Journal of Engineering Science and Technology Vol. 15, No. 5 (2020) 2906 - 2923 © School of Engineering, Taylor’s University

2906

DOLPHIN AND ELEPHANT HERDING OPTIMIZATION SWARM INTELLIGENCE ALGORITHMS USED

TO DETECT NERIS BOTNET

MAISIRREEM A. KAMAL1,*, LAHEEB M. IBRAHIM2, ABDULSATTAR A. AL-ALUSI3

1College of Computer Sciences and Mathematics, University of Mosul, Aljamia , Mosul, Nenava, Iraq

2College of Computer Sciences and Mathematics, University of Mosul, Aljamia , Mosul, Nenava, Iraq

3Dean, College of Security and Global Studies, American University in the Emirates, DIAC, Dubai, UAE

*Corresponding Author: maisirreem_alsaigh@uomosul.edu.iq

Abstract

As of late, botnets can be categorized among malicious vectors, which are rapidly developing and changing the underground economy. They present major security threats and vulnerabilities to enterprises, citizens, and governments in this world of technology. Botnet is one of the most important and serious security problems facing companies and countries. The master of the bot spies on the victim, the master of the bot can fully see what the victim is doing; numerous on-going countermeasures use Artificial intelligence methodologies because of its “model-free” and adaptability properties. In this paper, the utilization of two algorithms of swarm intelligent known as Elephant and Dolphin Herding algorithms for optimization for scalable and accurate detection of attacks of the Neris botnet is proposed because swarm intelligent algorithms have low total cost, derivative free optimization, robustness, easy implementation, flexibility. The proposed technique can detect the Neris botnet quickly and precisely.

Keywords: Botnets, Dolphin swarm intelligence, Elephant Herding optimization, Neris botnet, Swarm intelligence.

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2907

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

1. Introduction With various technological advancements and the IoT (Internet of Things) technology, everything in our lives, from appliances used at home to class, watches, and even in vehicles is linked online. It is projected that on 2020, there will be nearly 30 billion gadgets linked with the Internet. Because of the enormous number of technological devices expected to be internet-connected, the rate of cyber-insecurities is expected to increase too at a rapid pace. This is because more cyber-attackers and hackers will be attracted with the main aim of bypassing passwords of organizations or people, steal confidential data and sell for money. The presence of attackers and hackers is depicted as the consequence of the rapid growth rate in the information technology (IT) sector. Even though the internet and technology were at first positively utilize, everything has its disadvantageous side, in this case, the exploitation of networks by hackers for their malicious use. Botnets are a series of personal Computer (PC) linked together to play a particular role in performing a specific task of controlling your PC, and it is one of the numerous risks on the Internet, as botnet also controls the callers of the PC. The botnet can gain accessibility to the PC through the use of some bypassing codes. Sometimes, the PC is automatically hacked directly. Botnets can be utilized to execute pretty much any cyber-attacks.

At the point when a hacker needs the PC user to add their device to the internet of the hacker, he/she can achieve this generally, ensuring certain worms and viruses are downloaded on the victim’s computer. When the malicious software is downloaded, the Botnet will connect automatically to their main PC and inform them that everything is prepared, and everything in the victim’s PC, phone, or any technological device is now under the accessibility of the botnet hacker. Sometimes the user of the hacked computer is locked out. Botnet design has advanced after some time with an end goal to evade disruption and detection. Generally, both programs are built as clients who convey their message using the existing servers. This permits the bot herder (the individual controlling the botnet) to take all control from a remote area, which muddles their traffic [1, 2]. Several on-going botnets now depend on existing distributed systems to impart. These Peer to Peer (P2P) bot programs play out indistinguishable activities from the client-server model. However, they do not require a central server to impart.

The steps below show how a botnet is functioned. • A hacker builds a program (a malicious application the bot.) and utilizes it in

infecting other users' computers. • The bot Indicates the computer which is infected to link to a certain C&C

(command-and-control) server. • The botmaster utilizes the created and connected botnet to plural keystrokes to

obtain the confidential online credentials illegally.

The first designed and developed botnet was firstly used at a lawsuit by Earthlink with Khan C. Smith, who is a notorious spammer in 2001 for accounting bulk spam of about 25% of all spam at the time [3-5].From 2001 until now, many types of botnet appeared, like MaXiTE in 2003, Bagle, Marina Botnet, Torpig, Storm in 2004, Rustock, Donbot in 2006, Cutwail, Akbot, Srizbi in 2007, Sality, Mariposa, Gumblar in 2008, etc.

2908 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

The botnet harms the user of the Internet in many ways by Spy and steal confidential information Distributed Service Blocking and Send spam to internet user and steal his information [3-5].

Intelligence techniques add precision to the new botnet detection and prediction techniques. Some researchers have used Swarm Intelligence (SI) algorithms and found that SI has a better performance, faster convergence rate, as well as a better predicting ability. Because Swarm intelligent can present similar intelligent collective behaviour and shared “information” discovered individually and communicated to the swarm by many ways, the intelligent solutions to problems naturally emerge from the self-organization and communication of these simple individuals, swarm intelligence have many advantages also like Easy implementation, dynamic optimization, low total cost, self-organization, robust performance, easy implementation, and because the botnet is considered as one of the biggest dangers for Internet users, in this paper, a study for Neris botnet is done and proposed a system to detect it using Dolphin and Elephant Herding Optimization swarm intelligence Algorithms.

