{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,27]],"date-time":"2026-02-27T12:54:33Z","timestamp":1772196873966,"version":"3.50.1"},"reference-count":32,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,2,25]],"date-time":"2021-02-25T00:00:00Z","timestamp":1614211200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,2,25]],"date-time":"2021-02-25T00:00:00Z","timestamp":1614211200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100012172","name":"Double First Class University Plan","doi-asserted-by":"publisher","award":["3307012001A"],"award-info":[{"award-number":["3307012001A"]}],"id":[{"id":"10.13039\/501100012172","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62073074"],"award-info":[{"award-number":["62073074"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Complex Intell. Syst."],"published-print":{"date-parts":[[2022,4]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>A botnet is a network of remotely-controlled infected computers that can send spam, spread viruses, or stage denial-of-service attacks, without the consent of the computer owners. Since the beginning of the 21st century, botnet activities have steadily increased, becoming one of the major concerns for Internet security. In fact, botnet activities are becoming more and more difficult to be detected, because they make use of Peer-to-Peer protocols (eMule, Torrent, Frostwire, Vuze, Skype and many others). To improve the detectability of botnet activities, this paper introduces the idea of association analysis in the field of data mining, and proposes a system to detect botnets based on the FP-growth (Frequent Pattern Tree) frequent item mining algorithm. The detection system is composed of three parts: packet collection processing, rule mining, and statistical analysis of rules. Its characteristic feature is the rule-based classification of different botnet behaviors in a fast and unsupervised fashion. The effectiveness of the approach is validated in a scenario with 11 Peer-to-Peer host PCs, 42063 Non-Peer-to-Peer host PCs, and 17 host PCs with three different botnet activities (Storm, Waledac and Zeus). The recognition accuracy of the proposed architecture is shown to be above 94%. The proposed method is shown to improve the results reported in literature.<\/jats:p>","DOI":"10.1007\/s40747-021-00281-5","type":"journal-article","created":{"date-parts":[[2021,2,25]],"date-time":"2021-02-25T06:02:34Z","timestamp":1614232954000},"page":"761-769","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Unsupervised detection of botnet activities using frequent pattern tree mining"],"prefix":"10.1007","volume":"8","author":[{"given":"Siqiang","family":"Hao","sequence":"first","affiliation":[]},{"given":"Di","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Simone","family":"Baldi","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3755-179X","authenticated-orcid":false,"given":"Wenwu","family":"Yu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,25]]},"reference":[{"key":"281_CR1","doi-asserted-by":"publisher","unstructured":"Ali I, Ahmed AIA, Almogren A, Raza MA, Shah SA, Khan A, Gani A (2020) Systematic literature review on iot-based botnet attack. IEEE Access 1. https:\/\/doi.org\/10.1109\/ACCESS.2020.3039985","DOI":"10.1109\/ACCESS.2020.3039985"},{"key":"281_CR2","doi-asserted-by":"publisher","first-page":"182309","DOI":"10.1109\/ACCESS.2019.2960398","volume":"7","author":"Z Chu","year":"2019","unstructured":"Chu Z, Han Y, Zhao K (2019) Botnet vulnerability intelligence clustering classification mining and countermeasure algorithm based on machine learning. IEEE Access 7:182309\u2013182319","journal-title":"IEEE