A Graph-Based Machine Learning Approach for Bot Detection
Abbas Abou Daya, Mohammad A. Salahuddin, Noura Limam, and Raouf Boutaba

TL;DR
This paper introduces a two-phase graph-based machine learning system for bot detection that improves accuracy, reduces computational overhead, and effectively detects various bot types, including zero-day attacks, in large-scale networks.
Contribution
It presents a novel two-phased approach that combines unsupervised and supervised ML and leverages communication graphs for improved bot detection.
Findings
Detects multiple bot types with high precision
Robust to zero-day attacks
Suitable for large-scale network data
Abstract
Bot detection using machine learning (ML), with network flow-level features, has been extensively studied in the literature. However, existing flow-based approaches typically incur a high computational overhead and do not completely capture the network communication patterns, which can expose additional aspects of malicious hosts. Recently, bot detection systems which leverage communication graph analysis using ML have gained attention to overcome these limitations. A graph-based approach is rather intuitive, as graphs are true representations of network communications. In this paper, we propose a two-phased, graph-based bot detection system which leverages both unsupervised and supervised ML. The first phase prunes presumably benign hosts, while the second phase achieves bot detection with high precision. Our system detects multiple types of bots and is robust to zero-day attacks. It…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