The reset of research is an introduction for Botnet, Section Two is for related work, in section Three, Neris botnet is discussed in detail. Section Four explain what Dolphin and Elephant Herding Optimization Algorithm, Section five for proposed work, Section six for experiment result, and at last part is the conclusion and future work.

2. Related Work

Khan et al. [6] proposed a study to exhibits some proficient outcomes by breaking down the network traffic concerning the occurred cyber-attacks: SPAM, DDoS, IRC, etc. Compiled and Controlled record by HTTP, CTU, Storm, Waledac. The outcomes demonstrate the centrality of the proposed structure when contrasted with the outcomes acquired from various categorized. It was seen algorithm of Decision Tree had a high exactness for detecting P2P botnet traffic.

Chen et al. [7] proposed the use of a distributed scheme of detection that was based on the optimization algorithm of the Ant Colony Optimization (ACO), which finds the ways to C2 servers to bots. The outcomes illustrated that the proposed scheme of detection could determine botnet servers. The studies of Chia-Mei Chen et al. builds up a novel perceive ability capacity of the ACO algorithm, which is dependent on the traffic irregularity; consequently, the network pathways to malicious servers get high pheromones. The ACO proposed detection strategy needs no previous data of the entire topology network or information flow of different network routers. It could also detect C&C malicious servers in the beginning period when the botnet virus starts infecting a specific network with a modest quantity of malicious traffic.

Lingxia et al. [8] studied a software-defined networking (SDN) system and a logically centralized control plane that maintains a global network view and enables network-wide management, optimization, and innovation. Network-wide management and they found that optimization problems are typically very complex with a huge solution space, a large number of variables, and multiple objectives. Heuristic algorithms can solve these problems in an acceptable time but are usually limited to some particular problem circumstances. On the other hand, evolutionary algorithms (EAs), which are general stochastic algorithms inspired by the natural

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2909

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

biological evolution of the social behaviour of species, can theoretically be used to solve any complex optimization problems, including those found in SDNs. The researcher views four types of EAs that are widely applied in current SDNs: GAs (Genetic Algorithms), PSO (Particle Swarm Optimization). ACO (Ant Colony Optimization) and SA (Simulated Annealing) by discussing their techniques, summarizing their typical applications. To the best of their knowledge, the work is the first that compares the methods and categorizes the applications of these four EAs in SDNs.

Li et al. [9] presented a theoretical model based on MAS that is used as a basic model to typify botnets with intelligent bots. According to the analysis, the researcher can point to a dangerous evolution of botnets, which can have a high impact on security systems. On the other hand, the researcher call attention to the fact that for combating this new kind of botnet, new tools will be necessary, and intelligent techniques, as ML (Machine learning), can be a valuable asset to their development. Finally, they strongly recommend security researchers to review their security systems and applications and apply threat modelling to evaluate the impact of attacks by tools and methods using ML.

Chen and Huang [10] proposed an Ant Colony Optimization (ACO) -based detection framework to identify low-rate Distributed Denial of Service (DDoS) attacks. The framework comprises three stages, and the ACO algorithm is applied to collect information heuristic from the network traffic.

Castiglione et al. [11] proposed a new botnet-based command and control approach which relies on ACO (ant colony optimization) to improve botnets scalability and survivability. Castiglione et al. (2014) claims that this might be a new evolutionary and future scheme of malware-based control.

Lin et al. [12] proposed a method for botnet feature characterization, which classified the model using an artificial fish swarm algorithm and a support vector machine that is combined. A LAN environment with several computers which has infected by the botnet virus was simulated for testing this model; the packet data of network flow was also collected. The proposed method was used to identify the critical features that determine the pattern of the botnet. The experimental results indicated that the technique can be used for identifying the essential botnet features and that the performance of the proposed method was superior to that of genetic algorithms.

Huseynov et al. [13] presented a semi-supervised botnet detection method and evaluation of the new type of bio-inspired algorithm in the context of network traffic analysis. Since there haven't been similar approaches in botnet detection, they aimed to measure the effectiveness of the ATTA-C algorithm in botnet detection. The researcher approach was shown to be payload independent, meaning that it can detect the bots employing encrypted communication. Furthermore, the existence of botnet can be detected within a short amount of time, around 300s. This is much faster compared to the methods using flows only.

Satoshi et al. [14] used only one function of bots, the remote-control channel (C&C session). The researcher propped a technique for classification of the C&C session from the traffic data by identify computers compromised by the bot program, they using a support vector machine (SVM). The accuracy result is 95% in the identification of the C&C session by using SVM.

2910 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

After the completion of reading the previous research and studies in the field of detect botnet using traditional, intelligence, and swarm methods. The authors proposed a method to detect Neris botnet using an intelligent swarm algorithm, which is Dolphin and Elephant Herding Optimization Algorithm.

3. Neris Botnet The Neris Botnet is a centralized botnet used an HTTP based C&C channel, the Neris botnet dangers by Send spam, spam are messages that may appear to be from people. Still, they are either propaganda or an attempt to take personal information and are also a fundamental way to add more devices to the botnet network. The activity of the Neris botnet by:

• Communication using C&C channels. • Send SPAM or Spy and steal confidential information or Distributed Service

Blocking. • Execute click-cheat using some announcement services.

