An analysis of network traffic classification for botnet detection

Research output: Contribution to book/anthology/report/conference proceeding; Article in proceeding; Research; peer-review

Abstract

Botnets represent one of the most serious threats to Internet security today. This paper explores how network traffic classification can be used for accurate and efficient identification of botnet network activity in local and enterprise networks. The paper examines the effectiveness of detecting botnet network traffic using three methods that target the protocols widely considered the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. We propose three traffic classification methods based on the Random Forests classifier. The proposed methods have been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse non-malicious applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols. Future work will be devoted to the optimization of traffic analysis and the correlation of findings from the three analysis methods in order to identify compromised hosts within the network.
Original language: English
Title of host publication: The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015
Number of pages: 8
Publisher: IEEE Press
Publication date: Aug 2015
ISBN (Print): 9781467367974
DOIs: 10.1109/CyberSA.2015.7361120
Publication status: Published - Aug 2015
Event: International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 - London, United Kingdom
Duration: 8 Jun 2015 to 9 Jun 2015

Conference

Conference: International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015
Country: United Kingdom
City: London
Period: 08/06/2015 to 09/06/2015
Series: International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)

Fingerprint

  • Classifiers
  • Internet
  • Network protocols
  • Botnet
  • Experiments

Keywords

  • Botnet
  • Botnet Detection
  • Traffic Analysis
  • Traffic Classification
  • MLAs
  • Random Forests
  • Features Selection

Cite this

Stevanovic, M., & Pedersen, J. M. (2015). An analysis of network traffic classification for botnet detection. In The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015. IEEE Press. International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA). https://doi.org/10.1109/CyberSA.2015.7361120
Stevanovic, Matija ; Pedersen, Jens Myrup. / An analysis of network traffic classification for botnet detection. The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015. IEEE Press, 2015. (International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)).
@inproceedings{42e92cf2fcc84aaaaccd3b8efa3aad5b,
title = "An analysis of network traffic classification for botnet detection",
abstract = "Botnets represent one of the most serious threats to Internet security today. This paper explores how network traffic classification can be used for accurate and efficient identification of botnet network activity in local and enterprise networks. The paper examines the effectiveness of detecting botnet network traffic using three methods that target the protocols widely considered the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. We propose three traffic classification methods based on the Random Forests classifier. The proposed methods have been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse non-malicious applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols. Future work will be devoted to the optimization of traffic analysis and the correlation of findings from the three analysis methods in order to identify compromised hosts within the network.",
keywords = "Botnet, Botnet Detection, Traffic Analysis, Traffic Classification, MLAs, Random Forests, Features Selection",
author = "Matija Stevanovic and Pedersen, {Jens Myrup}",
year = "2015",
month = "8",
doi = "10.1109/CyberSA.2015.7361120",
language = "English",
isbn = "9781467367974",
booktitle = "The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015",
publisher = "IEEE Press",
}

Stevanovic, M & Pedersen, JM 2015, An analysis of network traffic classification for botnet detection. in The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015. IEEE Press, International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA), International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 , London, United Kingdom, 08/06/2015. https://doi.org/10.1109/CyberSA.2015.7361120

An analysis of network traffic classification for botnet detection. / Stevanovic, Matija; Pedersen, Jens Myrup.

The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015. IEEE Press, 2015.

TY - GEN

T1 - An analysis of network traffic classification for botnet detection

AU - Stevanovic, Matija

AU - Pedersen, Jens Myrup

PY - 2015/8

Y1 - 2015/8

N2 - Botnets represent one of the most serious threats to Internet security today. This paper explores how network traffic classification can be used for accurate and efficient identification of botnet network activity in local and enterprise networks. The paper examines the effectiveness of detecting botnet network traffic using three methods that target the protocols widely considered the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. We propose three traffic classification methods based on the Random Forests classifier. The proposed methods have been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse non-malicious applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols. Future work will be devoted to the optimization of traffic analysis and the correlation of findings from the three analysis methods in order to identify compromised hosts within the network.

AB - Botnets represent one of the most serious threats to Internet security today. This paper explores how network traffic classification can be used for accurate and efficient identification of botnet network activity in local and enterprise networks. The paper examines the effectiveness of detecting botnet network traffic using three methods that target the protocols widely considered the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. We propose three traffic classification methods based on the Random Forests classifier. The proposed methods have been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse non-malicious applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols. Future work will be devoted to the optimization of traffic analysis and the correlation of findings from the three analysis methods in order to identify compromised hosts within the network.

KW - Botnet

KW - Botnet Detection

KW - Traffic Analysis

KW - Traffic Classification

KW - MLAs

KW - Random Forests

KW - Features Selection

U2 - 10.1109/CyberSA.2015.7361120

DO - 10.1109/CyberSA.2015.7361120

M3 - Article in proceeding

SN - 9781467367974

BT - The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015

PB - IEEE Press

ER -

Stevanovic M, Pedersen JM. An analysis of network traffic classification for botnet detection. In The proceedings of International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015. IEEE Press. 2015. (International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)). https://doi.org/10.1109/CyberSA.2015.7361120