transfer learning approach for botnet detection based on
play

Transfer Learning Approach for Botnet Detection based on Recurrent - PowerPoint PPT Presentation

Nov 03, 2023 •201 likes •423 views

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J.

  1. Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J. Kim, LBNL 1

  2. Introduction • Botnet is one of the most significant threats to the cyber-security • Bot masters hijack other machines, and command to act together to attack more machines • Attack types : DDos, Click-fraud, spamming, crypto-mining • Communication methods : Internet Relay Chat (IRC), peer-to-peer (P2P) and HTTP Ø One of the task of cybersecurity research is to detect botnets 2020 SNTA, 06/02/2020 J. Kim, LBNL 2

  3. Introduction • Existing approaches: signature based and anomaly-based • a) signature-based : detect botnets with a set of rules or signatures • b) anomaly-based methods : detect botnets based on a number of network traffic anomalies such as high network latency, high volumes of traffic and unusual system behavior (Zeidanloo et al. 2010) • Machine learning(ML) methods: Zhao et al. 2013, Venkatesh et al. 2012, Singh et al. 2014, Beigi et al. 2014, Stevanovic et al. 2014 2020 SNTA, 06/02/2020 J. Kim, LBNL 3

  4. Introduction • Supervised learning methods • Promising results with a high degree of accuracy for detecting botnets (Du et al. 2019, Ongun et al. 2019, Singh et al 2014) • Assumes the provision of data labels to classify -> unavailable in practice. • Semi-supervised learning methods • Straightforward to collect • The detection performance: generally much lower than supervised learning techniques • Autoencoders (AEs) (Dargenio et al. 2018) • Variational Autoencoder (VAEs) (An et al. 2015, Nguyen et al. 2019, Nicolau et al. 2018) • One-class support vector machines (OSVMs) (Nicolau et al. 2018) 2020 SNTA, 06/02/2020 J. Kim, LBNL 4

  5. Introduction • Transfer learning methods : utilize labeled data available in another domain (“source domain”) for the domain of interest(“target domain”) • Transfer learning – construct a learning model without the data-labeling effort via knowledge transfer (Pan et al. 2009) • Transfer learning methods in anomaly detection • Andrews et al. 2016 ,Chalapathy et al. 2018, Ide et al. 2017, Xiao et al. 2015 • Focus on text classification, speech recognition, image classification • Transfer learning for botnet detection • Alothman et al. 2018, Bhodia et al. 2019, Jiang et al. 2019, Kumagai et al. 2019, Singla et al. 2019, Stevanovic et al. 2014 • Depend on naive techniques • Calculating similarity or heuristic methods • Most of them require both normal and anomalous instances for source and target domains 2020 SNTA, 06/02/2020 J. Kim, LBNL 5

  6. Contribution • Transfer learning framework which constructs a learning model without the label information in the target domain • Use Recurrent Variational Autoencoder (RVAE) model to obtain anomaly scores • Detect potential botnets in the new network monitoring data set • With the knowledge transferred from the popular dataset, CTU-13, as the source domain 2020 SNTA, 06/02/2020 J. Kim, LBNL 6

  7. Preliminary • Transfer Learning • Classification or regression tasks in one domain of interest • Only have sufficient labeled data in different domains, where the latter data may follow a different data distribution (Pan et al. 2009) • Can be divided into three categories according to source/target domains label existence and the types of tasks • Inductive transfer learning • Transductive transfer learning • Unsupervised transfer learning • Recurrent Variational Autoencoder • Combine seq2seq(RNN-to-RNN structure) with VAE • The methods to use RVAE as botnet detector in (Kim et al. 2020) 2020 SNTA, 06/02/2020 J. Kim, LBNL 7

  8. Related Works • Network IDS methods • Daya et al. 2020, Binkley el al. 2006, Gu et al. 2008, Paxson et al. 1999, Roesch et al. 1999, Zeidanloo et al. 2010 • Use statistical deviations or rules to detect botnet • Cannot detect new botnets • Zeek : popular network IDS, which is a monitoring system for detecting network intruders in real-time • Zeek is not for detecting botnet • ML methods • VAE/AE • Dargenio et al. 2018, Kim et al. 2020, Nguyen et al. 2019, Nicolau et al. 2018 • The methods overlook sequential characteristics within network traffic • RNN • Kim et al. 2020, Ongun et al. 2019, Sinha et al. 2019, Torres et al. 2016 • The method cannot be applied to the online anomaly detection system • Others Random Forest, Neural Network • Du et al. 2019, Ongun et al. 2019, Venkatesh et al. 2012 • Require fully labeled dataset which is hard to obtain due to lack of labeled data on changing network traffic. 2020 SNTA, 06/02/2020 J. Kim, LBNL 8