Table 1 shows a sample of Neris Botnet can find it in CTU-13 Dataset, CTU-13 consists of 13 various captured scenarios of different botnet samples. There are multiple forms of attacks included in the dataset of CTU-13, for example, Spam traffic, IRC, Click Fraud such as DDoS; Port Scan, and Fast Flux contained in CTU dataset. The files captured were monitored and stored in the form of a pcap. Below is a sample of the CTU-13 dataset with a botnet traffic background. [6, 15].

Figure 1 explains whom Wireshark used to capture network traffic for further analysis and experimentation.

Table 1. Description of Neris botnet found its own CTU-13 Dataset. Data set CTU- malware-

capture botnet-42 CTU-malware- capture botnet-42

Botnet Neris Neris Type of attack SPAM, IRC, and CF IRC, SPAM, CF Packets captured

323,154 176.064

Size (GB) 52 60 Duration (h) 6.15 4.21 Number of Infected nodes

1 1

Display 100% 100% Remarks The botnet used an

HTTP based not an IRC C&C channel and C&C channel. The bot sent spam, and do some ClickFraud

The bot sent spam, connected to an HTTP CC, and use HTTP to do some ClickFraud.

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2911

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

Fig. 1. Network traffic captured with Wireshark tool.

Characteristics of the Neris botnet packet captured to create Dataset used for the Detection phase are as follows below [16-18].

Binary used Neris .exe Md5: Bf08e6b02e00d2bc6dd493e93e698 Name: Neris Capture duration: 6.15 hours Complete Pcap size: 52 GB Botnet Pcap size: 56 MB NetFlow Size: 369 MB Infected Virtual Environment Windows named "SARUMAN" IP address: 147.32.84.165 The label of this IP in the Net Flows files "Botnet"

4. Swarm Intelligent Algorithms Swarm intelligence is one of intelligent interactive multi-agent systems development and design which come together for main purpose of achieving a shared goal. Dorigo has defined swarm intelligence: "The emergent collective intelligence of groups of simple agents". All Swarm algorithms are simulated by behaviours of social living beings that live to gather in a group of colonies [19]. Several SI principles have been supposedly from real collective behaviour systems in the nature including Ant Colony Optimizations (ACO) by M. Dorgo in 1992, Particles Swarm Optimizations (PSO) by Eberhart and Kenedy in 1995 [11],

2912 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

Artificial Bee Colony (ABC) by Karabaga in 2005, Glowworm Swarm Optimization, Firefly Algorithm by Xin-She Yang in 2009, and other optimization algorithms. [19] An intelligent swarm algorithm, Dolphin and Elephant Herding optimization algorithms are used to detect Neri's botnet.

4.1. Dolphin swarm intelligent The dolphin swarm algorithm is one of swarm intelligent algorithms have some good features, like first-slow-then-fast convergence, periodic convergence, local-optimum free and the dolphin swarm algorithm is appropriate to optimization problems, with more calls of fitness functions and fewer individuals. The dolphin has numerous significant natural attributes and living propensities worth being leaned out from and reproduced, for example, division of labour and cooperation, echolocation, and information exchanges. A few stages, including the call, search, predation, and reception stages, contain the predatory process of dolphin, and these habits and attributes assist the dolphin in accomplishing its objective during the process of predation. By recreating the biological habits and attributes appeared in the predatory process of dolphins [20, 21].

The algorithm of dolphin swarm has some incredible characteristics, for example, periodic convergence, no specific on-demand on the benchmark, first slow then fast convergence and local-optimum functions. Besides, the algorithm of dolphin swarm is especially suitable for problems related to improvement, with more and fewer fitness functions and individuals, respectively [20, 21]. These simulated habits and characteristics in the algorithm of dolphin swarm comply with the considerations of swarm intelligence; the algorithm of dolphin swarm exploits echolocation. It embraces various procedures to get the solutions more successfully, which might be an achievement.

4.1.1. Behavior of dolphin swarm Dolphin is commonly recognized as perhaps the sharpest creature, and it has a great deal of fascinating biological living habits and characteristics worth our consideration [20, 21].

• Echolocation: The dolphin utilizes the method of echolocation which is an uncommon ability when searching for prey. Dolphin uses their made sounds to gauge the area, distance, and also prey state as per the intensity of the echo. Echolocation gives dolphins a superior impression of the encompassing environment.

• Division of work and cooperation: during predation, dolphins call each other through echolocation to assist with process. Work cooperation and division is illustrated in various areas while preying. For example, the dolphins near the prey are responsible for attacking while the distant dolphins circle the prey to prevent it from escaping.

• Information exchange: Dolphins have the capability of communicating with other dolphins by exchanging information. Dolphins have capabilities of expressing various thoughts by utilizing multiple sounds frequencies that relates to their system of language. In the dolphin’s predation process, particularly under cooperation and division of labor, communication capabilities are now and again used to connect with different dolphins and update prey’s location.

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2913

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

With the assistance of data exchange, the dolphin can take more qualified activities to make the predation progressively powerful and effective. The entire predation process of dolphins comprises of three phases. Firstly,

every dolphin freely exploits sounds to look for close by preys and to assess the encompassing environment through the utilization of echoes. Secondly, dolphins exchange with each other their data. The dolphins that discover large prey call different dolphins for assistance. The dolphins that received the exchanged information through echo moves towards the prey and encompassed it alongside different dolphins. Lastly, the prey is circled by the dolphins, and afterward, what the dolphins need to do is to alternate between appreciating the nourishment. This implies that the process of predation is achieved.

