Improving Botnet Detection with Recurrent Neural Network and Transfer Learning

Kim, Jeeyung; Sim, Alex; Kim, Jinoh; Wu, Kesheng; Hahm, Jaegyoon

doi:10.48550/arxiv.2104.12602

Cited by 2 publications

(2 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As the first-level mining is performed without using the attack labels, this part of the training is unsupervised. Note that here we only mine flows originating from a single source IP address at a time; this is quite well-aligned with anomaly detection solutions that often predict the anomalous sources in a given time-slot since aggregation of flows at source level gives more information for better classification [2], [3].…”

Section: Attack Mining and Identification A First-level Mining: Extra...mentioning

confidence: 74%

“…Analyzing network traffic helps in detecting and identifying the threats and attacks faced by organizations. Past works have attempted to detect (often specific) attacks using supervised learning approaches that model the attack detection as a binary classification problem [1], [2], where labeled data of two classes of network traffic-normal and anomalous-are gathered and provided for training the models. However, network traffic (of, say, enterprises) tends to be noisy due to the large number of users, evolving landscape of applications and protocols (e.g., adoption of TLS 1.3 and HTTP/3), increasing use of new smart devices, etc.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

APEX: Characterizing Attack Behaviors from Network Anomalies

Sudheera

Tian

Divakaran³

et al. 2022

2022 IEEE International Performance, Computing, and Communications Conference (IPCCC)

View full text Add to dashboard Cite

Networks regularly face various threats and attacks that manifest in their communication traffic. Recent works proposed unsupervised approaches, e.g., using a variational autoencoder, that are not only effective in detecting anomalies in network traffic, but also practical as they do not require ground truth or labeled data. However, the problem of characterizing anomalies into different attack behaviors is still less explored; in this work, we study this specific problem. We develop APEX, a framework that employs data mining approaches in a semisupervised way to extract the attack patterns from anomalous traffic and links them to specific attack types. APEX comprises two levels of mining: the first level extracts patterns in anomalous network flows, and the second level characterizes behaviors in the extracted patterns into different attack classes. We carry out extensive experiments on real network traces obtained from the MAWI traffic archive. The evaluations demonstrate that APEX is effective in extracting distinguishable behaviors of network attacks from anomalous traffic, and provide useful insights to security analysts investigating the anomalies.

show abstract

Section: Attack Mining and Identification A First-level Mining: Extra...mentioning

confidence: 74%

Section: Introductionmentioning

confidence: 99%

APEX: Characterizing Attack Behaviors from Network Anomalies

Sudheera

Tian

Divakaran³

et al. 2022

2022 IEEE International Performance, Computing, and Communications Conference (IPCCC)

View full text Add to dashboard Cite

show abstract

APEX: Characterizing Attack Behaviors from Network Anomalies

Sudheera¹,

Tian²,

Divakaran³

et al. 2022

Preprint

View full text Add to dashboard Cite

<p> Networks regularly face various threats and attacks that manifest in their communication traffic. Recent works proposed unsupervised approaches, e.g., using a variational autoencoder, that are not only effective in detecting anomalies in network traffic, but also practical as they do not require ground truth or labeled data. However, the problem of characterizing anomalies into different attack behaviors is still less explored; in this work, we study this specific problem. We develop APEX, a framework that employs data mining approaches in a semi-supervised way to extract the attack patterns from anomalous traffic and links them to specific attack types. APEX comprises two levels of mining: the first level extracts patterns in anomalous network flows, and the second level characterizes behaviors in the extracted patterns into different attack classes. We carry out extensive experiments on real network traces obtained from the MAWI traffic archive. The evaluations demonstrate that APEX is effective in extracting distinguishable behaviors of network attacks from anomalous traffic, and provide useful insights to security analysts investigating the anomalies. </p>

show abstract

Improving Botnet Detection with Recurrent Neural Network and Transfer Learning

Cited by 2 publications

References 27 publications

APEX: Characterizing Attack Behaviors from Network Anomalies

APEX: Characterizing Attack Behaviors from Network Anomalies

APEX: Characterizing Attack Behaviors from Network Anomalies

Contact Info

Product

Resources

About