  9. Related Works • Transfer learning on botnet detection • Alothman 2018, Bhodia et al. 2019, Jiang et al. 2019, Kumagai et al. 2019, Singla et al. 2019, Taheri et al. 2018 • Most depends on naive techniques such as calculating similarity • requires high computation cost • Clustering & naïve rule methods • Jiang et al. 2019 • Neural Network • Bhodia et al. 2019, Singla et al. 2019, Taheri et al. 2018 • Requires labeled dataset for both source and target domains contrary to the proposed method not requiring labeled dataset for a target domain. 2020 SNTA, 06/02/2020 J. Kim, LBNL 9

  10. Proposed Model • Anomaly Detection Method • Use RVAE as an anomaly detector • Input : pre-processed flow-based features • Output : reconstructed input • Training / evaluation method • Train the model with only normal instances RVAE [Kim et al. 2020] • Reconstruction errors of anomalous samples: larger than that of the normal samples • Collect each reconstruction loss, then estimate distribution in the validation phase • Represents collected reconstruction errors from normal and anomalous instances, respectively. • Get two likelihoods for each instance from normal and anomalous distributions in the testing phase • The network traffic flow data can be classified by comparing the two values. 2020 SNTA, 06/02/2020 J. Kim, LBNL 10

  11. Proposed Model • The process of transfer learning 1. Follow the procedure of transfer anomaly detection method (Kumagai et al. 2019) 2. Further develop the method to be trained without label information on the target domain • Hard to obtain labeled data of network traffic data Ø Two cases of training data on botnet detection: labeled dataset on the target domain ( with_label ) and unlabeled dataset on the target domain ( without_label ). • The normal and anomalous instances in a source domain are used for training RVAE in the both methods • After updating parameters of RVAE with the source domain samples, update parameters of RVAE with the target domain samples 2020 SNTA, 06/02/2020 J. Kim, LBNL 11

  12. Proposed Model • Notation used • The objective function of the source domain (Kumagai et al. $ : a set of anomalous instances in • 𝒀 𝒕 2019) : a source domain % : a set of normal instances in a • 𝒀 𝒕 source domain $ : a set of anomalous instances in • 𝒀 𝒖 a target domain % : a set of normal instances in a • 𝒀 𝒖 target domain • D : the number of features • 𝑮 𝜾 : Encoder, 𝑯 𝝔 : Decoder % : the number of instances of $ , 𝑶 𝒕 • 𝑶 𝒕 anomalous and normal on the source domain • 𝔄 : the latent variable 2020 SNTA, 06/02/2020 J. Kim, LBNL 12

  13. Proposed Model • The process of transfer learning • The proposed method can be categorized into two based on whether the labeled dataset on the target domain is necessary or not. • Transfer learning with the unlabeled dataset on the target domain is different from the method with the method using the labeled data set on the target domain regarding that it uses entire instances in the target domain for training. • Only normal instances in the target domain are used for training on with label method • Different objective function of the target domain of the two methods. • In the source domain, the objective functions on both methods are equal to each other 2020 SNTA, 06/02/2020 J. Kim, LBNL 13

  14. Proposed Model 1. Using label information in a target domain ( with_label ) • Use only normal instances for training on a target domain • The objective function for the target domain : 2020 SNTA, 06/02/2020 J. Kim, LBNL 14

  15. Proposed Model 2. Not using label information in a target domain ( without_label ) • Use the entire instances of the dataset for the first several epochs during training on the target domain. • After 𝐹 epochs, we collect instances which show lower reconstruction errors in each mini-batch. • The instances with lower reconstruction errors -> possibly to be normal. • Normal instance selection process a) Sort the instances by the size of reconstruction errors every minibatch. Select an instance of the bottom 𝑠 % of reconstruction errors in minibatch and add b) the portion of instances to the next minibatch training samples. Ø Train the anomaly detector effectively on the target domain without label information via the selecting samples method 2020 SNTA, 06/02/2020 J. Kim, LBNL 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Towards a learning approach for abbreviation detection and resolution Klaar Vanopstal, Bart

Towards a learning approach for abbreviation detection and resolution Klaar Vanopstal, Bart

Background Annotation Pattern-based approach Learning-based approach Conclusions and future work Towards a learning approach for abbreviation detection and resolution Klaar Vanopstal, Bart Desmet, V eronique Hoste LT 3 , Language and

1.42k views • 84 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor:

Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor:

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser Introduction - Botnets Great

