Efficient Detection of Botnet Traffic by Features Selection and Decision Trees

Velasco-Mata, Javier; González-Castro, V́ıctor; Fidalgo, Eduardo; Alegre, Enrique

doi:10.1109/access.2021.3108222

Cited by 34 publications

(16 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Next, the second module performs the classification using these features. Following the above-mentioned time restriction, we chose the classifier Decision Tree (DT), since it is fast in the decision 17 , and because it is possible to quickly train a new DT with traffic traces of new or modified botnets.…”

Section: Methodsmentioning

confidence: 99%

“…As the classifier for our approach, we selected a Decision Tree, following the results of our previous work 17 , in which we compared the computational costs of four different models -Decision Tree (DT), Random Forest (RF), k-Nearest Neighbors (kNN) and Support Vector Machines (SVM)-, and realized that DT was the most efficient among them. Finally, we compared our model to other three state-of-the-art approaches that could also be implemented to use time windows of one second, and we assessed that our approach was an order of magnitude faster.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Real-time botnet detection on large network bandwidths using machine learning

Velasco-Mata

González-Castro

Fidalgo

et al. 2023

Sci Rep

Self Cite

View full text Add to dashboard Cite

Botnets are one of the most harmful cyberthreats, that can perform many types of cyberattacks and cause billionaire losses to the global economy. Nowadays, vast amounts of network traffic are generated every second, hence manual analysis is impossible. To be effective, automatic botnet detection should be done as fast as possible, but carrying this out is difficult in large bandwidths. To handle this problem, we propose an approach that is capable of carrying out an ultra-fast network analysis (i.e. on windows of one second), without a significant loss in the F1-score. We compared our model with other three literature proposals, and achieved the best performance: an F1 score of 0.926 with a processing time of 0.007 ms per sample. We also assessed the robustness of our model on saturated networks and on large bandwidths. In particular, our model is capable of working on networks with a saturation of 10% of packet loss, and we estimated the number of CPU cores needed to analyze traffic on three bandwidth sizes. Our results suggest that using commercial-grade cores of 2.4 GHz, our approach would only need four cores for bandwidths of 100 Mbps and 1 Gbps, and 19 cores on 10 Gbps networks.

show abstract

Section: Methodsmentioning

confidence: 99%

mentioning

confidence: 99%

Real-time botnet detection on large network bandwidths using machine learning

Velasco-Mata

González-Castro

Fidalgo

et al. 2023

Sci Rep

Self Cite

View full text Add to dashboard Cite

show abstract

“…Velasco-Mata et al [40] has tested the feature sets of 5, 6, 7 with two filter methods, Information Gain and Gini Importance, over Decistion Tree, Random Forest, k-NN for botnet detection for multi class classification. Finally, the five feature set produced an 85% detection rate with a decision tree classifier on the QB-CTU13 [41] and EQB-CTU13 [41] datasets.…”

Section: B Feature Selectionmentioning

confidence: 99%

“…We have experimented with all tasks with the same CPU. Finally,To measure the performance of a features set of features which are derived by Filter and wrapper methods, We computed the ratio of the F1-score and the computational time to permit the measurement of the gain in detection ability regarding the computational expense of this detection [40].…”

Section: Application Of the Machine Learning Workflowmentioning

confidence: 99%

In-Depth Feature Selection for the Statistical Machine Learning-Based Botnet Detection in IoT Networks

2022

View full text Add to dashboard Cite

The attackers compromise insecure IoT devices to enlarge their botnets for the purpose of launching more influential attacks against their victims. In various studies, it is demonstrated that machine learning can be utilized for the detection of IoT botnet attacks. In this paper, we focus on the minimization of feature sets for machine learning tasks that are formulated as six different binary and multi-class classification problems based on the stages of the botnet life-cycle. More specifically, we apply filter and wrapper methods with some machine learning methods and derived the optimal feature sets for each classification problem. The experimental results show that it is possible to achieve very high detection rates with very limited number of features. Some wrapper methods guarantee an optimal feature set regardless of the problem formulation but filter methods do not achieve that in all cases. The feature selection methods more prefer channel-based features for the detection at post-attack and communication & control stages whereas host-based features are more influential for identifying the attacks originating from the bots. INDEX TERMSFeature selection, machine learning, Internet of Things, botnet, intrusion detection I. INTRODUCTION

show abstract

“…e proposed method has shown how it can perform against both normal attack data and botnet-specific attack data. Javier et al [25] focus on the method to increase the performance of botnet traffic classification. ey use Information Gain and Gini Importance to select features and evaluate the selected features through performing three models, that is, Decision Tree, Random Forest, and k-Nearest Neighbor.…”

Section: Related Workmentioning

confidence: 99%

A Protocol-Independent Botnet Detection Method Using Flow Similarity

Liang

Zhao

Chen

2022

Security and Communication Networks

View full text Add to dashboard Cite

The detection of botnets has always been a hot spot in the field of network security. However, there are still many challenges in botnet detection. Most of the current botnet detection approaches, such as machine learning and blacklists, cannot discover evolving botnet variants. These methods are usually only valid for specific botnet protocols which are not general. Even they may be difficult to deal with encrypted botnet traffic. In this paper, we design a protocol-independent botnet detection method for these challenges. Our detection method takes advantage of the group characteristic of the botnet, which is the inherent characteristics of the botnet. We use the sequence of packet length as the characteristic of a flow. Then, we calculate the similarity between these sequences to detect botnets. Our method has an excellent generality, which is not affected by encrypted traffic and the protocols of the botnet. Experiments on a challenging dataset ISCX show that the proposed method can effectively detect botnets with a high average detection rate and low false alarm, which significantly outperforms the state-of-the-art methods. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting botnets.

show abstract

Efficient Detection of Botnet Traffic by Features Selection and Decision Trees

Cited by 34 publications

References 51 publications

Real-time botnet detection on large network bandwidths using machine learning

Real-time botnet detection on large network bandwidths using machine learning

In-Depth Feature Selection for the Statistical Machine Learning-Based Botnet Detection in IoT Networks

A Protocol-Independent Botnet Detection Method Using Flow Similarity

Contact Info

Product

Resources

About