Identifying malicious botnet traffic using logistic regression

Rohan Bapat; Abhijith Mandya; Xinyang Liu; Brendan Abraham; Donald E. Brown; Hyojung Kang; Malathi Veeraraghavan

doi:10.1109/SIEDS.2018.8374749

Identifying malicious botnet traffic using logistic regression

Rohan Bapat, Abhijith Mandya, Xinyang Liu, Brendan Abraham, Donald E. Brown, Hyojung Kang, Malathi Veeraraghavan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible, using their resources for automated tasks that may cause significant economic and social harm while being hidden to the user and device. Thus, it becomes very difficult to detect such activity. A considerable amount of research has been conducted to detect and prevent botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method to improve network security and reduce human involvement in botnet detection. We focus on identifying the best features to detect botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model responsible for classifying malicious and benign traffic. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).

Original language	English (US)
Title of host publication	2018 Systems and Information Engineering Design Symposium, SIEDS 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	266-271
Number of pages	6
ISBN (Electronic)	9781538663431
DOIs	https://doi.org/10.1109/SIEDS.2018.8374749
State	Published - Jun 6 2018
Externally published	Yes
Event	2018 Systems and Information Engineering Design Symposium, SIEDS 2018 - Charlottesville, United States Duration: Apr 27 2018 → …

Publication series

Name	2018 Systems and Information Engineering Design Symposium, SIEDS 2018

Conference

Conference	2018 Systems and Information Engineering Design Symposium, SIEDS 2018
Country/Territory	United States
City	Charlottesville
Period	4/27/18 → …

Keywords

Botnet Detection
Cyber Security
Logistic Regression
Machine Learning

ASJC Scopus subject areas

Artificial Intelligence
Computer Science Applications
Hardware and Architecture
Information Systems
Information Systems and Management
Control and Systems Engineering

Online availability

10.1109/SIEDS.2018.8374749

Library availability

Discover UIUC Full Text

Cite this

Bapat, R., Mandya, A., Liu, X., Abraham, B., Brown, D. E., Kang, H., & Veeraraghavan, M. (2018). Identifying malicious botnet traffic using logistic regression. In 2018 Systems and Information Engineering Design Symposium, SIEDS 2018 (pp. 266-271). (2018 Systems and Information Engineering Design Symposium, SIEDS 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SIEDS.2018.8374749

Identifying malicious botnet traffic using logistic regression. / Bapat, Rohan; Mandya, Abhijith; Liu, Xinyang et al.
2018 Systems and Information Engineering Design Symposium, SIEDS 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 266-271 (2018 Systems and Information Engineering Design Symposium, SIEDS 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bapat, R, Mandya, A, Liu, X, Abraham, B, Brown, DE, Kang, H & Veeraraghavan, M 2018, Identifying malicious botnet traffic using logistic regression. in 2018 Systems and Information Engineering Design Symposium, SIEDS 2018. 2018 Systems and Information Engineering Design Symposium, SIEDS 2018, Institute of Electrical and Electronics Engineers Inc., pp. 266-271, 2018 Systems and Information Engineering Design Symposium, SIEDS 2018, Charlottesville, United States, 4/27/18. https://doi.org/10.1109/SIEDS.2018.8374749

Bapat R, Mandya A, Liu X, Abraham B, Brown DE, Kang H et al. Identifying malicious botnet traffic using logistic regression. In 2018 Systems and Information Engineering Design Symposium, SIEDS 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 266-271. (2018 Systems and Information Engineering Design Symposium, SIEDS 2018). doi: 10.1109/SIEDS.2018.8374749

@inproceedings{9557d1801b984a3888b1bdd0be6bd656,

title = "Identifying malicious botnet traffic using logistic regression",

abstract = "An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible, using their resources for automated tasks that may cause significant economic and social harm while being hidden to the user and device. Thus, it becomes very difficult to detect such activity. A considerable amount of research has been conducted to detect and prevent botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method to improve network security and reduce human involvement in botnet detection. We focus on identifying the best features to detect botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model responsible for classifying malicious and benign traffic. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).",

keywords = "Botnet Detection, Cyber Security, Logistic Regression, Machine Learning",

author = "Rohan Bapat and Abhijith Mandya and Xinyang Liu and Brendan Abraham and Brown, {Donald E.} and Hyojung Kang and Malathi Veeraraghavan",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 2018 Systems and Information Engineering Design Symposium, SIEDS 2018 ; Conference date: 27-04-2018",

year = "2018",

month = jun,

day = "6",

doi = "10.1109/SIEDS.2018.8374749",

language = "English (US)",

series = "2018 Systems and Information Engineering Design Symposium, SIEDS 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "266--271",

booktitle = "2018 Systems and Information Engineering Design Symposium, SIEDS 2018",

address = "United States",

}

TY - GEN

T1 - Identifying malicious botnet traffic using logistic regression

AU - Bapat, Rohan

AU - Mandya, Abhijith

AU - Liu, Xinyang

AU - Abraham, Brendan

AU - Brown, Donald E.

AU - Kang, Hyojung

AU - Veeraraghavan, Malathi

PY - 2018/6/6

Y1 - 2018/6/6

N2 - An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible, using their resources for automated tasks that may cause significant economic and social harm while being hidden to the user and device. Thus, it becomes very difficult to detect such activity. A considerable amount of research has been conducted to detect and prevent botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method to improve network security and reduce human involvement in botnet detection. We focus on identifying the best features to detect botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model responsible for classifying malicious and benign traffic. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).

AB - An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible, using their resources for automated tasks that may cause significant economic and social harm while being hidden to the user and device. Thus, it becomes very difficult to detect such activity. A considerable amount of research has been conducted to detect and prevent botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method to improve network security and reduce human involvement in botnet detection. We focus on identifying the best features to detect botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model responsible for classifying malicious and benign traffic. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).

KW - Botnet Detection

KW - Cyber Security

KW - Logistic Regression

KW - Machine Learning

UR - http://www.scopus.com/inward/record.url?scp=85049352600&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85049352600&partnerID=8YFLogxK

U2 - 10.1109/SIEDS.2018.8374749

DO - 10.1109/SIEDS.2018.8374749

M3 - Conference contribution

AN - SCOPUS:85049352600

T3 - 2018 Systems and Information Engineering Design Symposium, SIEDS 2018

SP - 266

EP - 271

BT - 2018 Systems and Information Engineering Design Symposium, SIEDS 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2018 Systems and Information Engineering Design Symposium, SIEDS 2018

Y2 - 27 April 2018

ER -

Identifying malicious botnet traffic using logistic regression

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this