Machine learning based botnet identification traffic
The continued growth of the Internet has resulted in increasingly sophisticated toolkits and methods for conducting computer attacks and intrusions that are easy to use and publicly available for download, such as the Zeus botnet toolkit. Botnets are responsible for many cyber-attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most existing botnet toolkits release updates for new features, development and support. This presents challenges in the detection and prevention of bots. Current botnet detection approaches are mostly ineffective as botnets change their Command and Control (C&C) server structures, whether centralized (e.g., IRC, HTTP) or distributed (e.g., P2P), and use encryption as a deterrent. In this paper, based on real-world data sets, we present our preliminary research on predicting new bots before they launch their attack. We propose a rich set of network traffic features using the Classification of Network Information Flow Analysis (CONIFA) framework to capture regularities in C&C communication channels and malicious traffic. We present a case study applying the approach to a popular botnet toolkit, Zeus. The experimental evaluation suggests that it is possible to effectively detect botnets during the C&C communication generated by a newly updated Zeus botnet toolkit, before they launch their attacks, by building a machine learning classifier from an earlier version using traffic behaviors. We also show that there is similarity in the C&C structures of various botnet toolkit versions and that the network characteristics of botnet C&C traffic differ from those of legitimate network traffic. Such methods could reduce the many different resources needed to identify C&C communication channels and malicious traffic.
Visual analytics with decision tree on network traffic flow for botnet detection
Visual analytics (VA) is an integral approach combining visualization, human factors, and data analysis. VA can synthesize information and derive insight from massive, dynamic, ambiguous and often conflicting data, thus helping to discover both expected and unexpected information. Moreover, the visualization can support assessment within a timely period in which pre-emptive action can be taken. This paper discusses the implementation of visual analytics with a decision tree model on network traffic flow for botnet detection. The discussion covers scenarios based on workstation, network traffic ranges and times. The experiment consists of data modeling, analytics and visualization using the Microsoft PowerBI platform. Five different VA scenarios for botnet detection are examined and analyzed. From the studies, visual analytics may provide a flexible approach to botnet detection on network traffic flow by being able to add more botnet-related information, increase the paths for data exploration and increase the effectiveness of the analytics tool. Moreover, learning the pattern of communication and identifying what is normal and abnormal behavior will be vital for security visual analysts as a future reference.
Hybrid Approach for Botnet Detection Using K-Means and K-Medoids with Hopfield Neural Network
In the last few years, a number of attacks and malicious activities have been attributed to common channels between users. A botnet is considered an important carrier of malicious and undesirable briskness. In this paper, we propose a support vector machine to classify botnet activities according to k-means, k-medoids, and neural network clusters. The proposed approach is based on the features of transfer control protocol packets. System performance and accuracy are evaluated using a predefined data set. Results show the ability of the proposed approach to detect botnet activities with high accuracy and performance in a short execution time. The proposed system provides a 95.7% accuracy rate with a false positive rate less than or equal to 3%.
Botnet Detection Using Recurrent Variational Autoencoder
Botnets are increasingly used by malicious actors, creating an increasing threat to a large number of internet users. To address this growing danger, we propose to study methods to detect botnets, especially those that are hard to capture with the commonly used methods, such as signature-based ones and existing anomaly-based ones. More specifically, we propose a novel machine learning based method, named Recurrent Variational Autoencoder (RVAE), for detecting botnets through sequential characteristics of network traffic flow data, including attacks by botnets. We validate the robustness of our method with the CTU-13 dataset, where we have chosen the testing dataset to contain different types of botnets than those of the training dataset. Tests show that RVAE is able to detect botnets with the same accuracy as the best known results published in the literature. In addition, we propose an approach to assign an anomaly score based on probability distributions, which allows us to detect botnets in streaming mode as new networking statistics become available. This on-line detection capability would enable real-time detection of unknown botnets.
Revealing the Feature Influence in HTTP Botnet Detection
Botnets are identified as one of the most emerging threats, as cybercriminals work diligently to make as much of users' networks of computers as possible their target. In conjunction with that, many researchers have conducted a lot of studies on botnets and ways to detect botnets in network traffic. Most of them only used the features inside the system without mentioning the feature influence in botnet detection. Selecting significant features is important in botnet detection as it can increase the accuracy of detection. Besides, existing research focuses more on the technique of recognition rather than uncovering the purpose behind the selection. Therefore, this paper reveals the influential features in botnet detection using a statistical method. The result obtained showed an accuracy of about 91%, which is approximately acceptable for using the influential features in detecting botnet activity.
Deep fused flow and topology features for botnet detection basing on pretrained GCN
Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in bots' network behavior and their intercommunication relationships. Existing botnet detection methods use flow features or topology features individually, overlooking the other type of feature, which affects model performance. In this paper, we propose a botnet detection model that uses a graph convolutional network (GCN) to deeply fuse flow features and topology features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Due to the imbalance of existing public traffic flow datasets, it is impossible to train a GCN model on these datasets. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity to identify topology features. We then feed the communication graph with flow features into the pretrained GCN. The output from the last hidden layer is treated as the fusion of flow and topology features. Additionally, by adjusting the number of layers in the GCN network, the model can effectively detect botnets under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves a remarkable recall rate of 92.90% and F1-score of 92.76% for C2 botnets, alongside a recall rate of 94.66% and F1-score of 92.35% for P2P botnets. These results not only demonstrate the effectiveness of our method, but also outperform the currently leading detection models.