, and based on the analysis of abnormal community behaviors, the complex network method is used to mine to detect botnets | (ii) Effectively detect invisible botnets without a lot of traffic | (ii) The accuracy of determining the behavioral association threshold is unstable—if the dataset is large, the computational cost of the detection method is usually high |
| Swarm intelligence | (i) Using heuristic biological behavior to search, feature extraction, and then combined with classifiers for detection | (i) It can be extracted from multiple aspects, without prior knowledge of system behavior, with high accuracy | (i) The disadvantage is the high time complexity. The heuristic rules require a lot of time to check the data against all the rules. |
| (ii) Can detect unknown botnets |
| Statistical analysis | (i) Modeling based on the statistical properties of zombie behaviors and estimating samples | (i) Statistical analysis can be quantified and analyzed relatively quickly | (i) Botnets change quickly and have complex features, which adds difficulty to statistical analysis |
| (ii) Statistics cannot be applied to heterogeneous data, only quantitative data |
| Distributed detection | (i) Design and deploy multiple detectors to improve the flexibility of the detection system and collect massive and multidimensional data for detection | (i) Improve accuracy | (i) It is difficult to choose a comprehensive deployment strategy |
| (ii) Improve the flexibility of the detection system | (ii) Time-consuming |
| Combination method | (i) Multidimensional | (i) Helps to detect under high-speed network environment | (i) Lack of proper combination may lead to high computational cost |
| (ii) Multiagent | (ii) Helps to detect at an early stage |
| (iii) Multiple technologies | (iii) Has good flexibility |
| (iv) Can detect unknown attacks. |
|