Access"},{"issue":"1","key":"281_CR3","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1145\/1327452.1327492","volume":"51","author":"J Dean","year":"2008","unstructured":"Dean J, Ghemawat S (2008) Mapreduce: simplified data processing on large clusters. Commun ACM 51(1):107\u2013113","journal-title":"Commun ACM"},{"key":"281_CR4","unstructured":"Grizzard JB, Sharma V, Nunnery C, Kang BB, Dagon D (2007) Peer-to-peer botnets: Overview and case study. HotBots"},{"key":"281_CR5","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TSMC.2020.3034765","volume":"1","author":"HX Hu","year":"2020","unstructured":"Hu HX, Wen G, Yu X, Wu ZG, Huang T (2020) Distributed stabilization of heterogeneous mass in uncertain strong-weak competition networks. IEEE Trans Syst Man Cybern Syst 1:1\u201313. https:\/\/doi.org\/10.1109\/TSMC.2020.3034765","journal-title":"IEEE Trans Syst Man Cybern Syst"},{"issue":"4","key":"281_CR6","doi-asserted-by":"publisher","first-page":"2271","DOI":"10.1109\/COMST.2015.2459015","volume":"17","author":"WZ Khan","year":"2015","unstructured":"Khan WZ, Khan MK, Bin Muhaya FT, Aalsalem MY, Chao H (2015) A comprehensive study of email spam botnet detection. IEEE Commun Surveys Tutor 17(4):2271\u20132295","journal-title":"IEEE Commun Surveys Tutor"},{"issue":"4","key":"281_CR7","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/s11416-014-0228-5","volume":"11","author":"N Kheir","year":"2015","unstructured":"Kheir N, Han X, Wolley C (2015) Behavioral fine-grained detection and classification of p2p bots. J Comput Virol Hack Tech 11(4):217\u2013233","journal-title":"J Comput Virol Hack Tech"},{"key":"281_CR8","unstructured":"Kumar S, Spafford EH (1994) An application of pattern matching in intrusion detection"},{"key":"281_CR9","doi-asserted-by":"publisher","first-page":"94658","DOI":"10.1109\/ACCESS.2019.2927355","volume":"7","author":"W Li","year":"2019","unstructured":"Li W, Jin J, Lee J (2019) Analysis of botnet domain names for iot cybersecurity. IEEE Access 7:94658\u201394665","journal-title":"IEEE Access"},{"key":"281_CR10","doi-asserted-by":"crossref","unstructured":"Liao WH, Chang CC (2010) : Peer to peer botnet detection using data mining scheme. In: 2010 international conference on internet technology and applications. pp 1\u20134. IEEE","DOI":"10.1109\/ITAPP.2010.5566407"},{"key":"281_CR11","doi-asserted-by":"crossref","unstructured":"Liu F, Li Z, Nie Q (2009) A new method of p2p traffic identification based on support vector machine at the host level. In: 2009 international conference on information technology and computer science, pp 579\u2013582","DOI":"10.1109\/ITCS.2009.257"},{"key":"281_CR12","unstructured":"Masud MM, Gao J, Khan L, Han J, Thuraisingham B (2008) Mining concept-drifting data stream to detect peer to peer botnet traffic. Univ. of Texas at Dallas, Tech. Report# UTDCS-05-08"},{"key":"281_CR13","doi-asserted-by":"publisher","first-page":"1668","DOI":"10.1016\/j.procs.2018.05.137","volume":"132","author":"L Mathur","year":"2018","unstructured":"Mathur L, Raheja M, Ahlawat P (2018) Botnet detection via mining of network traffic flow. Proc Comput Sci. 132:1668\u20131677","journal-title":"Proc Comput Sci."