Artificial Neural Networks for Botnet detection
Joseph Ghafari, Stéphane Sénécal, Emmanuel Herbert
PowerPoint presentation

Outline
Figures: Facts & Figures, Financial impact
Botnets: Bot, Botnet, DNS
Neurons: Neural Network, MLP, ELM
Results: Configuration, Results
Conclusion: Conclusion, What now

Figures

Facts & Figures about Botnets
88% of all spam
77 spam / min / bot (200B spam / day)
150,000 bots / day
Bredolab: 30M bots

Financial impact
6 banks robbed, 200 accounts hacked, $4.7M stolen
140 M clicks / day, $900 K / day

Botnets

Bot - Infection
Bot Propagation: 24h, 340,000 infections
Botnets - Etymology: Bot (Robot) + Net (Network)
Botnets - Etymology: C&C
Botnets - Control structure: C&C
Botnets - Clients: C&C
Botnets - Spam
Botnets - DDoS Attacks
Notions - Internet: IP addresses 47.12.101.3, 12.1.40.8, 31.28.150.102, 116.4.92.50
Notions - Internet: domain names bbc.co.uk, www.emn.fr, www.orange.fr, www.google.com
DNS - How it works: "Where is www.emn.fr?" -> 12.1.40.8
Botnets & DNS: C&C, DNS; "Where is www.todaysfutbol.com?" -> 40.101.12.3
DNS Data: DNS, QR (query / response)
Problem: Botnet?
Aim: Botnet vs Legitimate

Neurons

A neuron
The artificial neuron
Neural network
Artificial neural network: outputs Botnet / Normal
Multi-Layer Perceptron (MLP)
MLP Step 1: Propagation
MLP Step 2: Computing the error
MLP Step 3: Error back-propagation
MLP Example
Extreme Learning Machine (ELM): data imbalance, class overlap, real-time constraint
ELM Step 1
ELM Phase 2: Propagation
ELM Phase 3
ELM Example
MLP vs ELM (comparison slide): Simple, Deep, Learning speed, Hyper parameters, Shallow, Understanding

Results

Procedure
About 10,000 input cases
1 to 1000 neurons
512 feature combinations tested
2/3 learning set, 1/3 validation set

Results - Optimal feature set
Hour of the query
TTL (Time To Live)
Errors during query process

Results - Confusion Matrix

                        Predicted Botnet   Predicted Legitimate   Total
Expected Botnet               1719                 25              1744
Expected Legitimate            155               1660              1815
Total                         1874               1685              3559

Results - Measures
Precision = 0.92
Recall = 0.99
Accuracy = 94.94 % (Error rate = 5.06 %)
False Positives = 8.5 % (4.36 % of the total)
False Negatives = 1.4 % (0.7 % of the total)
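To make the two denominators behind the slide's percentages explicit (the rate relative to one expected class versus the share of all cases), here is an added Python example that is not part of the presentation; it takes the counts from the confusion-matrix slide (TP 1719, FN 25, FP 155, TN 1660, with botnet as the positive class) and also builds a matrix from labelled (expected, predicted) pairs, which the slides do not show.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

BOTNET = "botnet"  # the positive class; anything else is "legitimate"

@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # expected botnet, predicted botnet
    fn: int  # expected botnet, predicted legitimate (a missed bot)
    fp: int  # expected legitimate, predicted botnet (a false alarm)
    tn: int  # expected legitimate, predicted legitimate

    @property
    def total(self) -> int:
        return self.tp + self.fn + self.fp + self.tn

def confusion_from_pairs(pairs: Iterable[Tuple[str, str]]) -> ConfusionMatrix:
    """Count (expected, predicted) label pairs into a ConfusionMatrix."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for expected, predicted in pairs:
        if expected == BOTNET:
            counts["tp" if predicted == BOTNET else "fn"] += 1
        else:
            counts["fp" if predicted == BOTNET else "tn"] += 1
    return ConfusionMatrix(**counts)

def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0  # empty class -> 0, not ZeroDivisionError

def metrics(cm: ConfusionMatrix) -> dict:
    """The measures the slide reports, with each denominator spelled out."""
    positives = cm.tp + cm.fn  # every expected-botnet case
    negatives = cm.fp + cm.tn  # every expected-legitimate case
    return {
        "precision": _ratio(cm.tp, cm.tp + cm.fp),
        "recall": _ratio(cm.tp, positives),
        "accuracy": _ratio(cm.tp + cm.tn, cm.total),
        "error_rate": _ratio(cm.fp + cm.fn, cm.total),
        "fp_rate": _ratio(cm.fp, negatives),  # slide: "False Positives = 8.5 %"
        "fp_share": _ratio(cm.fp, cm.total),  # slide: "(4.36 % total)"
        "fn_rate": _ratio(cm.fn, positives),  # slide: "False Negatives = 1.4 %"
        "fn_share": _ratio(cm.fn, cm.total),  # slide: "(0.7 % total)"
    }

# Counts read from the deck's confusion-matrix slide (3,559 cases in total)
SLIDE_CM = ConfusionMatrix(tp=1719, fn=25, fp=155, tn=1660)

if __name__ == "__main__":
    for name, value in metrics(SLIDE_CM).items():
        print(f"{name:10s} {value:.4f}")
```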

Conclusion

Conclusion
Fast learning
Online/Batch possible
Good performance
Not enough data
Highly heterogeneous data

What now
Gather more data
Use the lists instead of statistical values for distributions
Take advantage of non numeric data (IP address, Query ID, ...)