7 research outputs found

    BotChase: Graph-Based Bot Detection Using Machine Learning

    Bot detection using machine learning (ML), with network flow-level features, has been extensively studied in the literature. However, existing flow-based approaches typically incur a high computational overhead and do not completely capture the network communication patterns, which can expose additional aspects of malicious hosts. Recently, bot detection systems which leverage communication graph analysis using ML have gained traction to overcome these limitations. A graph-based approach is rather intuitive, as graphs are true representations of network communications. In this thesis, we propose BotChase, a two-phased graph-based bot detection system that leverages both unsupervised and supervised ML. The first phase prunes presumably benign hosts, while the second phase achieves bot detection with high precision. Our prototype implementation of BotChase detects multiple types of bots and exhibits robustness to zero-day attacks. It also accommodates different network topologies and is suitable for large-scale data. Compared to the state-of-the-art, BotChase outperforms an end-to-end system that employs flow-based features and performs particularly well in an online setting.

    Botnets and how to automatic detect them: exploring new ways of dealing with botnet classification

    Threats such as Botnets have become very common in current usage of the Internet, enabling attacks like distributed denial of service (DoS), which can have a significant impact on the use of technology. One way to mitigate such issues is to focus on intelligent models that attempt to identify the presence of Botnets in network traffic early. Thus, this work aims to evaluate the current state of the art on threats related to Botnets and how intelligent technology has been used under real-world restrictions such as real-time deadlines and increased network traffic. From our findings, we have indications that Botnet detection in real time remains a significant challenge because computing power has not grown at the same rate as Internet traffic. This has pointed out other restrictions that must be considered, like privacy legislation and the use of cryptography for all communications. In this context, we discuss the next steps to deal with the identified issues.

    Countermeasures against Bot detection techniques in social networks

    Bots are programs that automatically perform actions on the Internet; examples include those used to index content for search engines, publish news on Twitter, or, for less moral purposes, spread misinformation or cheat in online games. The latter have led to an industry based on developing measures to detect these Bots and stop them, so that they do not affect the experience of legitimate users of these Internet services. This project studies the most prevalent detection measures and seeks to develop a toolkit in Python that helps programmers with benign intentions to create Bots that are harder to detect.
    Degree in Computer Engineering

    A Machine Learning Approach for RDP-based Lateral Movement Detection

    Detecting cyber threats has been an ongoing research endeavor. In this era, advanced persistent threats (APTs) can incur significant costs for organizations and businesses. The ultimate goal of cybersecurity is to thwart attackers from achieving their malicious intent, whether it is credential stealing, infrastructure takeover, or program sabotage. Every cyberattack goes through several stages before its termination. Lateral movement (LM) is one of those stages that is of particular importance. Remote Desktop Protocol (RDP) is a method used in LM to successfully authenticate to an unauthorized host, which leaves footprints in both host and network logs. In this thesis, we propose to detect evidence of LM using an anomaly-based approach that leverages Windows RDP event logs. We explore different feature sets extracted from these logs and evaluate various supervised and unsupervised machine learning (ML) techniques for classifying RDP sessions with high precision and recall. We also compare the performance of our proposed approach to a state-of-the-art approach and demonstrate that our ML model outperforms it in classifying RDP sessions in Windows event logs. In addition, we demonstrate that our model is robust against certain types of adversarial attacks.

    Detecting Network Intrusions from Authentication Logs

    Recently, network infiltrations due to advanced persistent threats (APTs) have grown significantly, resulting in considerable losses to businesses and organizations. APTs are stealthy attacks with the primary objective of gaining unauthorized access to network assets. They often remain dormant for an extended period of time, which makes their detection challenging. In this thesis, we leverage machine learning (ML) to detect hosts in a network that are the target of an APT attack. We evaluate a number of ML classifiers to detect susceptible hosts in the Los Alamos National Lab (LANL) dataset. We (i) leverage graph-based features extracted from multiple data sources, i.e., network flows and host authentication logs, (ii) use feature engineering to reduce dimensionality, (iii) explore balancing the training dataset using numerous over- and under-sampling techniques, (iv) compare our model to the state-of-the-art approaches that leverage the same dataset, and show that our model outperforms them with respect to prediction performance and overhead, and (v) perturb the attack patterns of LMs, study the influence of changes in attack frequency and scale on classification performance, and propose a solution for such adversarial behavior.