TY - GEN
T1 - Throwing Darts in the Dark? Detecting Bots with Limited Data using Neural Data Augmentation
AU - Jan, Steve T.K.
AU - Hao, Qingying
AU - Hu, Tianrui
AU - Pu, Jiameng
AU - Oswal, Sonal
AU - Wang, Gang
AU - Viswanath, Bimal
N1 - Funding Information:
ACKNOWLEDGEMENT We thank our shepherd Suman Jana and anonymous reviewers for their constructive feedback. We also thank Harisankar Haridas for discussions on bot behavior. This work was supported by NSF grants CNS-1750101 and CNS-1717028.
Publisher Copyright:
© 2020 IEEE.
PY - 2020/5
Y1 - 2020/5
N2 - Machine learning has been widely applied to building security applications. However, many machine learning models require the continuous supply of representative labeled data for training, which limits the models' usefulness in practice. In this paper, we use bot detection as an example to explore the use of data synthesis to address this problem. We collected the network traffic from 3 online services in three different months within a year (23 million network requests). We develop a stream-based feature encoding scheme to support machine learning models for detecting advanced bots. The key novelty is that our model detects bots with extremely limited labeled data. We propose a data synthesis method to synthesize unseen (or future) bot behavior distributions. The synthesis method is distribution-aware, using two different generators in a Generative Adversarial Network to synthesize data for the clustered regions and the outlier regions in the feature space. We evaluate this idea and show our method can train a model that outperforms existing methods with only 1% of the labeled data. We show that data synthesis also improves the model's sustainability over time and speeds up the retraining. Finally, we compare data synthesis and adversarial retraining and show they can work complementary with each other to improve the model generalizability.
AB - Machine learning has been widely applied to building security applications. However, many machine learning models require the continuous supply of representative labeled data for training, which limits the models' usefulness in practice. In this paper, we use bot detection as an example to explore the use of data synthesis to address this problem. We collected the network traffic from 3 online services in three different months within a year (23 million network requests). We develop a stream-based feature encoding scheme to support machine learning models for detecting advanced bots. The key novelty is that our model detects bots with extremely limited labeled data. We propose a data synthesis method to synthesize unseen (or future) bot behavior distributions. The synthesis method is distribution-aware, using two different generators in a Generative Adversarial Network to synthesize data for the clustered regions and the outlier regions in the feature space. We evaluate this idea and show our method can train a model that outperforms existing methods with only 1% of the labeled data. We show that data synthesis also improves the model's sustainability over time and speeds up the retraining. Finally, we compare data synthesis and adversarial retraining and show they can work complementary with each other to improve the model generalizability.
UR - https://www.scopus.com/pages/publications/85091560075
UR - https://www.scopus.com/pages/publications/85091560075#tab=citedBy
U2 - 10.1109/SP40000.2020.00079
DO - 10.1109/SP40000.2020.00079
M3 - Conference contribution
AN - SCOPUS:85091560075
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1190
EP - 1206
BT - Proceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 41st IEEE Symposium on Security and Privacy, SP 2020
Y2 - 18 May 2020 through 21 May 2020
ER -