TACTICAL APPLICATION OF MACHINE LEARNING TECHNIQUES FOR ANALYZING AUDIT RECORD GENERATION AND UTILIZATION SYSTEM (ARGUS) DATA TO DETECT BOTNET TRAFFIC

Authors
Ross, John T., II
Males, Nathaniel J.
Subjects
machine learning
Audit Record Generation and Utilization System
ARGUS
DOD Information Network
DODIN
command and control
C2
Tactics Techniques and Procedures
TTPs
decision tree
random forest
naive Bayes
k-Nearest Neighbor
Support Vector
network flow
network behavior
Python
Scikit learn
Advisors
Wood, Brian P.
Garza, Victor R.
Date of Issue
2021-06
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Advancing botnet threats in cyberspace endanger the security of the Department of Defense (DOD) Information Network (DODIN) and, because of the sheer volume of traffic, have the potential to overwhelm the ability of the Defensive Cyber Forces to provide timely assessments of network flow information. This matters because the DOD relies heavily on the DODIN to command and control forces and achieve strategic objectives. This research assesses the performance of several machine learning algorithms on their ability to detect different types of botnet traffic using labeled ARGUS data. It uses the Bot-IoT dataset, which is composed of ARGUS files that summarize network traffic flows collected during several botnet activities, including operating system fingerprinting, service scanning, data exfiltration, and keylogging. Identifying and categorizing botnet traffic within labeled data is a classification problem, for which supervised learning methods are most appropriate. The algorithms explored are Random Forest, k-Nearest Neighbor, and Support Vector Machine. Classifier performance is assessed from the counts of true positives, true negatives, false positives, and false negatives (the confusion matrix), which are used to calculate accuracy, precision, and recall for each model on each type of botnet traffic. The research demonstrates that the Random Forest model is an effective tool for accurately classifying and detecting botnet traffic.
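The abstract describes two pieces of the pipeline without showing them: turning ARGUS flow records into numeric feature vectors, and scoring a classifier per traffic category from its true/false positive and negative counts. The block below is an added illustration, not code from the thesis or from the Bot-IoT project. The ARGUS records are constructed to look like the comma-separated output of `ra -c ,` with a trailing label column (the column names, addresses and label strings are assumptions for the example), and the classifier itself is omitted so the block runs offline: the labels in `demo()` stand in for the predictions a model such as scikit-learn's `RandomForestClassifier` would produce. Metrics are computed one-vs-rest, which is how a per-category score comes out of a multi-class confusion matrix.

```python
"""Flow-record feature extraction and per-class detection metrics.

Added example, not code from the thesis. ARGUS sample lines below are
constructed; the field layout mimics `ra -c ,` output plus a Label column.
"""
import csv
import io


# Constructed sample records (not rows from the Bot-IoT dataset).
SAMPLE_ARGUS_CSV = """\
StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotPkts,TotBytes,Dur,Label
1526344000.10,tcp,192.168.100.147,42120,192.168.100.3,80,4,240,0.012,Service_Scan
1526344000.11,tcp,192.168.100.147,42121,192.168.100.3,22,4,240,0.011,Service_Scan
1526344001.50,tcp,192.168.100.147,51000,192.168.100.5,445,6,360,0.030,OS_Fingerprint
1526344030.00,tcp,192.168.100.150,38000,192.168.100.3,80,120,9800,2.400,Normal
1526344090.00,tcp,192.168.100.148,40100,203.0.113.9,443,800,900000,60.00,Data_Exfiltration
1526344095.00,udp,192.168.100.149,53000,192.168.100.1,53,2,160,0.002,Normal
"""


def parse_argus_csv(text):
    """Return (X, y): one numeric feature vector and one label per flow record."""
    X, y = [], []
    for row in csv.DictReader(io.StringIO(text)):
        pkts = float(row["TotPkts"])
        byts = float(row["TotBytes"])
        dur = float(row["Dur"])
        X.append([
            1.0 if row["Proto"].lower() == "tcp" else 0.0,  # protocol flag
            float(row["Dport"]),                            # destination port
            pkts,
            byts,
            dur,
            byts / pkts if pkts else 0.0,   # mean bytes per packet
            pkts / dur if dur else pkts,    # packet rate; zero-duration flows are single bursts
        ])
        y.append(row["Label"])
    return X, y


def confusion_counts(y_true, y_pred, label):
    """One-vs-rest TP/TN/FP/FN for a single traffic category."""
    tp = tn = fp = fn = 0
    for t, p in zip(y_true, y_pred):
        if p == label:
            if t == label:
                tp += 1
            else:
                fp += 1
        elif t == label:
            fn += 1
        else:
            tn += 1
    return {"TP": tp, "TN": tn, "FP": fp, "FN": fn}


def per_class_metrics(y_true, y_pred):
    """Accuracy, precision and recall per category, from the one-vs-rest counts.

    Note that one-vs-rest accuracy is dominated by TN for a rare category, so
    precision and recall are the informative numbers for a detector.
    """
    if len(y_true) != len(y_pred):
        raise ValueError("label lists differ in length")
    out = {}
    for label in sorted(set(y_true) | set(y_pred)):
        c = confusion_counts(y_true, y_pred, label)
        total = c["TP"] + c["TN"] + c["FP"] + c["FN"]
        predicted_pos = c["TP"] + c["FP"]
        actual_pos = c["TP"] + c["FN"]
        out[label] = {
            **c,
            "accuracy": (c["TP"] + c["TN"]) / total,
            "precision": c["TP"] / predicted_pos if predicted_pos else 0.0,
            "recall": c["TP"] / actual_pos if actual_pos else 0.0,
            "support": actual_pos,
        }
    return out


def overall_accuracy(y_true, y_pred):
    """Fraction of flows whose predicted category matches the label."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def demo():
    """Score a constructed set of predictions against the sample labels."""
    _, y_true = parse_argus_csv(SAMPLE_ARGUS_CSV)
    # Constructed predictions standing in for a trained model's output.
    y_pred = ["Service_Scan", "OS_Fingerprint", "OS_Fingerprint",
              "Normal", "Normal", "Normal"]
    return per_class_metrics(y_true, y_pred), overall_accuracy(y_true, y_pred)


if __name__ == "__main__":
    metrics, acc = demo()
    print(f"overall accuracy: {acc:.3f}")
    for label, m in metrics.items():
        print(f"{label:18s} P={m['precision']:.2f} R={m['recall']:.2f} "
              f"TP={m['TP']} FP={m['FP']} FN={m['FN']} TN={m['TN']}")
```

In the constructed run the missed Data_Exfiltration flow shows the reason the abstract reports precision and recall per traffic type rather than one aggregate score: that category's one-vs-rest accuracy is still 5/6 because every other flow counts as a true negative, while its recall is zero.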
Type
Thesis
Department
Information Sciences (IS)
Distribution Statement
Approved for public release. Distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.