Botnet detection on flow data using the reconstruction error from Autoencoders trained on Word2Vec network embeddings
Uppsala University, Disciplinary Domain of Science and Technology, Mathematics and Computer Science, Department of Information Technology.
2019 (English). Independent thesis, Advanced level (professional degree), 20 credits / 30 HE credits. Student thesis.
Abstract [en]

Botnet network attacks are a growing issue in network security. These types of attacks consist of compromised devices which are used for malicious activities. Many traditional systems use pre-defined pattern matching methods for detecting network intrusions based on the characteristics of previously seen attacks. This means that previously unseen attacks often go unnoticed, as they do not have the patterns that the traditional systems are looking for. This paper proposes an anomaly detection approach which doesn’t use the characteristics of known attacks in order to detect new ones; instead, it looks for anomalous events which deviate from the normal. The approach uses Word2Vec, a neural network model used in the field of Natural Language Processing, and applies it to NetFlow data in order to produce meaningful representations of network features. These representations, together with statistical features, are then fed into an Autoencoder model which attempts to reconstruct the NetFlow data, where poor reconstructions could indicate anomalous data. The approach was evaluated on multiple different flow-based network datasets, and the results show that the approach has potential for botnet detection, where the reconstructions can be used as metrics for finding botnet events. However, the results vary across datasets, and the approach performs poorly as a botnet detector for some datasets, indicating that further investigation is required before real-world use.

Place, publisher, year, edition, pages
2019. p. 52
Series
UPTEC IT, ISSN 1401-5749 ; 19004
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:uu:diva-393285
OAI: oai:DiVA.org:uu-393285
DiVA, id: diva2:1352441
Educational program
Master of Science Programme in Information Technology Engineering
Supervisors
Examiners
Available from: 2019-09-18. Created: 2019-09-18. Last updated: 2019-09-18. Bibliographically approved.

Open Access in DiVA

fulltext (1397 kB), 24 downloads
File information
File name: FULLTEXT01.pdf
File size: 1397 kB
Checksum (SHA-512):
98b31560c8a1202fda65dc1e036ceaac7b967a44558eb0fad7af5e1721681f92ff4d80793f020e71cb73b999a2e678ec4ccdb828a5485676701df2d3cac61d59
Type: fulltext
Mimetype: application/pdf
