
Machine learning based botnet detection with dynamic adaptation

  • US 8,402,543 B1
  • Filed: 03/25/2011
  • Issued: 03/19/2013
  • Est. Priority Date: 03/25/2011
  • Status: Active Grant
First Claim

1. A method for botnet detection in a network, comprising:

  • extracting, by a processor of a computer system and from first network traffic data exchanged between a malicious client and a plurality of servers in the network, a malicious data instance comprising a first plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the malicious client and a first corresponding server in the first network traffic data;

  • extracting, by the processor and from second network traffic data exchanged between a non-malicious client and the plurality of servers, a non-malicious data instance comprising a second plurality of features, corresponding to the plurality of servers, each representing the measure of communication activity between the non-malicious client and a second corresponding server in the second network traffic data;

  • including the malicious data instance and the non-malicious data instance in a training data set comprising a plurality of malicious data instances and non-malicious data instances, wherein each data instance of the plurality of malicious data instances and non-malicious data instances is associated with one of a plurality of clients comprising the malicious client and the non-malicious client;

  • generating, by the processor and using a pre-determined machine learning algorithm, a classification model based on the training data set, wherein the classification model is adapted to, when applied to one or more malicious data instances, generate a malicious label, wherein the classification model is further adapted to, when applied to one or more non-malicious data instances, generate a non-malicious label;

  • extracting, by the processor and from third network traffic data exchanged between an unclassified client and the plurality of servers, an unclassified data instance comprising a third plurality of features, corresponding to the plurality of servers, each representing a measure of communication activity between the unclassified client and a third corresponding server in the third network traffic data;

  • generating, by the processor, a classification label of the unclassified data instance by applying the classification model to the unclassified data instance, wherein the classification label comprises the malicious label; and

  • identifying, in response to the classification label comprising the malicious label, the unclassified client as associated with a botnet.
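The claim above describes a procedure: build one feature per server for each client (a measure of that client's communication activity with that server), assemble labelled instances into a training set, fit a classifier, and then label previously unseen clients. The following Python script is an added illustration of that procedure and is not code from the patent or its assignee. It assumes a constructed flow log of (client, server) connection records, uses the log-scaled connection count as the "measure of communication activity", and uses a nearest-centroid classifier as the "pre-determined machine learning algorithm"; the patent does not specify which measure or algorithm is used, so both are assumptions made for the example.

```python
"""Per-server communication features and a simple classifier (added example)."""
import math
from collections import Counter, defaultdict

# Constructed flow log: one (client, server) tuple per observed connection.
# These are made-up values for illustration, not captured traffic.
CONSTRUCTED_FLOWS = [
    # Two known-malicious clients: repeated contact with a pair of servers
    *[("10.0.0.5", "srv-cmd1")] * 40, *[("10.0.0.5", "srv-cmd2")] * 35, ("10.0.0.5", "srv-web"),
    *[("10.0.0.6", "srv-cmd1")] * 38, *[("10.0.0.6", "srv-cmd2")] * 30, ("10.0.0.6", "srv-mail"),
    # Two known-benign clients: ordinary web, mail and update traffic
    *[("10.0.0.20", "srv-web")] * 12, *[("10.0.0.20", "srv-mail")] * 6, *[("10.0.0.20", "srv-update")] * 2,
    *[("10.0.0.21", "srv-web")] * 15, *[("10.0.0.21", "srv-mail")] * 4, *[("10.0.0.21", "srv-update")] * 3,
    ("10.0.0.21", "srv-cmd1"),
    # Unclassified clients that the model must label
    *[("10.0.0.77", "srv-cmd1")] * 33, *[("10.0.0.77", "srv-cmd2")] * 29, ("10.0.0.77", "srv-web"),
    *[("10.0.0.78", "srv-web")] * 10, *[("10.0.0.78", "srv-mail")] * 5, ("10.0.0.78", "srv-update"),
]

# Labels for the training clients (constructed ground truth).
KNOWN_LABELS = {
    "10.0.0.5": "malicious", "10.0.0.6": "malicious",
    "10.0.0.20": "non-malicious", "10.0.0.21": "non-malicious",
}


def server_list(flows):
    """The 'plurality of servers': every server seen in the traffic, in a fixed order."""
    return sorted({server for _, server in flows})


def extract_instance(flows, client, servers):
    """Build one data instance for `client`: one feature per server.

    The feature is the log-scaled number of connections from the client to
    that server (assumed measure of communication activity)."""
    counts = Counter(server for c, server in flows if c == client)
    return [math.log1p(counts.get(server, 0)) for server in servers]


def train_centroids(training_set):
    """Generate the classification model from (vector, label) pairs.

    Assumed algorithm: nearest centroid. The model is the mean feature vector
    of each label."""
    sums, n = {}, Counter()
    for vector, label in training_set:
        n[label] += 1
        acc = sums.setdefault(label, [0.0] * len(vector))
        sums[label] = [a + b for a, b in zip(acc, vector)]
    return {label: [x / n[label] for x in total] for label, total in sums.items()}


def classify(model, vector):
    """Apply the model: the label whose centroid is closest in Euclidean distance."""
    distances = {label: math.dist(vector, centroid) for label, centroid in model.items()}
    return min(distances, key=distances.get)


def detect_bots(flows, known_labels):
    """Run the whole procedure and return {unclassified_client: label}."""
    servers = server_list(flows)
    training_set = [(extract_instance(flows, c, servers), label)
                    for c, label in known_labels.items()]
    model = train_centroids(training_set)
    unclassified = sorted({c for c, _ in flows} - set(known_labels))
    return {c: classify(model, extract_instance(flows, c, servers)) for c in unclassified}


if __name__ == "__main__":
    for client, label in detect_bots(CONSTRUCTED_FLOWS, KNOWN_LABELS).items():
        flag = "associated with a botnet" if label == "malicious" else "not flagged"
        print(f"{client}: {label} ({flag})")
```

The feature vector is defined over the same server list for every client, which is what lets one model compare clients at all; a server that only ever appears in the unclassified traffic contributes a feature the training set has no information about, so in practice the server list is fixed when the model is generated and rebuilt when it is regenerated. The title's "dynamic adaptation" is not described in the first claim; in this sketch it would amount to appending newly labelled instances to `training_set` and calling `train_centroids` again.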
