Aug 9, 2019

Tracking Temporal Evolution of Network Activity for Botnet Detection

arXiv:1908.03443v1
21 citations
AI Analysis

This paper addresses the challenge of detecting evolving botnets, but the contribution is incremental: it builds on existing LSTM-based sequence-classification methods rather than introducing a new modelling approach.

The paper tackles botnet detection by tracking each host's network activity over time with an LSTM-based neural network; it reports 96.2% accuracy on the CTU-13 dataset and argues that the approach generalizes across botnet families better than existing methods and is amenable to real-time deployment.

Botnets are becoming increasingly prevalent as the primary enabling technology in a variety of malicious campaigns such as email spam, click fraud, distributed denial-of-service (DDoS) attacks, and cryptocurrency mining. Botnet technology has continued to evolve rapidly, making detection a very challenging problem. There is a fundamental need for robust detection methods that are insensitive to characteristics of a specific botnet and are generalizable across different botnet types. We propose a novel supervised approach to detect malicious botnet hosts by tracking a host's network activity over time using a Long Short-Term Memory (LSTM) based neural network architecture. We build a prototype to demonstrate the feasibility of our approach, evaluate it on the CTU-13 dataset, and compare our performance against existing detection methods. We show that our approach results in a more generalizable, botnet-agnostic detection methodology, is amenable to real-time implementation, and performs well compared to existing approaches, with an overall accuracy score of 96.2%.
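The host-centric, time-ordered input that an LSTM detector of this kind consumes has to be built from flow records first. The following is an added example, not code from the paper or its prototype: it parses CTU-13-style binetflow rows, groups them by source host into fixed-length time windows, and emits one feature vector per window so each host becomes a sequence (empty windows become zero vectors, preserving real temporal spacing). The window length of 30 s, the seven-feature set, the "small flow" packet threshold and the sample records are all assumptions chosen for illustration; the paper's own feature set and window size are not stated on this page.

```python
"""Build per-host temporal feature sequences from CTU-13-style binetflow records.

Added example (not the paper's code). Window length, feature set and the
sample rows below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
import csv
import io

WINDOW_SECONDS = 30      # assumed window length
SMALL_FLOW_PKTS = 4      # heuristic: flows with <= this many packets look like probes/attempts
FEATURE_NAMES = ("n_flows", "n_dst_addr", "n_dst_port", "total_bytes",
                 "mean_dur", "frac_tcp", "frac_small")

# Constructed sample in the CTU-13 binetflow column layout (not real capture data).
SAMPLE_BINETFLOW = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2011/08/10 09:46:53.047277,1.026539,tcp,147.32.84.165,1025,->,1.1.1.1,25,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-Attempt-SPAM
2011/08/10 09:46:53.500000,0.5,tcp,147.32.84.165,1026,->,1.1.1.2,25,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-Attempt-SPAM
2011/08/10 09:47:10.000000,0.4,tcp,147.32.84.165,1027,->,1.1.1.3,25,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-Attempt-SPAM
2011/08/10 09:47:40.000000,0.3,tcp,147.32.84.165,1028,->,1.1.1.4,25,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-Attempt-SPAM
2011/08/10 09:46:55.000000,12.3,tcp,147.32.84.170,49152,->,74.125.232.195,443,SRPA_SPA,0,0,40,30210,4120,flow=From-Normal-V42-Stribrek
2011/08/10 09:47:30.000000,3.0,udp,147.32.84.170,53211,<->,147.32.80.9,53,CON,0,0,2,210,80,flow=From-Normal-V42-Stribrek
2011/08/10 09:46:58.000000,0.2,udp,147.32.84.191,51000,<->,147.32.80.9,53,CON,0,0,2,180,70,flow=From-Normal-V42-Jist
2011/08/10 09:48:05.000000,0.1,udp,147.32.84.191,51001,<->,147.32.80.9,53,CON,0,0,2,180,70,flow=From-Normal-V42-Jist
"""


def parse_binetflow(text):
    """Parse binetflow CSV text into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "t": datetime.strptime(r["StartTime"], "%Y/%m/%d %H:%M:%S.%f"),
            "dur": float(r["Dur"]),
            "proto": r["Proto"],
            "src": r["SrcAddr"],
            "dst": r["DstAddr"],
            "dport": r["Dport"],
            "pkts": int(r["TotPkts"]),
            "bytes": int(r["TotBytes"]),
            "botnet": "Botnet" in r["Label"],   # CTU-13 labels name the botnet class explicitly
        })
    return rows


def window_features(flows):
    """Summarize one host's flows inside one time window as a fixed-length vector."""
    n = len(flows)
    return [
        float(n),
        float(len({f["dst"] for f in flows})),       # distinct destinations (scanning/spam fan-out)
        float(len({f["dport"] for f in flows})),
        float(sum(f["bytes"] for f in flows)),
        sum(f["dur"] for f in flows) / n,
        sum(1 for f in flows if f["proto"] == "tcp") / n,
        sum(1 for f in flows if f["pkts"] <= SMALL_FLOW_PKTS) / n,
    ]


def host_sequences(flows, window_seconds=WINDOW_SECONDS):
    """Return {src_host: (X, label)}.

    X is a list of feature vectors, one per window from the host's first to its
    last active window, with zero vectors for windows in which the host sent
    nothing, so the sequence keeps its real temporal spacing. label is 1 if any
    of the host's flows carries a Botnet label, else 0 (supervised target).
    """
    t0 = min(f["t"] for f in flows)   # one common origin so windows align across hosts
    buckets = defaultdict(lambda: defaultdict(list))
    for f in flows:
        idx = int((f["t"] - t0).total_seconds() // window_seconds)
        buckets[f["src"]][idx].append(f)
    out = {}
    for host, by_idx in buckets.items():
        first, last = min(by_idx), max(by_idx)
        X = [window_features(by_idx[i]) if i in by_idx else [0.0] * len(FEATURE_NAMES)
             for i in range(first, last + 1)]
        label = int(any(f["botnet"] for fl in by_idx.values() for f in fl))
        out[host] = (X, label)
    return out


if __name__ == "__main__":
    for host, (X, label) in host_sequences(parse_binetflow(SAMPLE_BINETFLOW)).items():
        print(host, "label=%d" % label, "windows=%d" % len(X))
        for step, vec in enumerate(X):
            print("  t%d" % step, dict(zip(FEATURE_NAMES, (round(v, 3) for v in vec))))
```

On the constructed sample, the botnet host 147.32.84.165 shows the fan-out pattern an LSTM can learn from the sequence (three distinct mail-server destinations on port 25 within one window, all short four-packet flows), while 147.32.84.191 yields a three-step sequence whose middle step is all zeros because it was silent for a window. A training pipeline would then pad or slice these per-host sequences to a fixed length before feeding them to the network.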
