DOI: 10.1145/2020408.2020471

Detecting bots via incremental LS-SVM learning with dynamic feature adaptation

Published: 21 August 2011

Abstract

As botnets continue to proliferate and grow in sophistication, so does the need for more advanced security solutions to effectively detect and defend against such attacks. In particular, botnets such as Conficker have been known to encrypt the communication packets exchanged between bots and their command-and-control server, making it costly for existing botnet detection systems that rely on deep packet inspection (DPI) methods to identify compromised machines. In this paper, we argue that, even in the face of encrypted traffic flows, botnets can still be detected by examining the set of server IP-addresses visited by a client machine in the past. However, there are several challenges that must be addressed. First, the set of server IP-addresses visited by client machines may evolve dynamically. Second, the set of client machines used for training and their class labels may also change over time. To overcome these challenges, this paper presents a novel incremental LS-SVM algorithm that is adaptive to both changes in the feature set and the class labels of training instances. To evaluate the performance of our algorithm, we have performed experiments on two large-scale datasets, including real-time data collected from peering routers at a large Tier-1 ISP. Experimental results showed that the proposed algorithm produces classification accuracy comparable to its batch counterpart, while consuming significantly less computational resources.
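The detection idea in the abstract, as an added worked example that is not the paper's code: a linear-kernel LS-SVM trained on which server IPs each client visited, then updated in place when a previously unseen server IP enters the feature set, and checked against a batch re-solve on the grown feature matrix. It assumes numpy, a regularisation weight of 10, a constructed six-client sample, and a Sherman-Morrison rank-one update of the KKT inverse, which is my choice for the demonstration rather than the paper's own incremental algorithm.

```python
# Added illustration (not the paper's code): linear-kernel LS-SVM over "server
# IPs visited" features; Sherman-Morrison on the KKT inverse is my choice here.
import numpy as np
GAMMA = 10.0  # LS-SVM regularisation weight (assumed value)
# Constructed sample: rows = client machines, columns = server IPs visited (1/0).
X0 = np.array([[1, 1, 0, 0], [1, 1, 0, 1], [1, 1, 1, 0],             # labelled bots
               [0, 0, 1, 1], [0, 1, 1, 1], [0, 0, 0, 1]], dtype=float)  # benign
Y = np.array([1, 1, 1, -1, -1, -1], dtype=float)
NEW_COL = np.array([1, 1, 1, 0, 0, 0], dtype=float)  # newly observed server IP

def lssvm_system(X, y, gamma=GAMMA):
    """KKT system of the LS-SVM dual, A @ [b, alpha] = [0, y], linear kernel."""
    n = X.shape[0]
    A = np.zeros((n + 1, n + 1))
    A[0, 1:] = A[1:, 0] = 1.0
    A[1:, 1:] = X @ X.T + np.eye(n) / gamma
    return A, np.concatenate(([0.0], y))

def solve_batch(X, y, gamma=GAMMA):
    """Batch LS-SVM: invert the KKT matrix once; keep the inverse for updates."""
    A, rhs = lssvm_system(X, y, gamma)
    A_inv = np.linalg.inv(A)
    sol = A_inv @ rhs
    return sol[0], sol[1:], A_inv          # bias, alphas, inverse

def add_feature(A_inv, rhs, new_col):
    """A new server IP adds new_col @ new_col.T to the kernel: a rank-one change
    to A, so Sherman-Morrison refreshes A_inv in O(n^2) without re-inverting."""
    u = np.concatenate(([0.0], new_col))   # bias row/column is unaffected
    Au = A_inv @ u
    A_inv = A_inv - np.outer(Au, Au) / (1.0 + u @ Au)  # denominator >= 1 here
    sol = A_inv @ rhs
    return sol[0], sol[1:], A_inv

def updated_model():
    """Train on X0, then absorb NEW_COL incrementally; returns (b, alpha, X1)."""
    _, _, A_inv = solve_batch(X0, Y)
    _, rhs = lssvm_system(X0, Y)
    b, alpha, _ = add_feature(A_inv, rhs, NEW_COL)
    return b, alpha, np.hstack([X0, NEW_COL[:, None]])

def incremental_matches_batch():
    """True if the incremental model equals a batch re-solve on the grown X1."""
    b_inc, a_inc, X1 = updated_model()
    b_bat, a_bat, _ = solve_batch(X1, Y)
    return bool(np.isclose(b_inc, b_bat) and np.allclose(a_inc, a_bat))

def classify(x):
    """Sign of the LS-SVM decision function for one client's visit vector."""
    b, alpha, X1 = updated_model()
    w = X1.T @ alpha                        # linear kernel: explicit weight vector
    return float(np.sign(w @ np.asarray(x, dtype=float) + b))
```

Adding a new training client is the symmetric case (a new row and column bordering the KKT matrix) and is not shown here.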




Published In

KDD '11: Proceedings of the 17th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining
August 2011
1446 pages
ISBN: 9781450308137
DOI: 10.1145/2020408

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. botnet detection
2. online learning
3. support vector machines


Acceptance Rates

Overall Acceptance Rate 1,133 of 8,635 submissions, 13%
