A Comparison of Machine Learning Approaches to Detect Botnet Traffic

Abraham, Brendan; Mandya, Abhijith; Bapat, Rohan; Alali, Fatma; Brown, Don; Veeraraghavan, Malathi

doi:10.1109/ijcnn.2018.8489096

Cited by 24 publications

(27 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As described in Section 2.1, our experiments involve botnet detectors based on five different machine and deep learning algorithms that have been shown by related literature to perform well for botnet detection tasks [3,11,28,45,[61][62][63]: Random Forest (RF), Multi-Layer Perceptron (MLP), Decision Tree (DT), AdaBoost (AB), alongside the recent "Wide and Deep" (WnD) technique proposed by Google [31]. Each detector presents multiple instances, each focused on identifying a specific botnet variant within the adopted dataset-in our case, each detector has six instances (we do not consider the Sogou malware variant due its low amount of available samples).…”

Section: Developing the Baseline Detectorsmentioning

confidence: 99%

“…Each detector presents multiple instances, each focused on identifying a specific botnet variant within the adopted dataset-in our case, each detector has six instances (we do not consider the Sogou malware variant due its low amount of available samples). This design idea is motivated by the fact that ML detectors show superior performance when they are used as ensembles instead of "catch-all" solutions, in which each instance addresses a specific problem [2,18,62,63].…”

Section: Developing the Baseline Detectorsmentioning

confidence: 99%

See 1 more Smart Citation

AppCon: Mitigating Evasion Attacks to ML Cyber Detectors

et al. 2020

View full text Add to dashboard Cite

Adversarial attacks represent a critical issue that prevents the reliable integration of machine learning methods into cyber defense systems. Past work has shown that even proficient detectors are highly affected just by small perturbations to malicious samples, and that existing countermeasures are immature. We address this problem by presenting AppCon, an original approach to harden intrusion detectors against adversarial evasion attacks. Our proposal leverages the integration of ensemble learning to realistic network environments, by combining layers of detectors devoted to monitor the behavior of the applications employed by the organization. Our proposal is validated through extensive experiments performed in heterogeneous network settings simulating botnet detection scenarios, and consider detectors based on distinct machine- and deep-learning algorithms. The results demonstrate the effectiveness of AppCon in mitigating the dangerous threat of adversarial attacks in over 75% of the considered evasion attempts, while not being affected by the limitations of existing countermeasures, such as performance degradation in non-adversarial settings. For these reasons, our proposal represents a valuable contribution to the development of more secure cyber defense platforms.

show abstract

Section: Developing the Baseline Detectorsmentioning

confidence: 99%

Section: Developing the Baseline Detectorsmentioning

confidence: 99%

AppCon: Mitigating Evasion Attacks to ML Cyber Detectors

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Other botnet types can be used to test if a traffic classifier can improve a previous result. For example, we found that in the work of Abraham et al [43] the best F1 score obtained for the botnet Bunitu was 90% with an ensemble of classifiers. Moreover, the work of AlAhmadi & Martinovic [44] reported that the recall obtained for the NotPetya botnet using an RF classifier was 60%, and that 25% of the samples of this botnet were wrongly classified as produced by the botnet Miuref.…”

Section: A Botnet Detectionmentioning

confidence: 84%

“…We used all the available samples from these three botnets in their repository by the end of 2020. We selected these new particular botnets to be able to compare our study with the works of Abraham et al [43] and AlAhmadi & Martinovic [44]. The number of used TCP flows of each class in both datasets is specified in Table 2.…”

Section: Experimentation a Datasetsmentioning

confidence: 99%

Efficient Detection of Botnet Traffic by Features Selection and Decision Trees

Velasco-Mata¹,

González-Castro

Fidalgo

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Botnets are one of the online threats with the most significant presence, causing billionaire losses to global economies. Nowadays, the increasing number of devices connected to the Internet makes it necessary to analyze extensive network traffic data. In this work, we focus on increasing the performance of botnet traffic classification by selecting those features that further increase the detection rate. For this purpose, we use two feature selection techniques, i.e., Information Gain and Gini Importance, which led to three pre-selected subsets of five, six and seven features. Then, we evaluate the three feature subsets and three models, i.e., Decision Tree, Random Forest and k-Nearest Neighbors. To test the performance of the three feature vectors and the three models, we generate two datasets based on the CTU-13 dataset, namely QB-CTU13 and EQB-CTU13. Finally, we measure the performance as the macro averaged F1 score over the computational time required to classify a sample. The results show that the highest performance is achieved by Decision Trees using a five feature set, which obtained a mean F1 score of 85% classifying each sample in an average time of 0.78 microseconds.

show abstract

“…Several applications provide insights for data security, e.g. the recent papers on botnet traffic [14], data stream of network infections [15], physical intrusions in building [16]. Safety applications of anomaly detection are not common: some researches forecast specific hazards, e.g.…”

Section: Literature Reviewmentioning

confidence: 99%

Machine learning for anomaly detection and process phase classification to improve safety and maintenance activities

Quatrini

Costantino

Gravio

et al. 2020

Journal of Manufacturing Systems

View full text Add to dashboard Cite

Anomaly detection is a crucial aspect for both safety and efficiency of modern process industries. This paper proposes a two-steps methodology for anomaly detection in industrial processes, adopting machine learning classification algorithms. Starting from a real-time collection of process data, the first step identifies the ongoing process phase, the second step classifies the input data as "Expected", "Warning", or "Critical". The proposed methodology is extremely relevant where machines carry out several operations without the evidence of production phases. In this context, the difficulty of attributing the real-time measurements to a specific production phase affects the success of the condition monitoring. The paper proposes the comparison of the anomaly detection step with and without the process phase identification step, validating its absolute necessity. The methodology applies the decision forests algorithm, as a well-known anomaly detector from industrial data, and decision jungle algorithm, never tested before in industrial applications. A real case study in the pharmaceutical industry validates the proposed anomaly detection methodology, using a 10 months database of 16 process parameters from a granulation process.

show abstract

A Comparison of Machine Learning Approaches to Detect Botnet Traffic

Cited by 24 publications

References 19 publications

AppCon: Mitigating Evasion Attacks to ML Cyber Detectors

AppCon: Mitigating Evasion Attacks to ML Cyber Detectors

Efficient Detection of Botnet Traffic by Features Selection and Decision Trees

Machine learning for anomaly detection and process phase classification to improve safety and maintenance activities

Contact Info

Product

Resources

About