4.1.2. Dolphin Swarm Algorithm The method of the dolphin algorithm is simulated from the dolphin population’s hunting process. In this algorithm, dolphins accomplish hunting operations by doing four steps (search step, call step, reception step, and predation step). The corresponding search links are designed by using the behaviour of four joint steps, and the optimum solution is reached through continuous iteration. The simulated predatory process is Main pivotal, and definition phases are introduced. [11, 21].

Main definition phase: In this step, each dolphin assimilates a feasible solution. The dolphin has defined a feasible D-Diminution solution as Dolphin [y1, y2, ….yD]T (1=1, 2, …., N), the number of dolphins is denoted by N, and xj (j= 1,2,…, D) is the component of each dimension to be optimized. Two variables are used to initialization steps, these variables are Z:The individual optimum solution X: The neighbourhood optimum solution

Also, two corresponding variables for each dolphin in D-Diminution; these variables are: Zi: Zi (i = 1, 2, …, N), the optimum solution that Dolphini calculated in a single time. Xi: Xi (i = 1, 2, …, N), stands for the optimum solution of what Dolphini calculated by itself or gets from others. Fitness: E denotes the solution is better, and the fitness function calculates it, ae, and the better solution is proved when E is closed to zero.

In initialization step three kind of distance are used as: Distance 1: The distance between Dolphini and Dolphinj, named DDi, j, and DDi,

j = ║Dolphini - Dolphinj ║, i, j = 1, 2, …, N, i not equal j. Distance 2:The distance between Dolphini and Xi, named DXi, and DXi=

║Dolphini- Ki ║, i= 1, 2, …,N. Distance 3: The distance between Zi and Xi, named DZX, and DKL = ║Zi- Xi ║,

i= 1, 2, …,N.

Pivotal phase: In the pivotal phase, there are four steps (search step, call level, reception step, and predation step).

• Search step: Each dolphin in search step searches for the neighborhood dolphin using the sound wave. Vi = [v1, v2, …, vD ]T (i = 1, 2, …, M) is a sound, where T is search time the number of sounds is represented by M and the direction attribute of the sound is defined as Vj = ( j = 1, 2, …, D). The characteristic speed

2914 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

attribute of sound is defined by ║Vi║ = speed (i = 1, 2, …, M). The maximum search time is T1. In maximum search time T1, the sound Vj that Dolphini = (i = 1, 2, …, N) makes at time t will search for a new solution Pijt, which can be formulated as in Eq. (1).

𝑃𝑃𝑖𝑖𝑖𝑖𝑖𝑖 = 𝐷𝐷𝐷𝐷𝐷𝐷𝐷𝐷ℎ𝑖𝑖𝑖𝑖𝑖𝑖 + 𝑉𝑉𝑖𝑖𝑡𝑡 (1)

For the new solution Pijt that Dolphini gets, its fitness Eijt is calculated as in Eq. (2):

𝐸𝐸𝑖𝑖𝑖𝑖𝑖𝑖 = 𝐹𝐹𝑖𝑖𝑡𝑡𝑖𝑖𝐹𝐹𝐹𝐹𝐹𝐹(𝐷𝐷𝑖𝑖𝑖𝑖𝑖𝑖)𝑖𝑖𝑖𝑖 𝐸𝐸𝑖𝑖𝑖𝑖𝑏𝑏 = 𝑚𝑚𝑖𝑖𝑖𝑖𝑖𝑖=1,2,...𝑀𝑀,𝑖𝑖𝑖𝑖𝑖𝑖;t=1,2,…,T1)𝐸𝐸𝑖𝑖𝑖𝑖𝑖𝑖 𝐸𝐸𝑖𝑖𝑖𝑖𝑏𝑏 𝑚𝑚𝑖𝑖𝑖𝑖𝑖𝑖=1,2,...𝑀𝑀,𝑖𝑖𝑖𝑖𝑖𝑖;t=1,2,…,T1)𝐹𝐹𝑖𝑖𝑡𝑡𝑖𝑖𝐹𝐹𝐹𝐹𝐹𝐹(𝐷𝐷𝑖𝑖𝑖𝑖𝑖𝑖) (2)

The individual optimum solution Li of Dolphini is determined as in Eq. (3):

𝑍𝑍𝑖𝑖 = 𝑍𝑍𝑖𝑖𝑖𝑖𝑏𝑏 𝑖𝑖𝑖𝑖 𝑖𝑖𝑖𝑖𝑡𝑡𝑖𝑖𝐹𝐹𝐹𝐹𝐹𝐹 (𝑍𝑍𝑖𝑖 ) < 𝑖𝑖𝑖𝑖𝑡𝑡𝑖𝑖𝐹𝐹𝐹𝐹𝐹𝐹 (𝑃𝑃𝑖𝑖 ) (3)

Where Pi is replaced by Zi; otherwise, Pi does not change.

• Call step: Each dolphin in this step sends out a sound and informs other dolphins the search results, including a better solution.

