B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

Hostiadi, Dandy Pramana; Wibisono, Waskitho; Ahmad, Tohari

doi:10.3837/tiis.2020.10.014

Cited by 4 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Graph visualization-based analysis techniques are often implemented in botnet attack analysis techniques [15,22], attack event analysis [23], or event forensics [24]. In [15,22], simple visualization can be done by identifying the direction of the attacker's communication in graph-directed interaction (GDI), representing the attack as a node and communication as an edge. Rabzelj et al [23] conducted an attack analysis with data distribution originating from an intrusion detection system known as a honeypot.…”

Section: Related Workmentioning

confidence: 99%

Botnet Attack Analysis through Graph Visualization

2024

IJIES

View full text Add to dashboard Cite

Botnet attacks on computer networks require proper handling because they can have dangerous consequences. Botnets are dynamic and able to evolve quickly. A botnet can resemble normal activity, making it challenging to detect. Previous research has introduced botnet detection models but has not focused on analyzing intensity behavior based on incoming and outgoing flows in graph visualization. This analysis is needed to get the botnet attack flow. This paper proposes a detection and comprehensive analysis of botnet attack behavior based on a directed graph. The goal is to detect the attacker and extract the behavior from the directed graph. First, all network traffic is grouped based on the time distance between activities. Visualization is carried out by representing the attacker and target as nodes in every activity group and analyzing the direction of communication in the form of in-degree and out-degree. Meanwhile, interactions are represented in edges and weighted edges based on activity intensity. Then, all graph representation is extracted for classification using random forest, decision tree, support vector classification, Naïve bayes, k -nearest neighbors, logistic regression, and XGBoost. In the experiment, three different datasets are used, namely CTU-13, NCC-1, and NCC-2. The proposed approaches perform well, with an average of 99.97% accuracy, 46.82% precision, and 83.33% recall. These results can form a knowledge base of botnet attacks that can be used in attack detection models on the network.

show abstract

Section: Related Workmentioning

confidence: 99%

Botnet Attack Analysis through Graph Visualization

2024

IJIES

View full text Add to dashboard Cite

show abstract

“…The intended relationship was the similarity between the two attacker activities. If two different attackers are represented as nodes A and B, there may be a difference in similarity between A to B and B to A [24]. To determine whether two attacking objects are similar and have a substantial similarity value, it is necessary to analyze the similarity threshold value [25].…”

Section: Dynamic Threshold Analysismentioning

confidence: 99%

The Optimization of the ARP Poisoning Attack Detection Model Using a Similar Approach Based on NetFlow Analysis

Atmojo,

Hostiadi,

Susila

et al. 2023

LKJITI

View full text Add to dashboard Cite

Information security and threats are a concern in the cyber era. Attacks can be malicious activities. One of them is known as ARP poisoning attack activity, which attacks by falsifying a computer's identity through illegal access to retrieve confidential information in a target computer. Besides, it has also caused service deadlocks in the network. Previous studies have been introduced for the ARP Attack Detection model using rule-based and mining-based. Still, they cannot show optimal detection performance and obtain high false positive results. This paper proposed a detection model for ARP poisoning attacks using a similarity measurement approach adopting cosine similarity. The goal is to obtain measurements of host activities similar to ARP poisoning attacks. The experiment results showed that the model got an accuracy of 97.25%, recall of 96.43%, and precision of 81% with a similarity threshold value of 0.488. Comparison results with previous studies showed higher detection accuracy than previous studies and some classification methods. It shows that the model can improve intrusion detection performance and facilitate network administrators to analyze ARP poisoning attacks in computer networks.

show abstract