An evaluation of DGA classifiers
Domain Generation Algorithms (DGAs) are a popular technique used by contemporary malware for command-and-control (C&C) purposes. Such malware uses a DGA to create a set of domain names that, when resolved, provide the information needed to establish a link to a C&C server. Automated discovery of such domain names in real-time DNS traffic is critical for network security, as it allows infections to be detected and, in some cases, countermeasures to be taken to disrupt the communication and identify infected machines. Detecting the specific DGA malware family gives the administrator valuable information about the kind of infection and the steps that need to be taken. In this paper we compare and evaluate machine learning methods that classify domain names as benign or DGA, and label the latter according to their malware family. Unlike previous work, we select data for the test and training sets according to observation time and known seeds. This allows us to assess the robustness of the trained classifiers at detecting domains generated by the same families at a different time or when seeds change. Our study includes tree ensemble models based on human-engineered features and deep neural networks that learn features automatically from domain names. We find that all state-of-the-art classifiers are significantly better at catching domain names from malware families with a time-dependent seed than from time-invariant DGAs. In addition, when applying the trained classifiers to a day of real traffic, we find that many domain names are unjustifiably flagged as malicious, revealing the shortcomings of relying on a standard whitelist for training a production-grade DGA detection system.
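The evaluation protocol the abstract argues for, as an added example that is not code from the paper: lexical features of the kind tree-ensemble DGA detectors use, a constructed toy DGA (a hypothetical hash-based generator, not any real malware family) with either a time-dependent or a fixed seed, and a small nearest-centroid classifier trained on one day's domains and tested on unseen benign names, on the same family a day later, and on a fresh seed. The benign names are a constructed stand-in for a whitelist and the classifier is a stand-in for the paper's models, so the numbers say nothing about the paper's results; they only show how the split by observation time and seed is set up.

```python
"""Added example, not code from the paper: lexical features for DGA
detection, a constructed toy DGA, and the evaluation split the abstract
argues for (train and test separated by observation time and by seed)."""
import hashlib
import math
from collections import Counter
from datetime import date
from typing import Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def toy_dga(seed: str, count: int, day: Optional[date] = None) -> list:
    """Constructed toy DGA (hypothetical, not any real malware family).
    With `day` set the seed is time-dependent and the domain set changes
    daily; with day=None it is time-invariant and depends on the seed only."""
    stamp = day.isoformat() if day else "static"
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{stamp}|{i}".encode()).digest()
        length = 8 + digest[0] % 8                         # 8..15 characters
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length])
        domains.append(label + ".com")
    return domains


def features(domain: str) -> list:
    """Human-engineered lexical features of the leftmost label, the part a DGA
    generates: length, Shannon entropy, digit ratio, vowel ratio and the
    longest consonant run."""
    label = domain.split(".")[0]
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        longest = max(longest, run)
    return [float(n), entropy, digit_ratio, vowel_ratio, float(longest)]


class CentroidClassifier:
    """Nearest centroid on z-scored features. Deliberately small stand-in for
    the paper's tree ensembles; the evaluation protocol is the point."""

    def fit(self, rows, labels):
        k = len(rows[0])
        self.mean = [sum(r[j] for r in rows) / len(rows) for j in range(k)]
        self.std = [max(math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in rows) / len(rows)), 1e-9)
                    for j in range(k)]
        self.centroids = {}
        for cls in sorted(set(labels)):
            members = [self._z(r) for r, lab in zip(rows, labels) if lab == cls]
            self.centroids[cls] = [sum(m[j] for m in members) / len(members) for j in range(k)]
        return self

    def _z(self, row):
        return [(v - m) / s for v, m, s in zip(row, self.mean, self.std)]

    def predict(self, row):
        z = self._z(row)
        return min(self.centroids,
                   key=lambda c: sum((a - b) ** 2 for a, b in zip(z, self.centroids[c])))


def accuracy(clf, domains, expected):
    return sum(clf.predict(features(d)) == expected for d in domains) / len(domains)


# Constructed benign sample standing in for a whitelist. The paper's live-traffic
# result is exactly that such a list is too narrow a picture of benign names.
BENIGN_TRAIN = ["google.com", "wikipedia.org", "github.com", "microsoft.com", "amazon.com",
                "youtube.com", "mozilla.org", "debian.org", "cloudflare.com", "python.org"]
BENIGN_TEST = ["apple.com", "netflix.com", "reddit.com", "ubuntu.com", "openssl.org"]


def evaluate_by_time_and_seed():
    """Train on domains observed on day 1 (time-seeded family with seed A plus a
    time-invariant family), then test on unseen benign names, on the same
    time-seeded family a day later, and on a fresh seed of that family."""
    train_dga = toy_dga("seed-A", 40, date(2024, 1, 1)) + toy_dga("static-A", 40)
    rows = [features(d) for d in BENIGN_TRAIN + train_dga]
    labels = ["benign"] * len(BENIGN_TRAIN) + ["dga"] * len(train_dga)
    clf = CentroidClassifier().fit(rows, labels)
    return {
        "benign_test": accuracy(clf, BENIGN_TEST, "benign"),
        "same_seed_next_day": accuracy(clf, toy_dga("seed-A", 40, date(2024, 1, 2)), "dga"),
        "new_seed": accuracy(clf, toy_dga("seed-B", 40, date(2024, 1, 2)), "dga"),
    }


if __name__ == "__main__":
    for name, value in evaluate_by_time_and_seed().items():
        print(f"{name:>20}: {value:.2f}")
```

The time-invariant family (`static-A`) produces the same domains on every day, so a classifier trained on it is effectively tested on its own training set unless the seed is also changed; that is why the test set above switches to `seed-B`. Splitting by time and seed rather than at random is what exposes whether a model learned the family's character statistics or merely memorized one day's domains.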
Artificial intelligence in the cyber domain: Offense and defense
Artificial intelligence techniques have grown rapidly in recent years, and their applications in practice can be seen in many fields, ranging from facial recognition to image analysis. In the cybersecurity domain, AI-based techniques can provide better cyber defense tools, but they can equally help adversaries improve their methods of attack: malicious actors are aware of the new prospects too and will probably attempt to use them for nefarious purposes. This survey paper aims at providing an overview of how artificial intelligence can be used in the context of cybersecurity in both offense and defense.
Enabling Quantum Cybersecurity Analytics in Botnet Detection: Stable Architecture and Speed-up through Tree Algorithms
For the first time, we enable the execution of hybrid quantum machine learning (HQML) methods on real quantum computers, with 100 data samples, and also with real-device-based simulations, with 5,000 data samples, thereby outperforming the current state of research of Suryotrisongko and Musashi from 2022, who worked with 1,000 data samples and ran their experiments not on real quantum devices but on quantum simulators (i.e. pure software-based emulators) only. Additionally, we beat their reported accuracy of 76.8% with an average accuracy of 89.0%, all in a total computation time of only 382 seconds; they did not report their execution time. We gain this progress by a two-fold strategy. First, we provide a stabilized quantum architecture that enables us to execute HQML algorithms on real quantum devices. Second, we design a new form of hybrid quantum binary classification algorithm based on Hoeffding decision tree algorithms. These algorithms lead to the mentioned speed-up through their batch-wise execution, which drastically reduces the number of shots needed on the real quantum device compared to standard loop-based optimizers. Their incremental nature serves the purpose of online big-data streaming for DGA botnet detection. These two steps allow us to apply hybrid quantum machine learning to cybersecurity analytics on the example of DGA botnet detection, and to show how quantum-enhanced SIEM, and thereby quantum cybersecurity analytics, is made possible. We conduct experiments using the Qiskit library with the Aer quantum simulator as well as on three different real quantum devices from Microsoft Azure Quantum, namely IonQ, Rigetti and Quantinuum. It is the first time that these tools have been combined.
Comment: 33 pages, 6 figures, 6 tables
Benchmark-Based Reference Model for Evaluating Botnet Detection Tools Driven by Traffic-Flow Analytics
Botnets are some of the most recurrent cyber-threats. They take advantage of the wide heterogeneity of endpoint devices at the Edge of emerging communication environments to enable fraud and other adversarial tactics, including malware distribution, data leaks and denial of service. There have been significant research advances in the development of accurate botnet detection methods underpinned by supervised analysis, but assessing the accuracy and performance of such detection methods requires a clear evaluation model if proper defensive strategies are to be enforced. In order to contribute to the mitigation of botnets, this paper introduces a novel evaluation scheme grounded on supervised machine learning algorithms that enable the detection and discrimination of different botnet families in real operational environments. The proposal relies on observing, understanding and inferring the behavior of each botnet family based on network indicators measured at flow level. The evaluation methodology contemplates six phases that allow building a detection model against botnet-related malware distributed through the network, for which five supervised classifiers were instantiated for comparison: Decision Tree, Random Forest, Gaussian Naive Bayes, Support Vector Machine and K-Nearest Neighbors. The experimental validation was performed on two public datasets of real botnet traffic, CIC-AWS-2018 and ISOT HTTP Botnet. Given the heterogeneity of the datasets, tuning the analysis with Grid Search improved the classification results of the instantiated algorithms. An exhaustive evaluation demonstrated the adequacy of our proposal and showed that, among the chosen algorithms, the Random Forest and Decision Tree models are the most suitable for detecting different botnet specimens: they exhibited higher precision rates while analyzing a large number of samples in less processing time. The variety of testing scenarios was thoroughly assessed and reported to set baseline results for future benchmark analysis targeted at flow-based behavioral patterns.
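Flow-level indicators and the kind of evaluation the benchmark reports, as an added example that is not code from the paper: constructed bidirectional flow records (invented values, with field names loosely modelled on CICFlowMeter-style exports rather than on either dataset named above), derived features such as bytes per packet and forward/backward byte ratio, and a Gini decision stump standing in for the paper's five classifiers, scored by precision, recall and processing time. Any classifier exposing the same fit and predict calls can be dropped into evaluate() in place of the stump, which is also where Grid Search tuning of its hyperparameters would sit.

```python
"""Added example, not code from the paper: flow-level indicators derived from
a constructed bidirectional flow export, a Gini decision stump standing in for
the paper's classifiers, and the precision / recall / processing-time numbers
the benchmark compares."""
import csv
import io
import time

# Constructed flow records (invented values, loosely following the field names of
# flow exporters such as CICFlowMeter). The "bot" rows imitate short, symmetric
# beacon flows; the "benign" rows are web downloads and DNS lookups.
FLOW_CSV = """\
src,dst,dport,duration_s,fwd_pkts,bwd_pkts,fwd_bytes,bwd_bytes,label
10.0.0.5,203.0.113.9,443,12.4,38,51,6120,48210,benign
10.0.0.5,203.0.113.9,443,9.8,21,33,3390,29870,benign
10.0.0.7,198.51.100.4,80,4.1,12,14,1810,16940,benign
10.0.0.8,203.0.113.20,443,30.2,95,140,15100,188000,benign
10.0.0.9,198.51.100.7,53,0.05,1,1,72,210,benign
10.0.0.9,198.51.100.7,53,0.04,1,1,68,180,benign
10.0.0.12,192.0.2.10,8080,0.31,4,4,248,260,bot
10.0.0.12,192.0.2.10,8080,0.29,4,4,248,262,bot
10.0.0.13,192.0.2.10,8080,0.33,4,4,250,258,bot
10.0.0.14,192.0.2.11,6667,0.40,5,5,310,330,bot
10.0.0.15,192.0.2.10,8080,0.30,4,4,249,261,bot
10.0.0.16,192.0.2.11,6667,0.38,5,5,312,328,bot
"""


def load_flows(text):
    """Parse the export and derive per-flow indicators; duration is floored so
    one-packet flows do not divide by zero."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        fwd_p, bwd_p = int(rec["fwd_pkts"]), int(rec["bwd_pkts"])
        fwd_b, bwd_b = int(rec["fwd_bytes"]), int(rec["bwd_bytes"])
        duration = max(float(rec["duration_s"]), 1e-3)
        feats = {
            "pkts_per_s": (fwd_p + bwd_p) / duration,
            "bytes_per_pkt": (fwd_b + bwd_b) / (fwd_p + bwd_p),
            "fwd_bwd_byte_ratio": fwd_b / max(bwd_b, 1),
            "duration_s": duration,
        }
        rows.append((feats, rec["label"]))
    return rows


def gini(labels):
    n = len(labels)
    return 1.0 - sum((labels.count(c) / n) ** 2 for c in set(labels)) if n else 0.0


def majority(labels):
    return max(sorted(set(labels)), key=labels.count)


class DecisionStump:
    """One-feature, one-threshold tree chosen by weighted Gini impurity."""

    def fit(self, rows):
        best = None
        for name in rows[0][0]:
            values = sorted({f[name] for f, _ in rows})
            for lo, hi in zip(values, values[1:]):          # midpoints between sorted values
                thr = (lo + hi) / 2
                left = [lab for f, lab in rows if f[name] <= thr]
                right = [lab for f, lab in rows if f[name] > thr]
                score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
                if best is None or score < best[0]:
                    best = (score, name, thr, majority(left), majority(right))
        _, self.feature, self.threshold, self.left, self.right = best
        return self

    def predict(self, feats):
        return self.left if feats[self.feature] <= self.threshold else self.right


def evaluate(rows, clf, positive="bot"):
    """Interleaved train/test split (a real benchmark would split by capture or
    by time), then precision, recall and processing time: the quantities the
    paper uses to rank its classifiers."""
    train, test = rows[0::2], rows[1::2]
    t0 = time.perf_counter()
    clf.fit(train)
    t1 = time.perf_counter()
    preds = [(clf.predict(f), lab) for f, lab in test]
    t2 = time.perf_counter()
    tp = sum(p == positive == lab for p, lab in preds)
    fp = sum(p == positive != lab for p, lab in preds)
    fn = sum(p != positive == lab for p, lab in preds)
    return {
        "feature": clf.feature, "threshold": clf.threshold,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fit_seconds": t1 - t0, "predict_seconds": t2 - t1,
    }


if __name__ == "__main__":
    print(evaluate(load_flows(FLOW_CSV), DecisionStump()))
```

On this constructed data the stump settles on bytes per packet, because the beacon flows carry small, fixed-size payloads in both directions while downloads are dominated by large backward payloads; on real captures no single flow indicator separates families this cleanly, which is why the paper needs ensembles and a multi-phase evaluation rather than one rule.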