• Reception step: In this step, other dolphins try to compare the optimum information received from dolphins with their optimum solutions after that, they chose the best solution, Xi. TS (transmission time matrix) is a N x N order matrix where call and predation steps are implemented, j represents the rest of the voice from Dolphinj to Dolphini. For Xi, Xj, and TSi, j.

if Fitness (𝑋𝑋𝑖𝑖 ) < Fitness (𝑋𝑋𝑖𝑖 ) and 𝑇𝑇𝑇𝑇𝑖𝑖𝑖𝑖 > 𝐷𝐷𝐷𝐷𝑖𝑖𝑖𝑖

𝐴𝐴×𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 then

𝑇𝑇𝑇𝑇𝑖𝑖𝑖𝑖 − 𝐷𝐷𝐷𝐷𝑖𝑖𝑖𝑖

𝐴𝐴×𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 (4)

Where A is acceleration constant that can make sound faster. At this point, TSi, j is re-labelled as maximum contact time T2, where.

If Fitness (𝑋𝑋i ) > Fitness (𝑋𝑋𝑖𝑖 ) 𝑋𝑋𝑖𝑖 is replaced with 𝑋𝑋𝑖𝑖

otherwise 𝑋𝑋𝑖𝑖 remain the sam𝐹𝐹 (5)

• Predation step: Each dolphin in this step calculate the surround radius Rafter that calculate the distance between the neighborhood of dolphin optimum solution and the position after the predation step based on the known information to get a new location.

4.2. Elephant Herding optimization (EHO) One of the largest land mammals is Elephants. Both the Asian and African elephants are recognized as traditional species. One amongst many representative features in an elephant is a long trunk which has various functionalities for example lifting water, breathing and grasping objects [22].

EHO is an intelligent swarm-based meta-heuristics search method proposed by Wang at the end of 2015. For solving optimization problems. The EHO algorithm is a relatively novel population-based optimization technique, which mimics herding behaviour and can be modelled into two operators: clan updating operators and separating operators. Also, in the literature, EHO has received a great deal of attention

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2915

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

from researchers since it was proposed applied to many application fields for its advantages of excellent global optimization ability and ease of implementation.

The algorithm arises from the modelling of the herding behaviour of real elephants in nature. The herding behaviour can be summarized as follows: [19, 23] • Elephant's swarms consist of several sub-groups, called clans, which are

comprised of several Female elephants and Calves, clans live together led by a matriarch. Each clan has a fixed number of elephants.

• Every clan moves under the supervision (leadership) of a matriarch (female adult elephant). The positions of the elephants in a clan are updated based on their relationship to the matriarch.

• Male calves that reach adulthood leave the clan whom they belong to. Generally, the matriarch in each clan is the eldest female elephant. For modeling and solving the optimization problems, the matriarch is considered the fittest elephant individual in the clan. EHO models the herding behaviors of elephants in two operations [22]:

1. Clan Updating Operator: In each clan the matriarch (leadership) lead all elephants and live together, each elephant k in clan ei can be updated as in Eq. (6) [19, 23, 24].

𝐸𝐸𝐷𝐷𝑛𝑛𝑠𝑠𝑒𝑒,𝑠𝑠𝑖𝑖,𝑘𝑘 = 𝐹𝐹𝑖𝑖,𝑘𝑘 + 𝛼𝛼 × 𝐸𝐸𝐷𝐷𝑏𝑏𝑠𝑠𝑠𝑠𝑖𝑖,𝑐𝑐𝑠𝑠𝑖𝑖 − 𝐸𝐸𝐷𝐷𝑠𝑠𝑖𝑖,𝑘𝑘 × 𝑟𝑟 (6)

Now ei, k and ELnew, ei, k are updated. The scale factor set the value of ei on ELei, k is α ϵ [0,1]. Matriarch ei, is defined by ELbest, ei which is the fittest elephant individual in clan ei. r ϵ [0, 1]. Uniform distribution is used. The fittest elephant cannot be updated by Eq. (6). i.e., EL ei, kj= EL best, ei. For the fittest one, it can be updated as in Eq. (7).

𝐸𝐸𝐸𝐸𝑛𝑛𝑠𝑠𝑒𝑒,𝑠𝑠𝑖𝑖,𝑘𝑘 = 𝛽𝛽 × 𝐸𝐸𝐸𝐸𝑐𝑐𝑠𝑠𝑛𝑛𝑖𝑖𝑠𝑠𝑐𝑐,𝑠𝑠𝑖𝑖 (7)

A factor to locate the influence of the ELcenter, ei on ELnew, ei, k is β ϵ [0,1], in Eq. (7) a new individual ELnew, ei, k generated by the information for all elephants in clan ei. The centre of clan ei is ELcenter, ei and for the n-th dimension it can be calculated as in Eq. (8).

𝐸𝐸𝐸𝐸𝑐𝑐𝑠𝑠𝑛𝑛𝑖𝑖𝑠𝑠𝑐𝑐,𝑠𝑠𝑖𝑖,𝑛𝑛 = � 1 1𝑛𝑛𝑒𝑒𝑖𝑖� × ∑ 𝐸𝐸𝐸𝐸 𝑠𝑠𝑖𝑖,𝑘𝑘,𝑛𝑛 𝑛𝑛𝑠𝑠𝑖𝑖

1 (8)

The n-th dimension, and N it’s a total dimension for 1≤n≤N. mei is the number of elephants in clan ei. ELei, k, n is the n-th of the elephant individual ELei, k. The centre of clan ei,ELcenter, ei, calculated by Eq. (8).

The clan updating operator is described in Algorithm 1.

