Machine learning based botnet detection with dynamic adaptation
First Claim
Patent Images
1. A method for botnet detection in a network, comprising:
- extracting, by a processor of a computer system and from first network traffic data exchanged between a malicious client and a plurality of servers in the network, a malicious data instance comprising a first plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the malicious client and a first corresponding server in the first network traffic data;
extracting, by the processor and from second network traffic data exchanged between a non-malicious client and the plurality of servers, a non-malicious data instance comprising a second plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the non-malicious client and a second corresponding server in the second network traffic data;
including the malicious data instance and the non-malicious data instance in a training data set comprising a plurality of malicious data instances and non-malicious data instances, wherein each data instance of the plurality of malicious data instances and non-malicious data instances is associated with one of a plurality of clients comprising the malicious client and the non-malicious client;
generating, by the processor and using a pre-determined machine learning algorithm, a classification model based on the training data set, wherein the classification model is adapted to, when applied to one or more malicious data instance, generate a malicious label, wherein the classification model is further adapted to, when applied to one or more non-malicious data instance, generate a non-malicious label;
extracting, by the processor and from third network traffic data exchanged between a unclassified client and the plurality of servers, a unclassified data instance comprising a third plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the unclassified client and a third corresponding server in the third network traffic data;
generating, by the processor, a classification label of the unclassified data instance by applying the classification model to the unclassified data instance, wherein the classification label comprises the malicious label; and
identifying, in response to the classification label comprising the malicious label, the unclassified client as associated with a botnet.
2 Assignments
0 Petitions
Accused Products
Abstract
Embodiments of the invention address the problem of detecting bots in network traffic based on a classification model learned during a training phase using machine learning algorithms based on features extracted from network data associated with either known malicious or known non-malicious client and applying the learned classification model to features extracted in real-time from current network data. The features represent communication activities between the known malicious or known non-malicious client and a number of servers in the network.
-
Citations
27 Claims
-
1. A method for botnet detection in a network, comprising:
-
extracting, by a processor of a computer system and from first network traffic data exchanged between a malicious client and a plurality of servers in the network, a malicious data instance comprising a first plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the malicious client and a first corresponding server in the first network traffic data; extracting, by the processor and from second network traffic data exchanged between a non-malicious client and the plurality of servers, a non-malicious data instance comprising a second plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the non-malicious client and a second corresponding server in the second network traffic data; including the malicious data instance and the non-malicious data instance in a training data set comprising a plurality of malicious data instances and non-malicious data instances, wherein each data instance of the plurality of malicious data instances and non-malicious data instances is associated with one of a plurality of clients comprising the malicious client and the non-malicious client; generating, by the processor and using a pre-determined machine learning algorithm, a classification model based on the training data set, wherein the classification model is adapted to, when applied to one or more malicious data instance, generate a malicious label, wherein the classification model is further adapted to, when applied to one or more non-malicious data instance, generate a non-malicious label; extracting, by the processor and from third network traffic data exchanged between a unclassified client and the plurality of servers, a unclassified data instance comprising a third plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the unclassified client and a third corresponding server in the third network traffic data; generating, by the processor, a classification label of the unclassified data instance by applying the classification model to the unclassified data instance, wherein the classification label comprises the malicious label; and identifying, in response to the classification label comprising the malicious label, the unclassified client as associated with a botnet. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 17, 18, 19, 20, 24)
-
-
14. A system for botnet detection in a network, comprising:
-
a hardware processor; a feature extractor executing on the hardware processor and configured to; extract, from first network traffic data exchanged between a malicious client and a plurality of servers in the network, a malicious data instance comprising a first plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the malicious client and a first corresponding server in the first network traffic data; extract, from second network traffic data exchanged between a non-malicious client and the plurality of servers, a non-malicious data instance comprising a second plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the non-malicious client and a second corresponding server in the second network traffic data; include the malicious data instance and the non-malicious data instance in a training data set comprising a plurality of malicious data instances and non-malicious data instances, wherein each data instance of the plurality of malicious data instances and non-malicious data instances is associated with one of a plurality of clients comprising the malicious client and the non-malicious client; and extract, from third network traffic data exchanged between a unclassified client and the plurality of servers, a unclassified data instance comprising a third plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the unclassified client and a third corresponding server in the third network traffic data; a model generator operatively coupled to the feature extractor, executing on the hardware processor, and configured to; generate, using a pre-determined machine learning algorithm, a classification model based on the training data set, wherein the classification model is adapted to, when applied to one or more malicious data instance, generate a malicious label, wherein the classification model is further adapted to, when applied to one or more non-malicious data instance, generate a non-malicious label; an online classifier operatively coupled to the model generator, executing on the hardware processor, and configured to; generate a classification label of the unclassified data instance by applying the classification model to the unclassified data instance, wherein the classification label comprises the malicious label; and identify, in response to the classification label comprising the malicious label, the unclassified client as associated with a botnet; and a repository coupled to the online classifier and configured to store the plurality of malicious data instances and non-malicious data instances, the unclassified data instance, and the classification model. - View Dependent Claims (15, 16, 21, 22, 23, 25, 26)
-
-
27. A non-transitory computer readable medium storing instructions for identifying a botnet in a network, the instructions, when executed by
a processor of a computer, comprising functionality for: -
extracting, from first network traffic data exchanged between a malicious client and a plurality of servers in the network, a malicious data instance comprising a first plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the malicious client and a first corresponding server in the first network traffic data; extracting, from second network traffic data exchanged between a non-malicious client and the plurality of servers, a non-malicious data instance comprising a second plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the non-malicious client and a second corresponding server in the second network traffic data; including the malicious data instance and the non-malicious data instance in a training data set comprising a plurality of malicious data instances and non-malicious data instances, wherein each data instance of the plurality of malicious data instances and non-malicious data instances is associated with one of a plurality of clients comprising the malicious client and the non-malicious client; generating, using a pre-determined machine learning algorithm, a classification model based on the training data set, wherein the classification model is adapted to, when applied to one or more malicious data instance, generate a malicious label, wherein the classification model is further adapted to, when applied to one or more non-malicious data instance, generate a non-malicious label; extracting, from third network traffic data exchanged between a unclassified client and the plurality of servers, a unclassified data instance comprising a third plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the unclassified client and a third corresponding server in the third network traffic data; generating a classification label of the unclassified data instance by applying the classification model to the unclassified data instance, wherein the classification label comprises the malicious label; and identifying, in response to the classification label comprising the malicious label, the unclassified client as associated with a botnet.
-
Specification