Similarity as a central approach to flow‐based anomaly detection

Drašar, Martin; Vizváry, Martin; Vykopal, Jan

doi:10.1002/nem.1867

Cited by 17 publications

(16 citation statements)

References 63 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The experimental results show that flow‐based features, such as interarrival time features, are the most representative features to model botnet communication and the highest classification accuracy is reached by C4.5 algorithm. The feature selection to detect anomaly was elaborated by Drasar et al The impact of flow‐based features to detection accuracy enhancement is evaluated.…”

Section: Related Workmentioning

confidence: 99%

Botnet detection based on network flow summary and deep learning

Pektaş

Acarman

2018

Int J Network Mgmt

View full text Add to dashboard Cite

A botnet is a group of compromised Internet-connected devices controlled remotely by cyber criminals to launch coordinated attacks and to perform various malicious activities. Since botnets continuously adapt themselves to the evolving countermeasures introduced by both network and host-based detection mechanism, the traditional approaches do not provide adequate protection to botnet threat. On the one hand, behavioral analysis of network traffic can play a key role to detect botnets. For instance, behavioral analysis can be applied to observe and discover communication patterns that botnets operate during their life cycle. On the other hand, deep learning has been successfully applied to various classification tasks, and it is also a promising solution for botnet discovery. In this paper, we apply deep neural network to detect botnet by modeling network traffic flow. The performance of the proposed method is evaluated with publicly available large-scale communication traces. The experimental results illustrate that deep learning is an efficient and effective method for identifying botnet traffic with a high true positive rate (attack detection rate) and low false positive alarm rate.Int J Network Mgmt. 2018;28:e2039.wileyonlinelibrary.com/journal/nem

show abstract

Section: Related Workmentioning

confidence: 99%

Botnet detection based on network flow summary and deep learning

Pektaş

Acarman

2018

Int J Network Mgmt

View full text Add to dashboard Cite

show abstract

“…Because of the increasing data flow rate of the Internet, the system performance of signature-based detection is falling. Consequently, some studies [21][22][23][24][25][26][27][28][29] proposed a new flow-based detection mechanism, which combines signature-based and anomaly-based methodologies with correlated honeypot logs. Of these studies, only [27,28] have prediction capability.…”

Section: Ids-based Honeypotmentioning

confidence: 99%

“…In [39], the authors utilized association rule mining using a modified Apriori algorithm to distinguish malicious flows from suspicious flows collected by histogram-based detectors [40]. It uses Mahalanobis distance for anomaly detection by means of [21] Signature based and anomaly based No Thakar et al [18] Content based No Dressler et al [22] Signature based and anomaly based No Wei-wei et al [30] Anomaly based Yes Zhan et al [31] Signature based Yes Artail et al [23] Signature based and anomaly based No Drašar et al [24] Signature based and anomaly based No Curran et al [3] Signature based No Kwon et al [32] Signature based Yes Tudorica et al [17] Signature based No Singh et al [25] Signature based and anomaly based No Jain et al [26] Signature based and anomaly based No Alosefer et al [27] Signature based and anomaly based Yes Ma et al [28] Signature based and anomaly based Yes Zhao et al [29] Signature based and anomaly based No clustering and further uses association rule mining to reduce the false positive rates. But the major drawback of Mahalanobis distance is that it requires the inversion of the covariance matrix, which may result in incorrect values.…”

Section: Mining-based Honeypotmentioning

confidence: 99%

Novel intrusion prediction mechanism based on honeypot log similarity

et al. 2016

View full text Add to dashboard Cite

SUMMARYThe current network-based intrusion detection systems have a very high rate of false alarms, and this phenomena results in significant efforts to gauge the threat level of the anomalous traffic. In this paper, we propose an intrusion detection mechanism based on honeypot log similarity analysis and data mining techniques to predict and block suspicious flows before attacks occur. With honeypot logs and association rule mining, our approach can reduce the false alarm problem of intrusion detection because only suspicious traffic would be present in the honeypots. The proposed mechanism can reduce human effort, and the entire system can operate automatically. The results of our experiments indicate that the honeypot prediction system is practical for protecting assets from attacks or misuse.

show abstract

“…Most current P2P botnet detection systems examine network traffic to detect active bots. () However, with the advent of multi‐gigabit link speeds, capturing and analyzing header and payload of every packet requires enormous amounts of computational resources and is therefore not feasible in high‐speed and high‐volume networks. To solve this problem, sampling techniques are widely used in these situations to allow the analysis of high traffic volumes with limited resources.…”

Section: Introductionmentioning

confidence: 99%

Adaptive traffic sampling for P2P botnet detection

Yang

Wang

et al. 2017

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Peer‐to‐peer (P2P) botnets have become one of the major threats to network security. Most existing botnet detection systems detect bots by examining network traffic. Unfortunately, the traffic volumes typical of current high‐speed Internet Service Provider and enterprise networks are challenging for these network‐based systems, which perform computationally complex analyses. In this paper, we propose an adaptive traffic sampling system that aims to effectively reduce the volume of traffic that P2P botnet detectors need to process while not degrading their detection accuracy. Our system first identifies a small number of potential P2P bots in high‐speed networks as soon as possible, and then samples as many botnet‐related packets as possible with a predefined target sampling rate. The sampled traffic then can be delivered to fine‐grained detectors for further in‐depth analysis. We evaluate our system using traffic datasets of real‐world and popular P2P botnets. The experiments demonstrate that our system can identify potential P2P bots quickly and accurately with few false positives and greatly increase the proportion of botnet‐related packets in the sampled packets while maintain the high detection accuracy of the fine‐grained detectors.

show abstract

Similarity as a central approach to flow‐based anomaly detection

Cited by 17 publications

References 63 publications

Botnet detection based on network flow summary and deep learning

Botnet detection based on network flow summary and deep learning

Novel intrusion prediction mechanism based on honeypot log similarity

Adaptive traffic sampling for P2P botnet detection

Contact Info

Product

Resources

About