research-article

C&C session detection using random forest

Authors:

Liang Lu,

Yaokai Feng,

Kouichi SakuraiAuthors Info & Claims

IMCOM '17: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication

Article No.: 34, Pages 1 - 6

https://doi.org/10.1145/3022227.3022260

Published: 05 January 2017 Publication History

Get Access

Abstract

DDoS (Distributed Denial of Service) attack is one of the most used DoS (Denial of Service) attack. It is a distributed attack in which an attacker uses a multitude of compromised computers to attack a single target. Those compromised computers that actually execute the attack are called botnet. To hide their identity, the attacker usually uses a third-party server to control and send attack command to bots, this kind of server is called C&C (command & control) server. The detection of C&C sessions is a strong proof of botnet detection and early detection of DDoS attacks as C&C connections occur before a DDoS attack. Network traffic analysis is an effective method to detect C&C sessions as it is hard to avoid encrypting the payload or change command code. We consider a new feature vector with 55 features, and use a random forest algorithm to build the classifier. Random forest is an ensemble of classifiers that can deal with high-dimension problems. In fact, it can also calculate the importance of features that will help us find the key features responsible for the detection of C&C sessions. Experimental results show that our approach has better performance on C&C session detection.

References

[1]

"denial of service attack". Retrieved 26 May 2016. DOI=https://www.us-cert.gov/ncas/tips/ST04-015 (accessed 2016/8/20)

Google Scholar

[2]

Millman, Rene. "DDoS attacks on the rise - touching 500gbps". SC Magazine UK. Retrieved 18 May 2016. DOI=http://www.scmagazineuk.com/ddos-attacks-on-the-rise-touching-500gbps/article/467665/(accessed 2016/8/20)

Google Scholar

[3]

Zhao, David, et al. "Botnet detection based on traffic behavior analysis and flow intervals." Computers & Security 39 (2013): 2--16. DOI=http://www.academia.edu/download/44592507/Botnet_detection_based_on_traffic_behavi20160410-32157-baxr0x.pdf (accessed 2016/8/20)

Digital Library

Google Scholar

[4]

Kondo, Satoshi, and Naoshi Sato. "Botnet traffic detection techniques by C&C session classification using SVM." International Workshop on Security. Springer Berlin Heidelberg, 2007. DOI=https://pdfs.semanticscholar.org/9007/6bce9607d0e9a98f705eba1cdb478f2d2ad3.pdf (accessed 2016/8/20)

Digital Library

Google Scholar

[5]

Leonard J, Xu S, Sandhu R. A framework for understanding botnets. In: Proceedings of international conference on availability, reliability and security. IEEE Computer Society; 2009. p. 917e22. DOI=http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.811&rep=rep1&type=pdf (accessed 2016/8/20)

Crossref

Google Scholar

[6]

R Development Core Team 2005. R: A Language and Environment for Statistical Computing. DOI= http://www.r-project.org/ (accessed 2016/8/20)

Google Scholar

[7]

Fortran original by Leo Breiman and Adele Cutler, R port by Andy Liaw and Matthew Wiener 2015.:randomForest package DOI=https://cran.r-project.org/web/packages/randomForest/index.html (accessed 2016/8/20)

Google Scholar

[8]

Kohavi, Ron. "A study of cross-validation and bootstrap for accuracy estimation and model selection." Ijcai. Vol. 14. No. 2. 1995. DOI=https://www.semanticscholar.org/paper/0be0d781305750b37acb35fa187febd8db67bfcc/pdf (accessed 2016/8/20)

Google Scholar

[9]

Yamauchi, Kawamoto. "Evaluation of Machine Learning Techniques for C&C traffic Classification" 56.9 (2015): 1745--1753. DOI=https://ipsj.ixsq.nii.ac.jp/ej/?action=pages_view_main&active_action=repository_view_main_item_detail&item_id=145054&item_no=1&page_id=13&block_id=8 (accessed 2016/8/20)

Google Scholar

[10]

2014(MWS2014) DOI=http://www.iwsec.org/mws/2014/about.html (accessed 2016/8/20)

Google Scholar

[11]

Leo Breiman, Adele Culter. Random Forest.DOI=https://www.stat.berkeley.edu/~breiman/RandomForests/cc_home.htm#varimp (accessed 2016/8/20)

Google Scholar

Cited By

View all

K VKannimoola J(2024)Guarding Against Command and Control (C2) Agents Utilizing Real-World Applications for Communication Channels2024 5th International Conference for Emerging Technology (INCET)10.1109/INCET61516.2024.10593568(1-5)Online publication date: 24-May-2024
https://doi.org/10.1109/INCET61516.2024.10593568
Ali HYas RAbdulameer M(2023)Behavior Analysis of Machine Learning Algorithms for Botnets Detection2023 International Conference on Information Technology, Applied Mathematics and Statistics (ICITAMS)10.1109/ICITAMS57610.2023.10525642(235-241)Online publication date: 20-Mar-2023
https://doi.org/10.1109/ICITAMS57610.2023.10525642
Hossain MIslam M(2023)A novel hybrid feature selection and ensemble-based machine learning approach for botnet detectionScientific Reports10.1038/s41598-023-48230-113:1Online publication date: 1-Dec-2023
https://doi.org/10.1038/s41598-023-48230-1
Show More Cited By