Algorithm 1: Clan Updating Operation for ei= 1 to mClan(elephant population) do for k = 1 to mei(elephant individuals in clan ei) do Update ELei, k and generate ELnew, ei, k according to Eq. (6). if ELei, k = ELbest, ei then Update ELei, k and generate ELnew, ei, k by Eq. (7) end if end for k end for ei

2916 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

2. Separae operator: male elephants leave their families in the elephants group when they reach puberty to go live alone. This isolating procedure of male elephants can be modelled into an operator of the separation when solving problems related to solving optimization. To additionally improve the method of EHO ability to search, the elephant assumes that as people with most noticeably awful fitness actualize the separating operator at every age, as illustrated in Eq. (9). [19, 24]

𝐸𝐸𝐸𝐸worst,ei = 𝐸𝐸𝐸𝐸min + 𝐸𝐸𝐸𝐸maEL − 𝐸𝐸𝐸𝐸𝑚𝑚𝑖𝑖𝑛𝑛 × 𝑟𝑟𝑟𝑟𝑖𝑖𝑟𝑟 (9)

The upper and lower bound of the position of elephant individual are ELmax and ELmin , the worst elephant individual is ELworst, ei. A stochastic distribution is Rand ϵ [0, 1] is a, and the range of uniform distribution is between [0,1] used in [1, 6], algorithm 2 represent the separating operator and Algorithm 3 describe Elephant Herd Optimization (EHO) Algorithm 2: Separating operator [14, 19] Begin For ei= 1 to m Clan (elephant population (all of the clans )) do Replace the worst elephant individual in clan ei using Eq. (9). end for ci End.

Algorithm 3: Elephant Herd Optimization (EHO) [23]

Begin Step 1: Initialization. Set the generation counter t = 1. Initialize the population P of

NP elephant individuals randomly, with uniform distribution in the search space. Set the number of the kept elephants mKEL, the maximum generation MaxGen, the scale factor α, and β, the number of clans mClan, and the number of elephants for the ei-th clan mei.

Step 2: Fitness evaluation: Evaluate each elephant individual according to its position.

Step 3: While t <MaxGendo the following: Sort all of the elephant individuals according to their fitness. Save the mKELelephant individuals. Implement the clan updating operator, (Algorithm 1). Implement the separating operator, (Algorithm 2). Evaluate the population according to the newly updated positions. Replace the worst elephant individuals with the nKELsaved ones. Update the generation counter, t = t + 1.

Step 4: End while Step 5: Output the best solution. End.

5. Proposed Work The proposed work using a Dolphin and Elephant Herding Optimization Algorithm to detect Neris botnet by. The proposed work consists of three steps (see Fig. 2.)

i. Captured step: To get Neri's botnet packets used in the proposed work, CTU-13 (CTU-MALWARE- CAPTURE -BOTNET-42 and CTU-MALWARE- CAPTURE -BOTNET-43) dataset is used, and the Winshark tool Ver. 2.6.4 is

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2917

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

used to capture normal network traffic. The captured traffics are stored in Neri's data file.

ii. Filtering step: After traffics are captured in the captured step and stored the captured traffics in the Neris Data file, the Neris data file is used to in this step to extracted the essential features. The extracted features are analysis to select the following attributes (source IP, destination IP, Protocol, Timeline, Length … etc.), after attributes are selected, the attributes are derived to use in the detection step (see Table 2.)

iii. Detection step: In the detection step, two swarm intelligent algorithms Dolphin and Elephant Herding Optimization Algorithm are used to detect Neris botnet on the network traffic using the attributes in Filtering steps.

Fig. 2. Diagram of proposed work.

2918 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

Table 2. Derived attributes from the captured file. Feature name Feature contents Length Size of the whole packet includes header, trailer, and data

that send on the packet Snapshot length The amount of data for each frame that captured by the

network capturing tool and stored into the capture file The last packet elapse

Capture time and duration of the last packet

Packet The number of protocol packet from the total capture packet

Timespan/s Is the time between the first and last packet Average App Average app: information about Wireshark hardware. Average size The average size of the header on the packet Bytes The number of protocol bytes from the total capture

packets Average Byte/s The average number of protocol bytes from the total

capture packets Average Bits/s The average bandwidth of this protocol in relation to the

capture time

6. Experimental Result The proposed work to detect Neris botnet was implemented in MATLAB version R2015a and executed on the computer have operating system was Microsoft Windows 10, the coprocessor was Intel Core 5, the memory was 2 GB an experiment.

The proposed work performed Dolphin and Elephant Herding Optimization Algorithm on the set of packets stored in the Neris data file. After the filter phase was done, the packets are now used to detect if it is Normal packets or Neris botnet packet. Table 3 explains an example of Normal and Neris botnet packets.

Table 3. Example of Normal packet and Neris botnet packet. Neris botnet Packet #1 Normal Packet #1 Length 14 MB Length 1073 MB Snapshot length 65535 Snapshot length 4096 1-Last packet lapse 00:18:58 1-Last packet elapse 00:24:08 Packets 88144 Packets 2776813 Timespan/s 1138,172 Timespan/s 1448.730 Average app 77,4 Average app 1961.7 Average packet Size, B

151 Average packet size, B

371

Bytes 13351412 Bytes 102912773 Average Byte/s 11K Average Byte/s 710K Average Bits/s 93K Average Bits/s 5683k

The underlying conveyances and the parameters that Dolphin and Elephant Herding Optimization Algorithm use in the tests are likewise significant. To get better outcomes, the initial value of parameters distribution of these two calculations is consistently the equivalent in a single test. Also, the parameters of Dolphin and Elephant Herding Optimization Algorithms are chosen after running a few tests. The best value of parameters of them is illustrated in Table 4.

