An analysis of Recurrent Neural Networks for Botnet detection behavior

Result code in IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F16%3A00306877" target="_blank" >RIV/68407700:21230/16:00306877 - isvavai.cz</a>

Result on the web

<a href="http://ieeexplore.ieee.org/document/7585247/" target="_blank" >http://ieeexplore.ieee.org/document/7585247/</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/ARGENCON.2016.7585247" target="_blank" >10.1109/ARGENCON.2016.7585247</a>

Result language

angličtina

Original language name

An analysis of Recurrent Neural Networks for Botnet detection behavior

Original language description

A Botnet can be conceived as a group of compromised computers which can be controlled remotely to execute coordinated attacks or commit fraudulent acts. The fact that Botnets keep continuously evolving means that traditional detection approaches are always one step behind. Recently, the behavior analysis of network traffic has arisen as a way to tackle the Botnet detection problem. The behavioral analysis approach aims to look at the common patterns that Botnets follow across their life cycle, trying to generalize in order to become capable of detecting unseen Botnet traffic. This work provides an analysis of the viability of Recurrent Neural Networks (RNN) to detect the behavior of network traffic by modeling it as a sequence of states that change over time. The recent success applying RNN to sequential data problems makes them a viable candidate on the task of sequence behavior analysis. The performance of a RNN is evaluated considering two main issues, the imbalance of network traffic and the optimal length of sequences. Both issues have a great impact in potentially real-life implementation. Evaluation is performed using a stratified k-fold cross validation and an independent test is conducted on not previously seen traffic belonging to a different Botnet. Preliminary results reveal that the RNN is capable of classifying the traffic with a high attack detection rate and an very small false alarm rate, which makes it a potential candidate for implementation and deployment on real-world scenarios. However, experiments exposed the fact that RNN detection models have problems for dealing with traffic behaviors not easily differentiable as well as some particular cases of imbalanced network traffic.

Czech name

—

Czech description

—

Type

D - Article in proceedings

CEP classification

IN - Informatics

OECD FORD branch

—

Project

—

Continuities

I - Institucionalni podpora na dlouhodoby koncepcni rozvoj vyzkumne organizace

Publication year

2016

Confidentiality

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Article name in the collection

2016 IEEE Biennial Congress of Argentina

ISBN

978-1-4673-9764-3

ISSN

—

e-ISSN

—

Number of pages

6

Pages from-to

—

Publisher name

American Institute of Physics and Magnetic Society of the IEEE

Place of publication

San Francisco

Event location

Buenos Aires

Event date

Jun 15, 2016

Type of event by nationality

WRD - Celosvětová akce

UT code for WoS article

000386665200011