Index Terms

C&C session detection using random forest
1. Security and privacy
  1. Systems security
    1. Denial-of-service attacks

Recommendations

Detecting Webshell Based on Random Forest with FastText
ICCAI '18: Proceedings of the 2018 International Conference on Computing and Artificial Intelligence

Web-based remote access Trojan (or webshell) is a kind of tool for network intrusion, which can be uploaded to a website to access web service management authority. Once attacker injected successfully, it can cause great damage so that it is crucial to ...
Machine Learning Approach for Malware Detection Using Random Forest Classifier on Process List Data Structure
ICISDM '18: Proceedings of the 2nd International Conference on Information System and Data Mining

As computer systems have become an integral part of every organization, it is a big challenge to safeguard the computer systems from malicious activities which compromise not only the systems but also the data stored within. Traditional malware and ...
Enhancing Network Threat Detection with Random Forest-Based NIDS and Permutation Feature Importance
Abstract
Network Intrusion Detection Systems (NIDS) are critical for protecting computer networks from unauthorized activities. Traditional NIDS rely on rule-based signatures, which can be limiting in detecting emerging threats. This study investigates the ...

Comments

Information & Contributors

Information

Published In

IMCOM '17: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication

January 2017

746 pages

ISBN:9781450348881

DOI:10.1145/3022227

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 January 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

IMCOM '17

Sponsor:

SIGAPP

IMCOM '17: The 11th International Conference on Ubiquitous Information Management and Communication

January 5 - 7, 2017

Beppu, Japan

Acceptance Rates

IMCOM '17 Paper Acceptance Rate 113 of 366 submissions, 31%;

Overall Acceptance Rate 213 of 621 submissions, 34%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
293
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)0

Reflects downloads up to 15 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

K VKannimoola J(2024)Guarding Against Command and Control (C2) Agents Utilizing Real-World Applications for Communication Channels2024 5th International Conference for Emerging Technology (INCET)10.1109/INCET61516.2024.10593568(1-5)Online publication date: 24-May-2024
https://doi.org/10.1109/INCET61516.2024.10593568
Ali HYas RAbdulameer M(2023)Behavior Analysis of Machine Learning Algorithms for Botnets Detection2023 International Conference on Information Technology, Applied Mathematics and Statistics (ICITAMS)10.1109/ICITAMS57610.2023.10525642(235-241)Online publication date: 20-Mar-2023
https://doi.org/10.1109/ICITAMS57610.2023.10525642
Hossain MIslam M(2023)A novel hybrid feature selection and ensemble-based machine learning approach for botnet detectionScientific Reports10.1038/s41598-023-48230-113:1Online publication date: 1-Dec-2023
https://doi.org/10.1038/s41598-023-48230-1
Ivanova VTashev TDraganov I(2022)Random Forest Detector and Classifier of Multiple IoT-based DDoS AttacksWSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS10.37394/23209.2022.19.419(30-43)Online publication date: 13-Apr-2022
https://doi.org/10.37394/23209.2022.19.4
Abu Talib MNasir QBou Nassif AMokhamed TAhmed NMahfood B(2022)APT beaconing detection: A systematic reviewComputers & Security10.1016/j.cose.2022.102875122(102875)Online publication date: Nov-2022
https://doi.org/10.1016/j.cose.2022.102875
Aamir MRizvi SHashmani MZubair MUsman J(2021)Machine Learning Classification of Port Scanning and DDoS Attacks: A Comparative AnalysisMehran University Research Journal of Engineering and Technology10.22581/muet1982.2101.1940:1(215-229)Online publication date: 1-Jan-2021
https://doi.org/10.22581/muet1982.2101.19
de Neira AAraujo ANogueira M(2020)Early Botnet Detection for the Internet and the Internet of Things by Autonomous Machine Learning2020 16th International Conference on Mobility, Sensing and Networking (MSN)10.1109/MSN50589.2020.00087(516-523)Online publication date: Dec-2020
https://doi.org/10.1109/MSN50589.2020.00087
Holeňa MPulc PKopp MHoleňa MPulc PKopp M(2020)A Team Is Superior to an IndividualClassification Methods for Internet Applications10.1007/978-3-030-36962-0_6(247-279)Online publication date: 30-Jan-2020
https://doi.org/10.1007/978-3-030-36962-0_6
Rehman Javed AJalil ZAtif Moqurrab SAbbas SLiu X(2020)Ensemble Adaboost classifier for accurate and fast detection of botnet attacks in connected vehiclesTransactions on Emerging Telecommunications Technologies10.1002/ett.408833:10Online publication date: 13-Aug-2020
https://doi.org/10.1002/ett.4088
Huraj LSimon M(2019)Realtime attack environment for DDoS experimentation2019 IEEE 15th International Scientific Conference on Informatics10.1109/Informatics47936.2019.9119271(000113-000118)Online publication date: Nov-2019
https://doi.org/10.1109/Informatics47936.2019.9119271
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Detecting Webshell Based on Random Forest with FastText

Machine Learning Approach for Malware Detection Using Random Forest Classifier on Process List Data Structure

Enhancing Network Threat Detection with Random Forest-Based NIDS and Permutation Feature Importance

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Detecting Webshell Based on Random Forest with FastText

Machine Learning Approach for Malware Detection Using Random Forest Classifier on Process List Data Structure

Enhancing Network Threat Detection with Random Forest-Based NIDS and Permutation Feature Importance

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations