Network Security Modeling using NetFlow Data: Detecting Botnet attacks in IP Traffic
This work addresses cybersecurity monitoring for network administrators by detecting botnet attacks, but it is incremental as it applies existing statistical and deep learning methods to a specific domain.
The researchers tackled the problem of detecting botnet command and control hosts in massive IP traffic by developing a statistical intrusion detection system using NetFlow data, which successfully identified malicious traffic and matched predictions to existing blacklists.
Cybersecurity, security monitoring of malicious events in IP traffic, is an important field largely unexplored by statisticians. Computer scientists have made significant contributions in this area using statistical anomaly detection and other supervised learning methods to detect specific malicious events. In this research, we investigate the detection of botnet command and control (C&C) hosts in massive IP traffic. We use the NetFlow data, the industry standard for monitoring of IP traffic for exploratory analysis and extracting new features. Using statistical as well as deep learning models, we develop a statistical intrusion detection system (SIDS) to predict traffic traces identified with malicious attacks. Employing interpretative machine learning techniques, botnet traffic signatures are derived. These models successfully detected botnet C&C hosts and compromised devices. The results were validated by matching predictions to existing blacklists of published malicious IP addresses.