scholarly journals An Effective Conversation-Based Botnet Detection Method

2017 ◽  
Vol 2017 ◽  
pp. 1-9 ◽  
Author(s):  
Ruidong Chen ◽  
Weina Niu ◽  
Xiaosong Zhang ◽  
Zhongliu Zhuo ◽  
Fengmao Lv
Keyword(s):  
High Speed ◽  
Detection System ◽  
False Positive Rate ◽  
Denial Of Service ◽  
Supervised Machine Learning ◽  
Detection Methods ◽  
Network Environment ◽  
Botnet Detection ◽  
Processing Technologies ◽  
High Speed Network

A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

scholarly journals Benchmark-Based Reference Model for Evaluating Botnet Detection Tools Driven by Traffic-Flow Analytics

Sensors ◽  
2020 ◽  
Vol 20 (16) ◽  
pp. 4501 ◽  
Author(s):  
Katherinne Shirley Huancayo Ramos ◽  
Marco Antonio Sotelo Monge ◽  
Jorge Maestre Vidal
Keyword(s):  
Random Forest ◽  
Decision Tree ◽  
Reference Model ◽  
Denial Of Service ◽  
Machine Learning Algorithms ◽  
Supervised Machine Learning ◽  
Evaluation Methodology ◽  
Detection Methods ◽  
Support Vector ◽  
Botnet Detection

Botnets are some of the most recurrent cyber-threats, which take advantage of the wide heterogeneity of endpoint devices at the Edge of the emerging communication environments for enabling the malicious enforcement of fraud and other adversarial tactics, including malware, data leaks or denial of service. There have been significant research advances in the development of accurate botnet detection methods underpinned on supervised analysis but assessing the accuracy and performance of such detection methods requires a clear evaluation model in the pursuit of enforcing proper defensive strategies. In order to contribute to the mitigation of botnets, this paper introduces a novel evaluation scheme grounded on supervised machine learning algorithms that enable the detection and discrimination of different botnets families on real operational environments. The proposal relies on observing, understanding and inferring the behavior of each botnet family based on network indicators measured at flow-level. The assumed evaluation methodology contemplates six phases that allow building a detection model against botnet-related malware distributed through the network, for which five supervised classifiers were instantiated were instantiated for further comparisons—Decision Tree, Random Forest, Naive Bayes Gaussian, Support Vector Machine and K-Neighbors. The experimental validation was performed on two public datasets of real botnet traffic—CIC-AWS-2018 and ISOT HTTP Botnet. Bearing the heterogeneity of the datasets, optimizing the analysis with the Grid Search algorithm led to improve the classification results of the instantiated algorithms. An exhaustive evaluation was carried out demonstrating the adequateness of our proposal which prompted that Random Forest and Decision Tree models are the most suitable for detecting different botnet specimens among the chosen algorithms. They exhibited higher precision rates whilst analyzing a large number of samples with less processing time. The variety of testing scenarios were deeply assessed and reported to set baseline results for future benchmark analysis targeted on flow-based behavioral patterns.

Multi-Aspect DDOS Detection System for Securing Cloud Network

2019 ◽  
pp. 1952-1983
Author(s):  
Pourya Shamsolmoali ◽  
Masoumeh Zareapoor ◽  
M.Afshar Alam
Keyword(s):  
Cloud Computing ◽  
Detection System ◽  
Denial Of Service ◽  
Complex Form ◽  
Internet Security ◽  
Detection Methods ◽  
Ddos Attacks ◽  
Dos Attacks ◽  
Ddos Detection ◽  
Cloud Network

Distributed Denial of Service (DDoS) attacks have become a serious attack for internet security and Cloud Computing environment. This kind of attacks is the most complex form of DoS (Denial of Service) attacks. This type of attack can simply duplicate its source address, such as spoofing attack, which defending methods do not able to disguises the real location of the attack. Therefore, DDoS attack is the most significant challenge for network. In this chapter we present different aspect of security in Cloud Computing, mostly we concentrated on DDOS Attacks. The Authors illustrated all types of Dos Attacks and discussed the most effective detection methods.

scholarly journals MALGRA: Machine Learning and N-Gram Malware Feature Extraction and Detection System

Electronics ◽  
2020 ◽  
Vol 9 (11) ◽  
pp. 1777
Author(s):  
Muhammad Ali ◽  
Stavros Shiaeles ◽  
Gueltoum Bendiab ◽  
Bogdan Ghita
Keyword(s):  
Machine Learning ◽  
Learning Algorithm ◽  
Detection System ◽  
Malware Detection ◽  
Machine Learning Algorithms ◽  
Supervised Machine Learning ◽  
Detection Methods ◽  
Normal Operation ◽  
Analysis Technique ◽  
N Gram

Detection and mitigation of modern malware are critical for the normal operation of an organisation. Traditional defence mechanisms are becoming increasingly ineffective due to the techniques used by attackers such as code obfuscation, metamorphism, and polymorphism, which strengthen the resilience of malware. In this context, the development of adaptive, more effective malware detection methods has been identified as an urgent requirement for protecting the IT infrastructure against such threats, and for ensuring security. In this paper, we investigate an alternative method for malware detection that is based on N-grams and machine learning. We use a dynamic analysis technique to extract an Indicator of Compromise (IOC) for malicious files, which are represented using N-grams. The paper also proposes TF-IDF as a novel alternative used to identify the most significant N-grams features for training a machine learning algorithm. Finally, the paper evaluates the proposed technique using various supervised machine-learning algorithms. The results show that Logistic Regression, with a score of 98.4%, provides the best classification accuracy when compared to the other classifiers used.

