Machine Learning Based Botnet Detection in Software Defined Networks

Farhan Tariq, S. Baig
Citations: 7

Abstract

This paper proposes a flow-based approach to detecting botnets by applying machine learning algorithms in software defined networks without reading packet payloads. The proposed work uses network flows as input and processes them in two window-based modules to extract a statistical feature set for classification. The first module processes the network flow stream to extract flow traces. The window size of this module is 10, which means a flow trace consisting of 10 flows is considered a trace of interest and is forwarded to the next module for further processing. The second module processes the selected trace and fetches the historical flows from the last 60-minute window for the source and destination IPs of the trace. The feature set is extracted from the selected trace and the relevant historical flows. The approach applies a supervised decision-tree-based machine learning algorithm to create a model during a training phase using the extracted feature set. This model is then used to classify flow traces during the testing phase. The dataset for experimentation is extracted from publicly available real botnet and normal traces. The experimental findings show that the method is capable of detecting unknown botnets. The results show a detection rate of 97% for known botnets and 90% for unknown botnets.
Source journal: International Journal of Security and Its Applications (Computer Science, Information Systems)
Self-citation rate: 0.00%
Articles published: 0
Journal description: IJSIA aims to facilitate and support research related to security technology and its applications. The journal provides a venue for academic and industry professionals to discuss recent progress in the area of security technology and its applications. Journal topics: Access Control; Ad Hoc & Sensor Network Security; Applied Cryptography; Authentication and Non-repudiation; Cryptographic Protocols; Denial of Service; E-Commerce Security; Identity and Trust Management; Information Hiding; Insider Threats and Countermeasures; Intrusion Detection & Prevention; Network & Wireless Security; Peer-to-Peer Security; Privacy and Anonymity; Secure Installation, Generation and Operation; Security Analysis Methodologies; Security Assurance; Security in Software Outsourcing; Security Products or Systems; Security Technology; Systems and Data Security.