利用卷積特徵屬性和類神經網路偵測殭屍網路

Abstract

殭屍網路(Botnet)是現今一個網路犯罪中的主要威脅之一，經常被用來最為發動分散式阻斷服務攻擊(DDOS)、傳送垃圾郵件、竊取機密資料等惡意行為。檢測殭屍網絡是一個具有挑戰性的問題，因為這些殭屍網絡正在不斷改進以規避檢測。 在本篇論文中，我們提出一種基於機器學習方法的殭屍網絡偵測系統，這個系統可以有效的從網路流量中識別殭屍網絡。我們的方法從網路的流量中提取卷積版本的特徵屬性，並通過使用人工神經網絡來訓練分類模型。而實驗結果也證明了，使用卷積特徵屬性的檢測準確度優於使用傳統特徵屬性的檢測準確度。在已知的P2P殭屍網路數據集上可以達到94.7％的準確率(Accuracy)和2.2％的假陽性率(false positive rate)，此外，我們的系統為增加殭屍網路偵測的準確性使用了額外的信心測試。 信心測試進一步對神經網路信任度不足的網路流量進行再次分類，實驗結果也表明了，信心測試階段檢測精度可提高至98.6％，假陽性率有可以降低至0.5％

Botnet is one of the major threats on the Internet for committing cybercrimes, such as DDoS attacks, stealing sensitive information, spreading spams, etc. It is a challenging issue to detect modern botnets that are continuously improving for evading detection. In this paper, we propose a machine learning based botnet detection system that is shown to be effective in identifying P2P botnets. Our approach extracts convolutional version of effective flow-based features, and trains a classification model by using a feed-forward artificial neural network. The experimental results show that the accuracy of detection using the convolutional features is better than the ones using the traditional features. It can achieve 94.7% of detection accuracy and 2.2% of false positive rate on the known P2P botnet datasets. Furthermore, our system provides an additional confidence testing for enhancing performance of botnet detection. It further classifies the network traffic of insufficient confidence in the neural network. The experiment shows that this stage can increase the detection accuracy up to 98.6% and decrease the false positive rate up to 0.5%