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2919

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

Table 4. Parameters utilized for dolphin and elephant herding optimization algorithms.

Feature name Feature contents Dolphin swarm intelligent algorithm

T1=3, T2=1000, Speed=1, A=5, M=3, e=4

Elephant Herding optimization swarm intelligent algorithm

Parameters α= 0.6, β= 0.001, Population size N=100, maximal fitness function evaluations number maxEval = 10. 000. The population was divided into 5 clans

To measure the performance of Dolphin and Elephant Herding Optimization Algorithm to detect Neris botnet packets Two formula are used [6]. i. Accuracy of Detection packets: The percentage of correctly classified packets if

it Normal or Neris packet among the total number of packets calculated using Eq. (10) [6]:

𝐴𝐴cc = 𝑇𝑇𝑇𝑇 + 𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇 + 𝐹𝐹𝑇𝑇 + 𝐹𝐹𝑇𝑇 + 𝐹𝐹𝑇𝑇

(10)

ii. False Alarm Rate (FAR): The FAR is referred to as the FPR (False Positive Rate) or sensitivity calculated by Eq. (11).

𝐹𝐹𝐴𝐴𝐹𝐹 = 𝐹𝐹𝑇𝑇𝑇𝑇𝑇𝑇+𝐹𝐹𝑇𝑇

(11)

where TP (True positive): correct identified Neris Botnet, TN (True Negative): incorrect identified NerisBotnet, FP (False Positive): correct rejected (NerisBotnetm, FN (False Negative): incorrect rejected Neris Bot. Tables 5 and 6 explain the Accuracy of Dolphin and Elephant Herding Optimization Algorithms to detection packets if it is Neris or Normal Packets.

Table 5. Accuracy of Detection packets using dolphin swarm intelligent. No. Data set Total

botnets False Alarm Rate%

Accuracy %

1 Botnet-42 323154 7.8 92.2% 1 2 Botnet-43 176064 4 96%

Table 6. Accuracy of detection packets using elephant herding optimization algorithm.

No. Data set Total botnets

False Alarm Rate%

Accuracy %

1 Botnet-42 323154 10 90.5% 1 2 Botnet-43 176064 7 93%

From Tables 5 and 6 the detection accuracy result for proposed work using Dolphin and Elephant Herding Optimization Algorithms are shown in Figs. 3 and 4.

2920 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

Fig. 3. Detection accuracy result for detect

Neris botnet using Dolphin swarm intelligent.

Fig.4. Detection accuracy result for detect

Neris botnet using elephant herding optimization algorithm.

Figures 3 and 4 show that the result to detect Neris botnet using a Dolphin swarm intelligent algorithm have an accuracy detection rate higher than using Elephant Herding Optimization Algorithm, because Dolphin swarm intelligent algorithm achieve better and potentially faster convergence and good and fast algorithm, it can converge prematurely, especially in complex problems.

When we compare the proposed work using Dolphin swarm intelligent algorithm and Elephant Herding Optimization Algorithm to detect Neris botnet with traditional method to detect Neris botnet [17], we find that the proposed method achieved a success detection rate that also with [17], as shown in Table 7.

Table 7. Accuracy of Detection packets using for proposed work and [17]. No. Data set Detection method Accuracy% 1 CTU-13 Dolphin Swarm Intelligent Algorithm 93.5% 2 CTU-13, Elephant Herding Optimization Algorithm 96% 3 CTU-13 Naïve Bayes [17] 72.75% 4 CTU-13 k-nearest Neighbor (KNN) [17] 98.19% 5 CTU-13 Support Vector Machine (SVM) [17] 98.04% 6 CTU-13 Decision Tree [17] 99.90%

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2921

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

7. Conclusions In this paper, Dolphin and Elephant Herding Optimization Algorithm used to detect Neris botnet, using Dolphin and Elephant Herding Optimization Algorithm gives a higher accuracy detection rate. Using a Dolphin swarm intelligent algorithm have an accuracy detection rate higher than using Elephant Herding Optimization Algorithm, There are two main factors taken into consideration to measure the validity of the Dolphin and Elephant Herding Optimization Algorithm for Neris botnet detection. These two parameters are detection accuracy and, from experimental results using Dolphin and Elephant Herding Optimization Algorithms to detect Neris botnet, give a high detection rate and low False Alarm Rate. For future work, the authors proposed an algorithm to detect another type of botnet virus. Another Swarm Intelligent Algorithms used to detect Neris botnet.

Nomenclatures A An acceleration constant that can make sound faster Dolphin The dolphin has defined a feasible D-Diminution solution as

Dolphin DDi The distance between Dolphini and Dolphinj ELbest, ei Matriarch ei, is defined by ELbest, ei Li Individual optimum solution M Number of sounds is represented by M TN True Negative TP True positive TS Transmission time matrix TSi, j Represents the rest of the voice from Dolphinj to Dolphini Vj The direction attribute of the sound is defined as Vj X The neighbourhood optimum solution yn The number of dolphins is denoted by N Z The individual optimum solution Greek Symbols α The scale factor set the value of eion ELei, k is α ϵ [0,1] β A factor to locate the influence of the ELcenter, eion ELnew, ei, k is β ϵ

[0,1] Abbreviations

ACO Ant Colony Optimizations ABO Artificial Bee Colony C&C Command-and-Control DDoS Distributed Denial-of-Service Attacks EHO Elephant Herding Optimization IoT Internet of Things P2P Peer to Peer PSO Particles Swarm Optimizations SI Swarm Intelligence WHO World Health Organization

2922 M. A. Kamal et al.

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

References

1. Samson, F.; and Vaidehi, V.( 2017).Hybrid botnet detection using ensemble approach. Journal of Theoretical and Applied Information Technology, 95(8), 1646- 1654.

