Network Security Modeling using NetFlow Data: Detecting Botnet attacks in IP Traffic
Ganesh Subramaniam, Huan Chen, Ravi Varadhan, Robert Archibald

TL;DR
This paper presents a statistical intrusion detection system (SIDS) that uses NetFlow data with statistical and deep learning models to identify botnet command-and-control (C&C) hosts and compromised devices in IP traffic, validating its detections against blacklists.
Contribution
It introduces an approach that combines statistical and deep learning models with interpretative machine learning techniques to detect botnet C&C hosts from NetFlow data and to derive botnet traffic signatures.
Findings
Detection of botnet C&C hosts and compromised devices in IP traffic
Detections validated against blacklists
New features extracted from NetFlow data
Abstract
Cybersecurity, the security monitoring of malicious events in IP traffic, is an important field largely unexplored by statisticians. Computer scientists have made significant contributions in this area, using statistical anomaly detection and other supervised learning methods to detect specific malicious events. In this research, we investigate the detection of botnet command and control (C&C) hosts in massive IP traffic. We use NetFlow data, the industry standard for monitoring IP traffic, for exploratory analysis and for extracting new features. Using statistical as well as deep learning models, we develop a statistical intrusion detection system (SIDS) to predict which traffic traces are associated with malicious attacks. Employing interpretative machine learning techniques, we derive botnet traffic signatures. These models successfully detected botnet C&C hosts and compromised devices. The…
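The abstract describes the pipeline at a high level: per-host features extracted from NetFlow records, a model that flags C&C hosts, and validation of the flagged hosts against blacklists. The example below walks through that pipeline end to end in a small, self-contained form. It is an added illustration, not the paper's code or features: the sample flows, the feature set (distinct sources, flow count, mean bytes, and a beaconing-regularity score computed from inter-flow gaps), the thresholds in `flag_cc_candidates`, and the blacklist are all constructed assumptions chosen to make the mechanics visible. The paper uses statistical and deep learning models rather than fixed thresholds.

```python
"""Added example (not from the paper): per-destination feature extraction from
NetFlow-style records, a threshold rule that flags beacon-like C&C candidates,
and validation of the flagged hosts against a blacklist.  All addresses,
features, thresholds and the blacklist are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical blacklist; 203.0.113.77 never appears in the sample traffic.
BLACKLIST = frozenset({"203.0.113.5", "203.0.113.77"})


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def parse_flows(csv_text: str) -> list:
    """Parse a minimal CSV export of NetFlow records (header: ts,src,dst,dport,proto,packets,bytes)."""
    flows = []
    for line in csv_text.strip().splitlines()[1:]:
        ts, src, dst, dport, proto, pk, by = line.split(",")
        flows.append(Flow(float(ts), src, dst, int(dport), proto, int(pk), int(by)))
    return flows


def build_sample_flows() -> str:
    """Constructed NetFlow-style sample: three internal hosts beacon to a C&C
    server every ~60 s with tiny flows; two hosts browse a legitimate web server
    with irregular timing and sizes; several hosts query DNS at random times."""
    rows = ["ts,src,dst,dport,proto,packets,bytes"]
    for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        for k in range(6):                      # periodic beacons, +-1 s jitter
            rows.append(f"{60 * k + 7 * i + (k % 2)},{src},203.0.113.5,443,tcp,4,{300 + 10 * k}")
    rows += [                                    # legitimate web browsing
        "12,10.0.0.11,198.51.100.20,443,tcp,38,51200",
        "40,10.0.0.11,198.51.100.20,443,tcp,120,188000",
        "101,10.0.0.14,198.51.100.20,443,tcp,22,30100",
        "230,10.0.0.11,198.51.100.20,443,tcp,9,4100",
        "288,10.0.0.14,198.51.100.20,443,tcp,410,905000",
    ]
    dns = [(3, "10.0.0.11"), (5, "10.0.0.14"), (44, "10.0.0.12"), (46, "10.0.0.11"),
           (133, "10.0.0.13"), (190, "10.0.0.11"), (290, "10.0.0.14")]
    for k, (ts, src) in enumerate(dns):          # small flows, irregular timing
        rows.append(f"{ts},{src},10.0.0.53,53,udp,2,{150 + 3 * k}")
    return "\n".join(rows)


def destination_features(flows: list) -> dict:
    """Per (dst, dport): distinct sources, flow count, mean bytes, and beacon_cv,
    the mean coefficient of variation of inter-flow gaps over sources with at
    least three flows (low value = periodic contact; None = too few flows)."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f.dst, f.dport)].append(f)
    feats = {}
    for key, fl in by_dst.items():
        per_src = defaultdict(list)
        for f in fl:
            per_src[f.src].append(f.ts)
        cvs = []
        for ts in per_src.values():
            if len(ts) < 3:
                continue
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            m = mean(gaps)
            cvs.append(pstdev(gaps) / m if m > 0 else float("inf"))
        feats[key] = {
            "n_sources": len(per_src),
            "n_flows": len(fl),
            "mean_bytes": mean(f.bytes for f in fl),
            "beacon_cv": mean(cvs) if cvs else None,
        }
    return feats


def flag_cc_candidates(feats: dict, min_sources=2, max_mean_bytes=1000, max_cv=0.3) -> set:
    """Illustrative rule: several hosts contacting the same destination with
    small, regularly spaced flows.  Thresholds are assumptions, not the paper's."""
    return {dst for (dst, _), f in feats.items()
            if f["n_sources"] >= min_sources and f["mean_bytes"] <= max_mean_bytes
            and f["beacon_cv"] is not None and f["beacon_cv"] <= max_cv}


def validate_against_blacklist(flagged: set, blacklist, observed_hosts: set) -> dict:
    """Score flagged hosts against blacklisted hosts that actually appear in the
    traffic; blacklist entries never observed cannot be detected and are ignored."""
    present = set(blacklist) & observed_hosts
    tp, fp, fn = flagged & present, flagged - present, present - flagged
    return {"tp": sorted(tp), "fp": sorted(fp), "fn": sorted(fn),
            "precision": len(tp) / len(flagged) if flagged else 0.0,
            "recall": len(tp) / len(present) if present else 0.0}


def run_example():
    flows = parse_flows(build_sample_flows())
    feats = destination_features(flows)
    flagged = flag_cc_candidates(feats)
    report = validate_against_blacklist(flagged, BLACKLIST, {f.dst for f in flows})
    return feats, flagged, report


if __name__ == "__main__":
    feats, flagged, report = run_example()
    for key, f in sorted(feats.items()):
        print(key, f)
    print("flagged:", sorted(flagged))
    print("validation:", report)
```

The DNS resolver in the sample is the case a practitioner should watch: it has many sources and small flows, so a rule built only on fan-in and byte counts would flag it; the timing-regularity feature is what separates it from the beaconing C&C host. The validation step also makes explicit that blacklist entries absent from the observed traffic cannot count as misses, a detail that matters when reporting recall against a blacklist much larger than the monitored network.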
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Internet Traffic Analysis and Secure E-voting
