使用无监督机器学习检测异常DNS流量

2020 4th Cyber Security in Networking Conference (CSNet) Pub Date : 2020-10-21 DOI:10.1109/CSNet50428.2020.9265466

Thi Quynh Nguyen, R. Laborde, A. Benzekri, Bruno Qu’hen

{"title":"使用无监督机器学习检测异常DNS流量","authors":"Thi Quynh Nguyen, R. Laborde, A. Benzekri, Bruno Qu’hen","doi":"10.1109/CSNet50428.2020.9265466","DOIUrl":null,"url":null,"abstract":"Nowadays, complex attacks like Advanced Persistent Threats (APTs) often use tunneling techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Companies try to identify these APTs by defining rules on their intrusion detection system, but it is a hard task that requires a lot of time and effort. In this study, we compare the performance of four unsupervised machine-learning algorithms: K-means, Gaussian Mixture Model (GMM), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), and Local Outlier Factor (LOF) on the Boss of the SOC Dataset Version 1 (Botsv1) dataset of the Splunk project to detect malicious DNS traffics. Then we propose an approach that combines DBSCAN and K Nearest Neighbor (KNN) to achieve 100% detection rate and between 1.6% and 2.3% false-positive rate. A simple post-analysis consisting in ranking the IP addresses according to the number of requests or volume of bytes sent determines the infected machines.","PeriodicalId":234911,"journal":{"name":"2020 4th Cyber Security in Networking Conference (CSNet)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Detecting abnormal DNS traffic using unsupervised machine learning\",\"authors\":\"Thi Quynh Nguyen, R. Laborde, A. Benzekri, Bruno Qu’hen\",\"doi\":\"10.1109/CSNet50428.2020.9265466\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Nowadays, complex attacks like Advanced Persistent Threats (APTs) often use tunneling techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Companies try to identify these APTs by defining rules on their intrusion detection system, but it is a hard task that requires a lot of time and effort. In this study, we compare the performance of four unsupervised machine-learning algorithms: K-means, Gaussian Mixture Model (GMM), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), and Local Outlier Factor (LOF) on the Boss of the SOC Dataset Version 1 (Botsv1) dataset of the Splunk project to detect malicious DNS traffics. Then we propose an approach that combines DBSCAN and K Nearest Neighbor (KNN) to achieve 100% detection rate and between 1.6% and 2.3% false-positive rate. A simple post-analysis consisting in ranking the IP addresses according to the number of requests or volume of bytes sent determines the infected machines.\",\"PeriodicalId\":234911,\"journal\":{\"name\":\"2020 4th Cyber Security in Networking Conference (CSNet)\",\"volume\":\"25 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-10-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 4th Cyber Security in Networking Conference (CSNet)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CSNet50428.2020.9265466\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 4th Cyber Security in Networking Conference (CSNet)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSNet50428.2020.9265466","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

如今，像高级持续性威胁(apt)这样的复杂攻击通常使用隧道技术来避免被入侵检测系统(IDS)、安全事件信息管理(SIEMs)或防火墙等安全系统检测到。公司试图通过在入侵检测系统上定义规则来识别这些apt，但这是一项艰巨的任务，需要大量的时间和精力。在本研究中，我们比较了四种无监督机器学习算法:K-means、高斯混合模型(GMM)、基于密度的带噪声应用空间聚类(DBSCAN)和局部离群因子(LOF)在Splunk项目SOC数据集版本1 (Botsv1)数据集的Boss上检测恶意DNS流量的性能。然后，我们提出了一种结合DBSCAN和K最近邻(KNN)的方法，可以实现100%的检测率和1.6% ~ 2.3%的假阳性率。简单的后期分析包括根据请求数量或发送的字节量对IP地址进行排名，以确定受感染的计算机。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Detecting abnormal DNS traffic using unsupervised machine learning

Nowadays, complex attacks like Advanced Persistent Threats (APTs) often use tunneling techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Companies try to identify these APTs by defining rules on their intrusion detection system, but it is a hard task that requires a lot of time and effort. In this study, we compare the performance of four unsupervised machine-learning algorithms: K-means, Gaussian Mixture Model (GMM), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), and Local Outlier Factor (LOF) on the Boss of the SOC Dataset Version 1 (Botsv1) dataset of the Splunk project to detect malicious DNS traffics. Then we propose an approach that combines DBSCAN and K Nearest Neighbor (KNN) to achieve 100% detection rate and between 1.6% and 2.3% false-positive rate. A simple post-analysis consisting in ranking the IP addresses according to the number of requests or volume of bytes sent determines the infected machines.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2020 4th Cyber Security in Networking Conference (CSNet)

自引率

0.00%

发文量