Packet Sampling Applications in Campus High-Speed Network Intrusion Detection System

2013 ◽  
Vol 760-762 ◽  
pp. 2010-2013
Author(s):  
Hui Qing Qiu ◽  
Cong Wang ◽  
Jie Lu
Keyword(s):  
Intrusion Detection ◽  
Intrusion Detection System ◽  
High Speed ◽  
Detection System ◽  
Network Intrusion Detection ◽  
Network Intrusion ◽  
High Speed Network ◽  
Network Intrusion Detection System ◽  
Packet Sampling ◽  
And Performance

A technique of high-speed network intrusion detection system based on packet sampling theory is proposed. Starting with basic principles of packet sampling, this paper first analyses the significant mathematical conclusion of sampling strategies, then after discussing current strategies, mechanism and performance of different packet sampling methods, we specify an efficient strategy of packet sampling. Results show that this method can attain above 55% accurate rate with below 1% false rate in 94 specified attacking cases from DARPA 2000 IDS evaluation dataset.

scholarly journals RT-SAD: Real-Time Sketch-Based Adaptive DDoS Detection for ISP Network

2021 ◽  
Vol 2021 ◽  
pp. 1-10
Author(s):  
Haibin Shi ◽  
Guang Cheng ◽  
Ying Hu ◽  
Fuzhou Wang ◽  
Haoxuan Ding
Keyword(s):  
Real Time ◽  
High Speed ◽  
Attack Detection ◽  
Detection Accuracy ◽  
Network Environment ◽  
The Real ◽  
Feature Extraction Method ◽  
Ddos Attack ◽  
High Speed Network ◽  
Ddos Attack Detection

With the great changes in network scale and network topology, the difficulty of DDoS attack detection increases significantly. Most of the methods proposed in the past rarely considered the real-time, adaptive ability, and other practical issues in the real-world network attack detection environment. In this paper, we proposed a real-time adaptive DDoS attack detection method RT-SAD, based on the response to the external network when attacked. We designed a feature extraction method based on sketch and an adaptive updating algorithm, which makes the method suitable for the high-speed network environment. Experiment results show that our method can detect DDoS attacks using sampled Netflowunder high-speed network environment, with good real-time performance, low resource consumption, and high detection accuracy.

scholarly journals Fingerprinting Network Entities Based on Traffic Analysis in High-Speed Network Environment

2018 ◽  
Vol 2018 ◽  
pp. 1-15
Author(s):  
Xiaodan Gu ◽  
Ming Yang ◽  
Yiting Zhang ◽  
Peilong Pan ◽  
Zhen Ling
Keyword(s):  
High Speed ◽  
Performance Test ◽  
Time Lapse ◽  
Traffic Analysis ◽  
Network Environment ◽  
Environment Analysis ◽  
Novel Device ◽  
Online Identification ◽  
High Speed Network ◽  
Feature Dimension

For intrusion detection, it is increasingly important to detect the suspicious entities and potential threats. In this paper, we introduce the identification technologies of network entities to detect the potential intruders. However, traditional entities identification technologies based on the MAC address, IP address, or other explicit identifiers can be deactivated if the identifier is hidden or tampered. Meanwhile, the existing fingerprinting technology is also restricted by its limited performance and excessive time lapse. In order to realize entities identification in high-speed network environment, PFQ kernel module and Storm are used for high-speed packet capture and online traffic analysis, respectively. On this basis, a novel device fingerprinting technology based on runtime environment analysis is proposed, which employs logistic regression to implement online identification with a sliding window mechanism, reaching a recognition accuracy of 77.03% over a 60-minute period. In order to realize cross-device user identification, Web access records, domain names in DNS responses, and HTTP User-Agent information are extracted to constitute user behavioral fingerprints for online identification with Multinomial Naive Bayes model. When the minimum effective feature dimension is set to 9, it takes only 5 minutes to reach an accuracy of 79.51%. Performance test results show that the proposed methods can support over 10Gbps traffic capture and online analysis, and the system architecture is justified in practice because of its practicability and extensibility.

scholarly journals An Overview of Distributed Denial of Service Traffic Detection Approaches

2019 ◽  
Vol 31 (4) ◽  
pp. 453-464
Author(s):  
Ivan Cvitić ◽  
Dragan Peraković ◽  
Marko Periša ◽  
Siniša Husnjak
Keyword(s):  
Critical Infrastructure ◽  
Detection System ◽  
Autonomous Vehicle ◽  
Denial Of Service ◽  
Model Development ◽  
Detection Methods ◽  
Future Research ◽  
Distributed Denial Of Service ◽  
Negative Consequences ◽  
Iot Devices

The availability of information and communication (IC) resources is a growing problem caused by the increase in the number of users, IC services, and the capacity constraints. IC resources need to be available to legitimate users at the required time. The availability is of crucial importance in IC environments such as smart city, autonomous vehicle, or critical infrastructure management systems. In the mentioned and similar environments the unavailability of resources can also have negative consequences on people's safety. The distributed denial of service (DDoS) attacks and traffic that such attacks generate, represent a growing problem in the last decade. Their goal is to disable access to the resources for legitimate users. This paper analyses the trends of such traffic which indicates the importance of its detection methods research. The paper also provides an overview of the currently used approaches used in detection system and model development. Based on the analysis of the previous research, the disadvantages of the used approaches have been identified which opens the space and gives the direction for future research. Besides the mentioned this paper highlights a DDoS traffic generated through Internet of things (IoT) devices as an evolving threat that needs to be taken into consideration in the future studies.

Sign in / Sign up

Export Citation Format

Share Document