2. Schiller, C.A.; Binkley, J.; Harley, D.; Evron, G.; Bradley, T.; Willems, C.; and Cross; M. (2007). Botnets: The killer Web Application (1th ed.). Syngress.

3. Lee, W.; Wang, C.; and Dagon, D (2002). Botnet Detection: Countering the Largest Security Threat (Advances in Information Security), (1th ed.). Springer-Verlag

4. Author, Credeur M. J. (2002). EarthLink wins $25 million lawsuit against junk e-mailer. Retrieved Jul 22, 2002, from https://www.bizjournals.com/atlanta/ stories/2002/07/22/story4.html

5. Author, Bass, C. House of committee on the Judiciary: crime, terrorism, and homeland security, Retrieved November 2018, https://judiciary.house.gov/ subcommittees/crime-terrorism-homeland-security-and-investigations-116th-congress/

6. Khan, R.U.; Zhang, X.; Kumar, R.; Sharif, A. ; Golilarz, N.A.; and Alazab, M. (2019). An adaptive multi-layer botnet detection technique using machine learning classifiers. Applied Science, 9.

7. Chen, C.M.; Lai, G.H.; and Lin, J. (2018). Detection of C&C servers based on swarm intelligence approach. Journal of Computers, 29(5), 190-201.

8. Lingxia, L.I.; Leung, V.C.M.; and Chin Feng, L. (2017). Evolutionary algorithms in software defined networks: techniques, applications, and issues. Zte Communications, 15( 3).

9. Li, J.; Guo, L.; Li, Y.; and Liu, C. (2019). Enhancing Elephant Herding Optimization with novel individual updating strategies for large-scale optimization problems. Mathematics, 7(5).

10. Chen, H.H.; and Huang, S.K. (2016). LDDoS attack detection by using ant colony optimization algorithms. Journal of Information Science and Engineering, 32(4), 995-1020.

11. Castiglione, A.; Prisco, R.D.; Santis, A.D.; Fiore, U.; and Palmier, I.F. (2014). A Botnet-Based command and control approach relying on swarm intelligence. Journal of Network and Computer Applications, 3822(33).

12. Lin, K.C.; Chen, S.Y.; and Hung, J.C. (2014). Botnet detection using support vector machines with artificial fish swarm algorithm. Journal of Applied Mathematics , 4, 1-9.

13. Huseynov, K.; Kim, K.; and Yoo, P.D. (2014). Semi-supervised botnet detection using ant colony clustering, The 31th Symposium on Cryptography and Information security Kagoshima, Japan, Jan. 21-24, 2014, The Institute of Electronics, Information and Communication Engineers.

14. Satoshi, K.; and Naoshi, S. (2007). Botnet traffic detection techniques by C&C session classification using SVM. Computer Science, International Workshop on Security IWSEC 2007: Advances in Information and Computer Security , 91-104.

15. Chowdhury, S.; Khanzadeh, M.; Akula, R.; Zhang, F.; Zhang S.; Medal, H.; Marufuzzaman, M.; and Bian, L. (2017). Botnet detection using graph-based feature clustering. Journal of Big Data, 4(214).

Dolphin and Elephant Herding Optimization Swarm Intelligence . . . . 2923

Journal of Engineering Science and Technology October 2020, Vol. 15(5)

16. Pallaw, S.A.B. (2016). Bitcoin mining based botnet analysis. International Journal of Computer Applications, 145(6).

17. Chinta, S.R.; Polinati, V.B.; and Srinivas, P.N. ( 2018). Detecting bots inside a host using network behavior analysis. International Journal of Computer Applications, 180(47).

18. García S. CTU-13 dataset. a labeled dataset with botnet, normal and background traffic. Retrieved 2013, https://mcfp.weebly.com/mcfp-dataset.html

19. Almufti, S.M.; Asaadm R.R.; and Salim, B.W. (2018). Review on elephant herding optimization algorithm performance in solving optimization problems. International Journal of Engineering &Technology, 7(4), 6109-6114.

20. Tian-qi, W.; Min, Y.; and Jian-hua, Y. (2016). Dolphin swarm algorithm. Frontiers of Information Technology & Electronic Engineering, 17(8), 717-729.

21. LI, Y.; and Wang, X. (2019). Improved dolphin swarm optimization algorithm based on information entropy. Technical Sciences, 67(4).

22. Tuba, E.; Dolicanin, D.; Jovanovic, R.; Simian, D.; and Tuba, M. (2018). Combined elephant herding optimization algorithm with K-means for data clustering. Proceedings of ICTIS 2018 Information and Communication Technology for Intelligent Systems, 2.

23. Li, Jiang.; Guo, L.; Li, Y.; and Liu, C. (2019). Enhancing elephant herding optimization with novel individual updating strategies for large-scale optimization problems. Mathematics, 7(5), 395.

24. Gai-Ge, W.; Suash, D.; and Leandro, D.S.C. (2015). Elephant herding optimization, 3rd International Symposium on Computational and Business Intelligence 2015.