Using entropy of traffic features to identify bot infected hosts
B. Soniya, M. Wilscy
2013 IEEE Recent Advances in Intelligent Computational Systems (RAICS), December 2013. DOI: 10.1109/RAICS.2013.6745439
Botnets are proliferating on the web and are increasingly used by criminals for data theft, denial of service attacks, spamming and other such activities. Several bot detection approaches have been proposed, which can be classified as either host-based or network-based. A hybrid approach which mitigates the disadvantages of these two approaches is proposed here. The proposed method aims to identify bots on a single host by examining the network traffic generated by that host. The detection method is designed for HTTP traffic. Normal HTTP traffic and bot traffic are first characterized using features extracted from network packets. A neural network classifier is trained on these traffic features and later used to classify unlabeled traffic as benign or malicious. A normal traffic profile is first used to filter out packets to commonly accessed destinations, reducing the workload on the classifier. Stealthy bots which communicate at long intervals of up to 32 hours are also detected. 120 bot samples were used to evaluate the system. The experimental results show a high detection rate of 97.4% and a low false positive rate of 2.5%. The performance of the system is compared with several recent bot detection methods.
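The pipeline the abstract describes (build a normal traffic profile, drop packets to commonly accessed destinations, compute per-host traffic features including their entropy, then classify) can be shown on a small constructed log. The block below is an added illustration and is not the authors' code: the record format, the whitelist rule (a destination is "commonly accessed" if at least two clean baseline hosts contact it), the log2 bucketing of inter-request gaps, the hostnames and the final scoring rule are all assumptions made here. The paper trains a neural network on its features; the threshold rule at the end is a stand-in so that the example runs offline and makes the effect of the entropy features visible.

```python
"""Entropy of HTTP traffic features per host, with a whitelist pre-filter.

Added example, not code from the paper. Assumed: the (timestamp, host,
destination, path) record format, the whitelist threshold, the log2 gap
bucketing, the hostnames, and the stand-in scoring rule (the paper uses
a neural network classifier on its features).
"""
from collections import Counter
from math import log2

H = 3600  # seconds per hour

# Constructed baseline traffic from hosts known to be clean; used only to
# learn which destinations are commonly accessed.
BASELINE = [
    (0, "pc-01", "www.example.com", "/"),
    (30, "pc-01", "cdn.example.net", "/app.js"),
    (60, "pc-02", "www.example.com", "/login"),
    (90, "pc-02", "cdn.example.net", "/style.css"),
    (120, "pc-02", "news.example.org", "/top"),
    (150, "pc-01", "news.example.org", "/sports"),
]

# Constructed monitored traffic: pc-10 browses normally, pc-11 beacons to
# one destination with one path roughly every 32 hours (a few seconds of
# jitter) in addition to some ordinary browsing.
MONITORED = [
    (100, "pc-10", "blog.example.io", "/post/1"),
    (200, "pc-10", "www.example.com", "/"),
    (5000, "pc-10", "docs.example.dev", "/api"),
    (9000, "pc-10", "blog.example.io", "/post/7"),
    (9100, "pc-10", "cdn.example.net", "/app.js"),
    (500, "pc-11", "www.example.com", "/"),
] + [
    (i * 32 * H + jitter, "pc-11", "c2.example.test", "/gate.php")
    for i, jitter in enumerate([0, 3, -2, 5, 1, -4, 2, 0, 3, -1])
]


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * log2(c / n) for c in counts.values()) if n else 0.0


def build_normal_profile(baseline, min_hosts=2):
    """Destinations contacted by at least `min_hosts` distinct clean hosts."""
    hosts_per_dst = {}
    for _, host, dst, _ in baseline:
        hosts_per_dst.setdefault(dst, set()).add(host)
    return {d for d, hosts in hosts_per_dst.items() if len(hosts) >= min_hosts}


def interval_bucket(seconds):
    """Coarse log2 bucket of a gap between two requests: a 32 h beacon with
    seconds of jitter stays in one bucket, while clicks and beacons differ."""
    return int(log2(max(seconds, 1)))


def host_features(records, normal_profile):
    """Per host: requests surviving the whitelist filter, and the entropy of
    destination, path and inter-request gap bucket over those requests."""
    by_host = {}
    for ts, host, dst, path in sorted(records):
        if dst in normal_profile:
            continue  # commonly accessed destination: never reaches the classifier
        by_host.setdefault(host, []).append((ts, dst, path))
    feats = {}
    for host, rs in by_host.items():
        gaps = [interval_bucket(b[0] - a[0]) for a, b in zip(rs, rs[1:])]
        feats[host] = {
            "n": len(rs),
            "h_dst": shannon_entropy(r[1] for r in rs),
            "h_path": shannon_entropy(r[2] for r in rs),
            "h_gap": shannon_entropy(gaps),
        }
    return feats


def flag_hosts(feats, min_requests=4, max_entropy=0.5):
    """Stand-in for the paper's neural network (assumption): a host whose
    leftover traffic is repetitive in destination, path and timing is flagged."""
    return {
        host: f["n"] >= min_requests
        and f["h_dst"] < max_entropy
        and f["h_path"] < max_entropy
        and f["h_gap"] < max_entropy
        for host, f in feats.items()
    }


if __name__ == "__main__":
    profile = build_normal_profile(BASELINE)
    feats = host_features(MONITORED, profile)
    for host, f in feats.items():
        print(host, {k: round(v, 3) for k, v in f.items()})
    print(flag_hosts(feats))
```

The observation window matters: a host must be watched for longer than the beacon interval before the gap feature carries any information, which is why a method that claims to catch 32-hour beacons needs per-host state kept across days rather than a short sliding window. In the constructed data the benign host keeps high destination, path and timing entropy after whitelisting, while the beaconing host collapses to zero on all three.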