Optimized Random Forest Model for Botnet Detection Based on DNS Queries

The Domain Name System (DNS) protocol plays a major role in today's Internet as it translates between website names and corresponding IP addresses. However, due to the lack of processes for data integrity and origin authentication, the DNS protocol has several security vulnerabilities. This often leads to a variety of cyber-attacks, including botnet network attacks. One promising solution to detect DNS-based botnet attacks is adopting machine learning (ML) based solutions. To that end, this paper proposes a novel optimized ML-based framework to detect botnets based on their corresponding DNS queries. More specifically, the framework consists of using information gain as a feature selection method and genetic algorithm (GA) as a hyper-parameter optimization model to tune the parameters of a random forest (RF) classifier. The proposed framework is evaluated using a state-of-the-art TI-2016 DNS dataset. Experimental results show that the proposed optimized framework reduced the feature set size by up to 60%. Moreover, it achieved a high detection accuracy, precision, recall, and F-score compared to the default classifier. This highlights the effectiveness and robustness of the proposed framework in detecting botnet attacks.

Comment: 4 pages, 3 figures, 1 table. Accepted and presented in IEEE 32nd International Conference on Microelectronics (IEEE-ICM2020).
Ensemble-based Feature Selection and Classification Model for DNS Typo-squatting Detection

The Domain Name System (DNS) plays an important role in the current IP-based Internet architecture, because it performs the domain name to IP resolution. However, the DNS protocol has several security vulnerabilities due to the lack of data integrity and origin authentication within it. This paper focuses on one particular security vulnerability, namely typo-squatting. Typo-squatting refers to the registration of a domain name that is extremely similar to that of an existing popular brand with the goal of redirecting users to malicious/suspicious websites. The danger of typo-squatting is that it can lead to information threats, corporate secret leakage, and can facilitate fraud. This paper builds on our previous work in [1], which only proposed a majority-voting based classifier, by proposing an ensemble-based feature selection and bagging classification model to detect DNS typo-squatting attacks. Experimental results show that the proposed framework achieves high accuracy and precision in identifying the malicious/suspicious typo-squatting domains (a loss of at most 1.5% in accuracy and 5% in precision when compared to the model that used the complete feature set) while having a lower computational complexity due to the smaller feature set (a reduction of more than 50% in feature set size).

Comment: 6 pages, 2 figures, 6 tables. Accepted in 2020 IEEE Canadian Conference on Electrical and Computer Engineering (CCECE 2020).