Subspace Clustering for Interpretable Botnet Traffic Analysis

With the growth of the Internet of Things (IoT), massively connected devices are exposed to cyber-attacks and are becoming active as bots. To protect IoT devices efficiently from increasing threats, in addition to honeypot-based approaches, we need to gain a more complete understanding of IoT botnets and their potential victims, including the purposes of attacks and the events they participate in. In this paper, we propose a two-step subspace clustering method to cluster botnets and clarify their types (functionalities). For each target host, the proposed method separates features into several subspaces and generates a sub-label in each subspace to represent a partial characteristic (e.g., low-size flows or high TCP-SYN rate). Major combinations of sub-labels present different partial characteristics, and the proposed method classifies bots and interprets the whole behavior of each bot group. In the evaluation, we reveal the scale and variety of botnets in the wild through two real-world datasets.
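The two-step scheme sketched in the abstract (per-subspace clustering producing a sub-label, then grouping hosts by their sub-label combination) can be illustrated on a small constructed dataset. The following is an added example written for this page, not the paper's own implementation: the subspace names (`flow_size`, `syn_rate`), the feature names, the per-host values, the use of a hand-written 2-means clustering inside each subspace and the "low"/"high" sub-label convention are all assumptions chosen for illustration.

```python
"""Added illustration of two-step subspace clustering (not the paper's code).

Step 1: split each host's feature vector into named subspaces and cluster
        each subspace on its own; the cluster with the smaller centroid
        becomes the "low" sub-label, the other the "high" sub-label.
Step 2: combine the per-subspace sub-labels into a tuple; hosts sharing the
        same combination form one bot group, and the tuple itself is the
        human-readable interpretation of that group.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed subspaces and feature names (constructed for this example).
SUBSPACES: Dict[str, List[str]] = {
    "flow_size": ["mean_bytes_per_flow", "mean_pkts_per_flow"],
    "syn_rate": ["syn_per_sec", "syn_to_ack_ratio"],
}

# Constructed per-host feature rows, not real measurements.
HOSTS: Dict[str, Dict[str, float]] = {
    "h1": {"mean_bytes_per_flow": 60.0, "mean_pkts_per_flow": 1.0,
           "syn_per_sec": 900.0, "syn_to_ack_ratio": 0.98},
    "h2": {"mean_bytes_per_flow": 55.0, "mean_pkts_per_flow": 1.0,
           "syn_per_sec": 850.0, "syn_to_ack_ratio": 0.97},
    "h3": {"mean_bytes_per_flow": 50000.0, "mean_pkts_per_flow": 400.0,
           "syn_per_sec": 0.5, "syn_to_ack_ratio": 0.05},
    "h4": {"mean_bytes_per_flow": 48000.0, "mean_pkts_per_flow": 380.0,
           "syn_per_sec": 0.4, "syn_to_ack_ratio": 0.04},
    "h5": {"mean_bytes_per_flow": 70.0, "mean_pkts_per_flow": 2.0,
           "syn_per_sec": 0.3, "syn_to_ack_ratio": 0.10},
}


def normalize(hosts: Dict[str, Dict[str, float]], features: List[str]) -> Dict[str, List[float]]:
    """Min-max scale each feature across hosts so that no single feature
    (e.g. bytes vs. a ratio) dominates the distance inside a subspace."""
    cols = {}
    for f in features:
        vals = [hosts[h][f] for h in hosts]
        lo, hi = min(vals), max(vals)
        span = (hi - lo) or 1.0          # constant feature: avoid division by zero
        cols[f] = {h: (hosts[h][f] - lo) / span for h in hosts}
    return {h: [cols[f][h] for f in features] for h in hosts}


def sqdist(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def two_means(points: Dict[str, List[float]], max_iter: int = 100) -> Tuple[Dict[str, int], List[List[float]]]:
    """Deterministic k-means with k=2: seeds are the points with the smallest
    and largest coordinate sums, so the result is reproducible."""
    names = list(points)
    centroids = [list(points[min(names, key=lambda n: sum(points[n]))]),
                 list(points[max(names, key=lambda n: sum(points[n]))])]
    assign: Dict[str, int] = {}
    for _ in range(max_iter):
        new = {n: 0 if sqdist(points[n], centroids[0]) <= sqdist(points[n], centroids[1]) else 1
               for n in names}
        if new == assign:
            break
        assign = new
        for k, c in enumerate(centroids):
            members = [points[n] for n in names if assign[n] == k]
            if members:                  # an empty cluster keeps its old centroid
                for d in range(len(c)):
                    c[d] = sum(m[d] for m in members) / len(members)
    return assign, centroids


def sub_labels(hosts: Dict[str, Dict[str, float]], features: List[str]) -> Dict[str, str]:
    """Step 1 for one subspace: cluster, then name the smaller-centroid cluster 'low'."""
    assign, centroids = two_means(normalize(hosts, features))
    low = 0 if sum(centroids[0]) <= sum(centroids[1]) else 1
    return {h: ("low" if k == low else "high") for h, k in assign.items()}


def cluster_bots(hosts: Dict[str, Dict[str, float]],
                 subspaces: Dict[str, List[str]]) -> Dict[Tuple[str, ...], List[str]]:
    """Step 2: combine sub-labels into a tuple per host and group hosts by tuple."""
    per_sub = {name: sub_labels(hosts, feats) for name, feats in subspaces.items()}
    groups: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for h in hosts:
        groups[tuple(per_sub[s][h] for s in subspaces)].append(h)
    return dict(groups)


def describe(combo: Tuple[str, ...], subspaces: Dict[str, List[str]]) -> str:
    """Render a sub-label combination as the group's interpretation."""
    return ", ".join(f"{lab}-{name}" for name, lab in zip(subspaces, combo))


if __name__ == "__main__":
    for combo, members in cluster_bots(HOSTS, SUBSPACES).items():
        print(f"{describe(combo, SUBSPACES):28s} -> {members}")
```

On the constructed rows, hosts h1 and h2 land in the group `low-flow_size, high-syn_rate`, h3 and h4 in `high-flow_size, low-syn_rate`, and h5 alone in `low-flow_size, low-syn_rate`; each group name is directly readable as the partial characteristics the abstract refers to. A real deployment would need more than two clusters per subspace and a domain-chosen feature split, but the interpretation step (the tuple of sub-labels) stays the same.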