Deep Learning Classification for Encrypted Botnet Traffic: Optimising Model Performance and Resource Utilisation

Carr, Lucas and Chavula, Josiah (2024) Deep Learning Classification for Encrypted Botnet Traffic: Optimising Model Performance and Resource Utilisation, Communications in Computer and Information Science, South African Computer Science and Information Systems Research Trends, 2159, Springer.


Abstract

Detection of malicious traffic on a network is critical to ensuring the safety and security of internet systems. Classical approaches to this task increasingly struggle with modern networking procedures, like encryption. Deep learning (DL) offers an alternative approach to traffic classification problems. We address two major problem classes: (1) botnet detection and (2) botnet family classification. For each problem, we explore five implementations of DL architectures: a multi-layer perceptron (MLP), shallow and deep convolutional neural networks (CNN v1 and CNN v2), an autoencoder (AE) and an autoencoder + convolutional neural network (AE+CNN). Our evaluation of models for each respective problem class is based on the classification performance and computational requirements of each model. We further investigate the effect of training the models on an input with a reduced feature space, where we evaluate the impact this has in terms of a trade-off between computational and classification performance. For botnet detection, we find that all models attain good (≥0.979 accuracy) classification performance on a normal testing set; however, this performance drops fairly substantially when evaluated on a set of unknown botnet families. Furthermore, we observed a clear trend between increased feature space and memory utilisation, while finding no evidence of a trend between inference time and feature space. For botnet classification, we found that models which implement CNN architectures outperform others by a substantial margin (≈6 percentage points). We observe the same trend between feature space and memory utilisation, and the absence of an apparent relationship between feature space and inference time.

Item Type: Journal article (online only)
Uncontrolled Keywords: Deep Learning; Machine Learning; Malware Classification; Malware Detection; Botnets
Subjects: Security and privacy > Intrusion/anomaly detection and malware mitigation > Malware and its mitigation
Security and privacy > Intrusion/anomaly detection and malware mitigation > Intrusion detection systems
Applied computing > Computer forensics > Network forensics
Alternate Locations: https://doi.org/10.1007/978-3-031-64881-6
Date Deposited: 22 Aug 2024 06:01
Last Modified: 22 Aug 2024 06:01
URI: https://pubs.cs.uct.ac.za/id/eprint/1696