748 views • 17 slides
Industrial Transfer Learning Introduction to Industrial Transfer Learning Industrial Transfer

Industrial Transfer Learning Introduction to Industrial Transfer Learning Industrial Transfer

Industrial Transfer Learning Introduction to Industrial Transfer Learning Industrial Transfer Learning Motivation Machine Learning in Manufacturing Decision Support Automation Process Control Self-Optimization Predictive Quality Predictive

742 views • 24 slides
A quantile-based approach for hyperparameter transfer learning David Salinas 2 Huibin Shen 1

A quantile-based approach for hyperparameter transfer learning David Salinas 2 Huibin Shen 1

A quantile-based approach for hyperparameter transfer learning David Salinas 2 Huibin Shen 1 Valerio Perrone 1 1 Amazon Research 2 NAVER LABS Europe, work done at Amazon December 11, 2019 David Salinas, Huibin Shen, Valerio Perrone A

476 views • 8 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
Learning-based Contour Detection & Contour-based Object Detection Iasonas Kokkinos Department

Learning-based Contour Detection & Contour-based Object Detection Iasonas Kokkinos Department

1 Learning-based Contour Detection &

766 views • 64 slides
Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine

Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine

Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine Tuning: how? why? Example Practise: Ants and Bees dataset Caltech 101 dataset Why Transfer Learning? Speedup Training

584 views • 24 slides
W ITH the widespread use of hands-free electronic gad- are mapped to a multilingual set using a

W ITH the widespread use of hands-free electronic gad- are mapped to a multilingual set using a

1 Transfer learning for cross-lingual automatic speech recognition Amit Das Abstract In this study, two instance based transfer learning languages. With this, all language dependent transcriptions can phoneme modeling approaches are

408 views • 5 slides
Projection based transfer learning Christian Poelitz Dortmund Technical University Christian

Projection based transfer learning Christian Poelitz Dortmund Technical University Christian

Projection based transfer learning Christian Poelitz Dortmund Technical University Christian Poelitz Dortmund Technical University Projection based transfer learning Transfer Learning We want to reuse a trained model or information from

158 views • 15 slides
Advertising, Analytics and Tracking Thierry Sans Advertising I have a cool car to sell and

Advertising, Analytics and Tracking Thierry Sans Advertising I have a cool car to sell and

Advertising, Analytics and Tracking Thierry Sans Advertising I have a cool car to sell and Design an ad and give it to me I want people to know about it Advertiser I have a cool website, many viewers, Put this ad on your webpage! and I want

459 views • 23 slides
Combating Click Fraud Using Premium Clicks Sid Stamm , RavenWhite Inc. and Indiana University

Combating Click Fraud Using Premium Clicks Sid Stamm , RavenWhite Inc. and Indiana University

Combating Click Fraud Using Premium Clicks Sid Stamm , RavenWhite Inc. and Indiana University Joint Work With Ari Juels , RSA Laboratories, RSA/EMC Corp Markus Jakobsson , RavenWhite Inc. Research Performed at RavenWhite Inc. 1 Click

600 views • 46 slides
Real-Time Bidding & Behavioral Targeting Weinan Zhang Shanghai Jiao Tong University

Real-Time Bidding & Behavioral Targeting Weinan Zhang Shanghai Jiao Tong University

2019 EE448, Big Data Mining, Lecture 12 Real-Time Bidding & Behavioral Targeting Weinan Zhang Shanghai Jiao Tong University http://wnzhang.net http://wnzhang.net/teaching/ee448/index.html Content of This Course Real-time bidding based

979 views • 69 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West

CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West

CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West | Room: 3002 Overview What are these guys talking about? Main Topics Could we build a botnet from freely available cloud services? Will we

887 views • 39 slides
Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair

Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair

Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair Apache Apex, Architect DataTorrent Apache Big Data Europe, Sevilla, Nov 14 th 2016 Stream Data Processing Real-time Data Delivery Transform /

632 views • 35 slides
Malice on the Internet A Peek into Todays Security Attacks Arvind Krishnamurthy Thursday,

Malice on the Internet A Peek into Todays Security Attacks Arvind Krishnamurthy Thursday,

Malice on the Internet A Peek into Todays Security Attacks Arvind Krishnamurthy Thursday, November 4, 2010 Bit of History: Morris Worm Worm was released in 1988 by Robert Morris Graduate student at Cornell, son of NSA scientist

926 views • 89 slides
HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers

HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers

HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers sound (volume) is un -muted ( icon) We recommend using headphones for better sound quality INTRODUCTION NAU MAI HAERE MAI Francesca Ephraim

359 views • 24 slides

More recommend