SAFEM: Scalable analysis of flows with entropic measures and SVM

Jérôme, François; Wagner, Cynthia; State, Radu; Engel, Thomas

doi:10.1109/noms.2012.6211943

Cited by 7 publications

(3 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…3) Other methods: use various entropy measures. For instance, [23] proposes a technique to detect large-scale anomalies in the network traffic, by measuring the deviation between the profiles of normal traffic and incoming flow records. [10] proposes a behavioral botnet detection method using Markov Chains to model the different states in the C&C channel.…”

Section: A Flow-based Techniquesmentioning

confidence: 99%

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Blaise

Bouet

Conan

et al. 2020

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Efficient bot detection is a crucial security matter and widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graphbased features, incurring however in scalability issues, with high time and space complexity. Bots exhibit specific communication patterns: they use particular protocols, contact specific domains, hence can be identified by analyzing their communication with the outside. A way we follow to simplify the communication graph and avoid scalability issues is looking at frequency distributions of protocol attributes capturing the specificity of botnets behaviour. We propose a bot detection technique named BotFP, for BotFin-gerPrinting, which acts by (i) characterizing hosts behaviour with attribute frequency distribution signatures, (ii) learning benign hosts and bots behaviours through either clustering or supervised Machine Learning (ML), and (iii) classifying new hosts either as bots or benign ones, using distances to labelled clusters or relying on a ML algorithm. We validate BotFP on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Compared to state-of-the-art techniques, we show that BotFP is more lightweight, can handle large amounts of data, and shows better accuracy.

show abstract

Section: A Flow-based Techniquesmentioning

confidence: 99%

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Blaise

Bouet

Conan

et al. 2020

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…SVMs are suitable for learning on a large set of examples and because of that are commonly used in traffic classification [10,24,31] and anomaly detection systems [11,18,4]. Unlike other classification algorithms, SVMs tend to use all the available features by combining them in a linear way.…”

Section: Support Vector Machinesmentioning

confidence: 99%

A Small Data Approach to Identification of Individuals on the Transport Layer using Statistical Behaviour Templates

Abt

Gärtner

Baier

2014

Proceedings of the 7th International Conference on Security of Information and Networks

View full text Add to dashboard Cite

Our daily life is dominated by constant Internet connectivity. In order to retrieve up-to-date information and to share personal experiences and impressions, our computers and mobile devices periodically communicate with servers or peers. During this data exchange, we constantly leave digital traces on different systems across the communication stack. These traces can be used to compute profiles of individuals. While such profiles may be used to increase user experience and convenience, they seriously affect privacy of individuals. Typically, service providers like Google or Facebook collect gigabytes to terabytes of user payload data to compute user profiles from. That is, they make use of a big data approach. In contrast to that, this paper shows a novel small data approach to compute profiles using behaviour templates derived from IP address and port number statistics. Our use case is to increase network security through concurrent identification. Our approach is capable of identifying individuals with true-and false-positive rates of 0.995 and 0.001, respectively, without relying on payload information, significantly outperforming related work.

show abstract

“…An SVM is a supervised learning approach that can be applied to linear and non-linear classification problems [4]. These are suitable for learning on a large set of examples and because of that they are commonly used in traffic classification [5,6,7] and anomaly detection systems [8,9,10]. Unlike other classification algorithms, SVMs tend to use all the available features by combining them in a linear way.…”

Section: Support Vectormentioning

confidence: 99%

Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow

Abt

Dietz

Baier

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Network Address Translation (NAT) is a technique commonly employed in today's computer networks. NAT allows multiple devices to hide behind a single IP address. From a network management and security point of view, NAT may not be desirable or permitted as it allows rogue and unattended network access. In order to detect rogue NAT devices, we propose a novel passive remote source NAT detection approach based on behavior statistics derived from NetFlow. Our approach utilizes 9 distinct features that can directly be derived from Net-Flow records. Furthermore, our approach does not require IP address information, but is capable of operating on anonymous identifiers. Hence, our approach is very privacy friendly. Our approach requires only a 120 seconds sample of NetFlow records to detect NAT traffic within the sample with a lower-bound accuracy of 89.35%. Furthermore, our approach is capable of operating in real-time.

show abstract

SAFEM: Scalable analysis of flows with entropic measures and SVM

Cited by 7 publications

References 18 publications

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

A Small Data Approach to Identification of Individuals on the Transport Layer using Statistical Behaviour Templates

Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow

Contact Info

Product

Resources

About