},{"issue":"3","key":"281_CR14","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1109\/MPRV.2018.03367731","volume":"17","author":"Y Meidan","year":"2018","unstructured":"Meidan Y, Bohadana M, Mathov Y, Mirsky Y, Shabtai A, Breitenbacher D, Elovici Y (2018) N-baiot-network-based detection of iot botnet attacks using deep autoencoders. IEEE Pervasive Comput 17(3):12\u201322","journal-title":"IEEE Pervasive Comput"},{"key":"281_CR15","doi-asserted-by":"crossref","unstructured":"Mythili MS, Shanavas ARM (2013) Performance evaluation of apriori and fp-growth algorithms. Int J Comput Appl","DOI":"10.5120\/13779-1650"},{"issue":"1","key":"281_CR16","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1186\/s13635-014-0015-3","volume":"2014","author":"P Narang","year":"2014","unstructured":"Narang P, Hota C, Venkatakrishnan V (2014) Peershark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification. EURASIP J Inf Secur 2014(1):15","journal-title":"EURASIP J Inf Secur"},{"key":"281_CR17","doi-asserted-by":"crossref","unstructured":"Narang P, Ray S, Hota C, Venkatakrishnan V (2014) Peershark: detecting peer-to-peer botnets by tracking conversations. In: 2014 IEEE security and privacy workshops, pp 108\u2013115. IEEE","DOI":"10.1109\/SPW.2014.25"},{"issue":"8","key":"281_CR18","doi-asserted-by":"publisher","first-page":"329","DOI":"10.3844\/jcssp.2017.329.336","volume":"13","author":"AA Obeidat","year":"2017","unstructured":"Obeidat AA, Al-Kofahi MM, Bawaneh MJ, Hanandeh ES (2017) A novel botnet detection system for p2p networks. J Comput Sci 13(8):329\u2013336","journal-title":"J Comput Sci"},{"key":"281_CR19","unstructured":"Obeidat AA, Bawaneh MJ (2016) Survey of the p2p botnet detection methods. Int J Emerg Trends Technol Comput Sci (IJETTCS)"},{"issue":"5","key":"281_CR20","doi-asserted-by":"publisher","first-page":"28","DOI":"10.1109\/MIC.2017.3481345","volume":"21","author":"MG P\u00e9rez","year":"2017","unstructured":"P\u00e9rez MG, Celdr\u00e1n AH, Ippoliti F, Giardina PG, Bernini G, Alaez RM, Chirivella-Perez E, Clemente FJG, P\u00e9rez GM, Kraja E, Carrozzo G, Calero JMA, Wang Q (2017) Dynamic reconfiguration in 5g mobile networks to proactively detect and mitigate botnets. IEEE Internet Comput 21(5):28\u201336","journal-title":"IEEE Internet Comput"},{"issue":"9","key":"281_CR21","doi-asserted-by":"publisher","first-page":"682","DOI":"10.1631\/jzus.C1300053","volume":"14","author":"Y Qiao","year":"2013","unstructured":"Qiao Y, Yang Yx, He J, Tang C, Zeng Yz (2013) Detecting p2p bots by mining the regional periodicity. J Zhejiang Univ Sci C 14(9):682\u2013700","journal-title":"J Zhejiang Univ Sci C"},{"issue":"3","key":"281_CR22","first-page":"194","volume":"19","author":"B Rahbarinia","year":"2014","unstructured":"Rahbarinia B, Perdisci R, Lanzi A, Li K (2014) Peerrush: mining for unwanted p2p traffic. J Inf Secur Appl 19(3):194\u2013208","journal-title":"J Inf Secur Appl"},{"key":"281_CR23","doi-asserted-by":"crossref","unstructured":"Saad S, Traore I, Ghorbani A, Sayed B, Zhao D, Lu W, Felix J, Hakimian P (2011) Detecting p2p botnets through network behavior analysis and machine learning. In: 2011 Ninth annual international conference on privacy, security and trust, pp 174\u2013180. IEEE","DOI":"10.1109\/PST.2011.5971980"},{"key":"281_CR24","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/s40747-018-0068-x","volume":"4","author":"D Torres","year":"2018","unstructured":"Torres D (2018) Cyber security and cyber defense for venezuela: an approach from the soft systems methodology. Complex Intell Syst 4:213\u2013226","journal-title":"Complex Intell Syst"},{"issue":"4","key":"281_CR25","doi-asserted-by":"publisher","first-page":"2768","DOI":"10.1109\/COMST.2017.2749442","volume":"19","author":"G Vormayr","year":"2017","unstructured":"Vormayr G, Zseby T, Fabini J (2017) Botnet communication patterns. IEEE Commun Surveys Tutor 19(4):2768\u20132796","journal-title":"IEEE Commun Surveys Tutor"},{"key":"281_CR26","doi-asserted-by":"crossref","unstructured":"Wang B, Li Z, Tu H, Ma J (2009): Measuring peer-to-peer botnets using control flow stability. In: 2009 International conference on availability, reliability