A New C&C Channel Detection Framework Using Heuristic Rule and Transfer Learning

Bibliographic Details
Published in: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC), pp. 1 - 9
Main Authors: Jiang, Jianguo; Yin, Qilei; Shi, Zhixin; Li, Meimei; Lv, Bin
Format: Conference Proceeding
Language: English
Published: IEEE, 01.10.2019
Summary: A great many botnet detection methods focus on recognizing the significant C&C channels. Most of them require a C&C training set to build a behavior detection model. However, when such a training set is lacking for new or unknown botnets, these methods may become inefficient or even invalid. To overcome this, we propose a new general framework for C&C channel detection. It neither requires us to know the bot families or prepare a training set, nor requires deploying malicious activity monitors. It is also capable of mining useful knowledge from historical datasets to boost its detection performance. In our framework, we put forward a clustering method and several heuristic rules to aggregate and label partial C&C traffic, a sample selection function to mine useful historical knowledge, and a transfer learning based model to find the remaining C&C channels. We evaluated our framework on two datasets and achieved the best C&C F-measure of about 0.886 and 0.960 respectively. Moreover, the comparison results further indicate its performance advantage and better behavior learning ability.
ISSN: 2374-9628
DOI: 10.1109/IPCCC47392.2019.8958732