Botnet Detection on TCP Traffic Using Supervised Machine Learning

Javier Velasco Mata; Eduardo Fidalgo Fernández; Víctor González Castro; Enrique Alegre Gutiérrez; Pablo Blanco Medina

Ayuda

Botnet Detection on TCP Traffic Using Supervised Machine Learning

Javier Velasco-Mata ^[1] ^[2] ; Eduardo Fidalgo ^[1] ^[2] ; Víctor González-Castro ^[1] ^[2] ; Enrique Alegre ^[1] ^[2] ; Pablo Blanco-Medina ^[1] ^[2]
1. [1] Universidad de León
  
  Universidad de León
  
  León, España
2. [2] INCIBE (Spanish National Cybersecurity Institute, León)
Localización: Hybrid Artificial Intelligent Systems. 14th International Conference, HAIS 2019: León, Spain, September 4–6, 2019. Proceedings / coord. por Hilde Pérez García, Lidia Sánchez González, Manuel Castejón Limas, Héctor Quintián Pardo, Emilio Santiago Corchado Rodríguez, 2019, ISBN 978-3-030-29858-6, págs. 444-455
Idioma: inglés
Enlaces
- Texto completo
Resumen
- The increase of botnet presence on the Internet has made it necessary to detect their activity in order to prevent them to attack and spread over the Internet. The main methods to detect botnets are traffic classifiers and sinkhole servers, which are special servers designed as a trap for botnets. However, sinkholes also receive non-malicious automatic online traffic and therefore they also need to use traffic classifiers. For these reasons, we have created two new datasets to evaluate classifiers: the TCP-Int dataset, built from publicly available TCP Internet traces of normal traffic and of three botnets, Kelihos, Miuref and Sality; and the TCP-Sink dataset based on traffic from a private sinkhole server with traces of the Conficker botnet and of automatic normal traffic. We used the two datasets to test four well-known Machine Learning classifiers: Decision Tree, k-Nearest Neighbours, Support Vector Machine and Naïve Bayes. On the TCP-Int dataset, we used the F1 score to measure the capability to identify the type of traffic, i.e., if the trace is normal or from one of the three considered botnets, while on the TCP-Sink we used ROC curves and the corresponding AUC score since it only presents two classes: non-malicious or botnet traffic. The best performance was achieved by Decision Tree, with a 0.99 F1 score and a 0.99 AUC score on the TCP-Int and the TCP-Sink datasets respectively.