Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification
- Resource Type
- Periodical
- Authors
- Haddadi, F.; Zincir-Heywood, A.N.
- Source
- IEEE Systems Journal, 10(4):1390-1401, Dec. 2016
- Subject
- Components, Circuits, Devices and Systems
- Computing and Processing
- Protocols
- Feature extraction
- Servers
- IP networks
- Topology
- Malware
- Decision trees
- Botnet
- flow exporters
- protocol filters
- traffic classification
- traffic flow analysis
- Language
- ISSN
- 1932-8184
- 1937-9234
- 2373-7816
Botnets represent one of the most aggressive threats against cyber security. Different techniques using different feature sets have been proposed for botnet traffic analysis and classification. However, no work has been performed to study the effect of such differences. In this paper, we study the effect (if any) of the feature sets produced by network traffic flow exporters. To this end, we explore five different traffic flow exporters (each with a different set of flow features) using two different protocol filters [Hypertext Transfer Protocol (HTTP) and Domain Name System (DNS)] and five different classifiers. We evaluate all of these on eight different botnet traffic data sets. Our results indicate that the choice of flow exporter and protocol filter does have an effect on the performance of botnet traffic classification. Experimental results show that the best performance is achieved using the Tranalyzer flow exporter and the HTTP filter with the C4.5 classifier.