and security, pp 663\u2013669","DOI":"10.1109\/ARES.2009.59"},{"key":"281_CR27","doi-asserted-by":"crossref","unstructured":"Wang J, Paschalidis IC (2017) Botnet detection based on anomaly and community detection. IEEE Trans Control Netw Syst 4(2):392\u2013404","DOI":"10.1109\/TCNS.2016.2532804"},{"issue":"8","key":"281_CR28","doi-asserted-by":"publisher","first-page":"7470","DOI":"10.1109\/JIOT.2020.2984662","volume":"7","author":"H Xia","year":"2020","unstructured":"Xia H, Li L, Cheng X, Cheng X, Qiu T (2020) Modeling and analysis botnet propagation in social internet of things. IEEE Internet Things J 7(8):7470\u20137481","journal-title":"IEEE Internet Things J"},{"issue":"2","key":"281_CR29","doi-asserted-by":"publisher","first-page":"1373","DOI":"10.1109\/TII.2019.2940742","volume":"16","author":"L Yin","year":"2020","unstructured":"Yin L, Luo X, Zhu C, Wang L, Xu Z, Lu H (2020) Connspoiler: Disrupting c c communication of iot-based botnet through fast detection of anomalous domain queries. IEEE Trans Industr Inf 16(2):1373\u20131384","journal-title":"IEEE Trans Industr Inf"},{"issue":"6","key":"281_CR30","doi-asserted-by":"publisher","first-page":"1068","DOI":"10.1109\/TDSC.2016.2641441","volume":"15","author":"J Zhang","year":"2018","unstructured":"Zhang J, Zhang R, Zhang Y, Yan G (2018) The rise of social botnets: attacks and countermeasures. IEEE Trans Dependable Secure Comput 15(6):1068\u20131082","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"281_CR31","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1016\/j.cose.2013.04.007","volume":"39","author":"D Zhao","year":"2013","unstructured":"Zhao D, Traore I, Sayed B, Lu W, Saad S, Ghorbani A, Garant D (2013) Botnet detection based on traffic behavior analysis and flow intervals. Comput Secur 39:2\u201316","journal-title":"Comput Secur"},{"issue":"6","key":"281_CR32","doi-asserted-by":"publisher","first-page":"1485","DOI":"10.1109\/TIFS.2018.2881657","volume":"14","author":"D Zhuang","year":"2019","unstructured":"Zhuang D, Chang JM (2019) Enhanced peerhunter: detecting peer-to-peer botnets through network-flow level community behavior analysis. IEEE Trans Inf Forensics Secur 14(6):1485\u20131500","journal-title":"IEEE Trans Inf Forensics Secur"}],"container-title":["Complex &amp; Intelligent Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s40747-021-00281-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s40747-021-00281-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s40747-021-00281-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,4,29]],"date-time":"2022-04-29T17:28:13Z","timestamp":1651253293000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s40747-021-00281-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,25]]},"references-count":32,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2022,4]]}},"alternative-id":["281"],"URL":"https:\/\/doi.org\/10.1007\/s40747-021-00281-5","relation":{},"ISSN":["2199-4536","2198-6053"],"issn-type":[{"value":"2199-4536","type":"print"},{"value":"2198-6053","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,25]]},"assertion":[{"value":"7 September 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 January 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 February 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Compliance with ethical standards"}},{"value":"The authors declare no conflict of interest. No author has a financial or personal relationship with a third party whose interests could be positively or negatively influenced by the article\u2019s content. On behalf of all authors, the corresponding author states that there is no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}