TY - GEN
T1 - C&C session detection using random forest
AU - Lu, Liang
AU - Feng, Yaokai
AU - Sakurai, Kouichi
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/1/5
Y1 - 2017/1/5
N2 - DDoS (Distributed Denial of Service) is one of the most widely used forms of DoS (Denial of Service) attack. It is a distributed attack in which an attacker uses a multitude of compromised computers to attack a single target. The compromised computers that actually execute the attack are collectively called a botnet. To hide their identity, attackers usually control the bots and send them attack commands through a third-party server, known as a C&C (command and control) server. Detecting C&C sessions is therefore strong evidence of a botnet and enables early detection of DDoS attacks, because the C&C connections occur before the attack itself. Network traffic analysis is an effective way to detect C&C sessions, because payload-based detection is easily evaded by encrypting the payload or changing the command code, whereas traffic-level behaviour is hard to disguise. We consider a new feature vector with 55 features and use a random forest algorithm to build the classifier. Random forest is an ensemble of classifiers that copes well with high-dimensional problems; it can also compute the importance of each feature, which helps us identify the key features responsible for detecting C&C sessions. Experimental results show that our approach achieves better performance in C&C session detection.
AB - DDoS (Distributed Denial of Service) is one of the most widely used forms of DoS (Denial of Service) attack. It is a distributed attack in which an attacker uses a multitude of compromised computers to attack a single target. The compromised computers that actually execute the attack are collectively called a botnet. To hide their identity, attackers usually control the bots and send them attack commands through a third-party server, known as a C&C (command and control) server. Detecting C&C sessions is therefore strong evidence of a botnet and enables early detection of DDoS attacks, because the C&C connections occur before the attack itself. Network traffic analysis is an effective way to detect C&C sessions, because payload-based detection is easily evaded by encrypting the payload or changing the command code, whereas traffic-level behaviour is hard to disguise. We consider a new feature vector with 55 features and use a random forest algorithm to build the classifier. Random forest is an ensemble of classifiers that copes well with high-dimensional problems; it can also compute the importance of each feature, which helps us identify the key features responsible for detecting C&C sessions. Experimental results show that our approach achieves better performance in C&C session detection.
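The pipeline the abstract describes (per-session flow features, a random forest vote over bootstrapped trees, and mean-decrease-in-impurity feature importance) is shown below as an added, self-contained illustration; it is not the authors' code and does not reproduce their 55-feature vector. The seven flow features, the synthetic "beacon vs. benign" sessions, and all thresholds are constructed assumptions chosen so the example runs offline in pure Python.

```python
"""Random-forest C&C session classifier with feature importance, pure Python.

Added example for the approach in the abstract (flow features -> random forest
-> per-feature importance). Not the authors' code; the feature set, the
synthetic sessions and the numeric ranges are constructed assumptions.
"""
import random
from collections import Counter

# Assumed per-session flow features (the paper's 55 features are not listed here).
FEATURES = ["duration_s", "bytes_out", "bytes_in", "pkts",
            "mean_iat_s", "iat_jitter", "dst_port"]


def make_sessions(n, seed=7):
    """Constructed sample: C&C beacons are long-lived, small and periodic (low
    inter-arrival jitter); benign sessions are shorter, bulkier and bursty.
    dst_port deliberately overlaps (443 in both classes)."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        if rng.random() < 0.4:  # label 1: C&C beacon
            X.append([rng.uniform(600, 3600), rng.uniform(200, 1500), rng.uniform(100, 800),
                      rng.randint(10, 60), rng.uniform(30, 120), rng.uniform(0.0, 0.1),
                      rng.choice([443, 8080, 6667])])
            y.append(1)
        else:                   # label 0: benign browsing / download
            X.append([rng.uniform(1, 600), rng.uniform(500, 50000), rng.uniform(1000, 2e6),
                      rng.randint(5, 2000), rng.uniform(0.01, 5), rng.uniform(0.3, 3.0),
                      rng.choice([80, 443, 53])])
            y.append(0)
    return X, y


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def majority(labels):
    return Counter(labels).most_common(1)[0][0]


def build_tree(X, y, idx, rng, max_feats, max_depth, importance, depth=0):
    """CART-style tree that tries a random subset of features at each node and
    adds each split's weighted impurity decrease to `importance` (MDI)."""
    labels = [y[i] for i in idx]
    if depth == max_depth or len(set(labels)) == 1:
        return ("leaf", majority(labels))
    parent, best = gini(labels), None
    for f in rng.sample(range(len(FEATURES)), max_feats):
        vals = sorted(set(X[i][f] for i in idx))
        step = max(1, len(vals) // 10)   # decile midpoints keep the search cheap
        for j in range(step, len(vals), step):
            t = (vals[j - 1] + vals[j]) / 2
            left = [i for i in idx if X[i][f] <= t]
            right = [i for i in idx if X[i][f] > t]
            child = (len(left) * gini([y[i] for i in left])
                     + len(right) * gini([y[i] for i in right])) / len(idx)
            gain = parent - child
            if best is None or gain > best[0]:
                best = (gain, f, t, left, right)
    if best is None or best[0] <= 1e-12:
        return ("leaf", majority(labels))
    gain, f, t, left, right = best
    importance[f] += gain * len(idx)
    return ("node", f, t,
            build_tree(X, y, left, rng, max_feats, max_depth, importance, depth + 1),
            build_tree(X, y, right, rng, max_feats, max_depth, importance, depth + 1))


def predict_tree(tree, x):
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree[1]


class RandomForest:
    def __init__(self, n_trees=25, max_feats=3, max_depth=4, seed=1):
        self.n_trees, self.max_feats, self.max_depth = n_trees, max_feats, max_depth
        self.rng = random.Random(seed)
        self.trees, self.importance = [], [0.0] * len(FEATURES)

    def fit(self, X, y):
        n = len(X)
        for _ in range(self.n_trees):
            boot = [self.rng.randrange(n) for _ in range(n)]  # bootstrap sample
            self.trees.append(build_tree(X, y, boot, self.rng, self.max_feats,
                                         self.max_depth, self.importance))
        total = sum(self.importance) or 1.0
        self.importance = [v / total for v in self.importance]  # normalise to 1
        return self

    def predict(self, x):
        return majority([predict_tree(t, x) for t in self.trees])


def run_experiment(seed=7):
    """Train on 200 constructed sessions, test on 100; return accuracy and the
    features ranked by importance."""
    X, y = make_sessions(300, seed)
    rf = RandomForest(seed=seed).fit(X[:200], y[:200])
    acc = sum(rf.predict(x) == t for x, t in zip(X[200:], y[200:])) / 100
    ranked = sorted(zip(FEATURES, rf.importance), key=lambda p: -p[1])
    return {"accuracy": acc, "importance": ranked}


if __name__ == "__main__":
    r = run_experiment()
    print(f"test accuracy: {r['accuracy']:.2f}")
    for name, imp in r["importance"]:
        print(f"{name:12s} {imp:.3f}")
```

The importance ranking is what a practitioner would read first: on this constructed data the timing and size features (beacon period, jitter, duration, bytes in) dominate while dst_port contributes little, which is the kind of result the abstract refers to when it says feature importance identifies the key features. Because the features are flow-level (sizes, counts, timing), the classifier is unaffected by payload encryption, which is the point the abstract makes about traffic analysis.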
UR - http://www.scopus.com/inward/record.url?scp=85015214206&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85015214206&partnerID=8YFLogxK
U2 - 10.1145/3022227.3022260
DO - 10.1145/3022227.3022260
M3 - Conference contribution
AN - SCOPUS:85015214206
T3 - Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
BT - Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
PB - Association for Computing Machinery, Inc
T2 - 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
Y2 - 5 January 2017 through 7 January 2017
ER -