C&C session detection using random forest

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

4 Citations (Scopus)

Abstract

A DDoS (Distributed Denial of Service) attack is one of the most widely used forms of DoS (Denial of Service) attack. It is a distributed attack in which an attacker uses a multitude of compromised computers to attack a single target. The compromised computers that actually execute the attack are called a botnet. To hide their identity, the attacker usually uses a third-party server to control the bots and send them attack commands; this kind of server is called a C&C (command and control) server. Detecting C&C sessions is strong evidence of a botnet and enables early detection of DDoS attacks, since C&C connections occur before the DDoS attack itself. Network traffic analysis is an effective method for detecting C&C sessions, because it is hard to evade by encrypting the payload or changing the command code. We consider a new feature vector with 55 features and use a random forest algorithm to build the classifier. Random forest is an ensemble of classifiers that can handle high-dimensional problems. It can also calculate the importance of each feature, which helps us find the key features responsible for detecting C&C sessions. Experimental results show that our approach performs better on C&C session detection.

Original language: English
Title of host publication: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
Publisher: Association for Computing Machinery, Inc
ISBN (Electronic): 9781450348881
DOIs: 10.1145/3022227.3022260
Publication status: Published - Jan 5 2017
Event: 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017 - Beppu, Japan
Duration: Jan 5 2017 to Jan 7 2017

Publication series

Name: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017

Other

Other: 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
Country: Japan
City: Beppu
Period: 1/5/17 to 1/7/17

Fingerprint

Servers
Classifiers
Telecommunication traffic
Denial-of-service attack
Botnet

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems

Cite this

Lu, L., Feng, Y., & Sakurai, K. (2017). C&C session detection using random forest. In Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017 [34] (Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017). Association for Computing Machinery, Inc. https://doi.org/10.1145/3022227.3022260
