Joseph Ghafari

1. Artificial Neural Networks for Botnet detection Joseph Ghafari Stéphane Sénécal, Emmanuel Herbert

2. Figures Botnets Neurons Results Conclusion

3. Figures Botnets Neurons Results Conclusion

4. Facts & Figures about Botnets Figures 88% of all spam Botnets Neurons Results Conclusion 77 spam / min / bot! (200B spam / day)

5. Facts & Figures about Botnets Figures 150,000 bots / day Botnets Neurons Results Conclusion Bredolab: 30M bots

6. Financial impact Figures 6 banksrobbed Botnets Neurons 200 accountshacked Results Conclusion $ 4,7M stolen

7. Financial impact Figures 140 M clicks / day Botnets Neurons Results Conclusion $ 900 K / day

8. Figures Botnets Neurons Results Conclusion

9. Bot - Infection Figures Botnets Neurons Results Conclusion

10. Bot – Propagation Figures Botnets Neurons Results Conclusion

11. Bot – Propagation Figures Botnets Neurons Results Conclusion 24h 340,000 infections

12. Botnets - Etymologie Figures Botnets C&C Neurons Results Conclusion

13. Botnets – Clients Figures Botnets C&C Neurons Results Conclusion

14. Botnets – DDoSAttacks Figures Botnets ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Neurons Results Conclusion

15. Botnets – DDoSAttacks Figures Botnets Neurons Results Conclusion

16. Notions - Internet Figures Botnets 47.12.101.3 12.1.40.8 Neurons Results Conclusion 116.4.92.50 31.28.150.102

17. Notions - Internet Figures Botnets bbc.co.uk www.emn.fr Neurons Results Conclusion www.google.com www.orange.fr

18. DNS – How itworks Figures Botnets www.emn.fr Où se trouve www.emn.fr ? 12.1.40.8 12.1.40.8 Neurons Results Conclusion

19. Botnets & DNS Figures Botnets www.todaysfutbol.com 40.101.12.3 40.101.12.3 C&C Neurons Où se trouve www.todaysfutbol.com ? Results Conclusion DNS

20. DNS Data Figures Botnets R DNS Q Neurons Results Conclusion

21. Problem Figures Botnets Botnet ? Neurons Results Conclusion

22. Aim Figures Botnets Légitime Botnet Neurons Results Conclusion

23. Figures Botnets Neurons Results Conclusion

24. A neuron Figures Botnets Neurons Results Conclusion

25. The artificialneuron Figures Botnets Neurons Results Conclusion

26. Neural network Figures Botnets Neurons Results Conclusion

27. Artificial neural network Figures Botnets Neurons Results Conclusion

28. Artificial neural network Figures Botnets Neurons Normal Botnet Results Conclusion

29. Multi-Layer Perceptron (MLP) Figures Botnets Neurons Results Conclusion

30. Multi-Layer Perceptron (MLP) Figures Botnets Neurons Results Conclusion

31. MLP – Step 1 Figures Propagation Botnets Neurons Results Conclusion

32. MLP – Step 2 Figures Computing the error Botnets Neurons Results Conclusion

33. MLP – Step 3 Figures Error Back-propagation Botnets Neurons Results Conclusion

34. Extreme Learning Machine (ELM) Figures Botnets Neurons Results Conclusion

35. Extreme Learning Machine (ELM) Figures Botnets Neurons Results Conclusion

36. ELM – Step 1 Figures Randomgeneration of and Botnets Neurons Results Conclusion

37. ELM – Phase 2 Figures Propagation Botnets Neurons Results Conclusion

38. ELM – Phase 3 Matrix inversion to determine Figures Botnets Neurons Results Conclusion

39. MLP – ELM Figures ELM MLP Botnets Neurons Learning speed Simple Hyper parameters Deep Learning speed Shalow Results Hyper parameters Understanding Conclusion

40. Figures Botnets Neurons Results Conclusion

41. Procedure Figures Botnets Neurons Results About 10,000 input cases 1 – 1000 neurons 512 featurecombinationstested 2/3 learning set 1/3 validation set Conclusion

42. Results – Optimal feature set Figures Botnets Neurons Results Hour of the query TTL (Time To Live) Errorsduringqueryprocess Conclusion

43. Results – Confusion Matrix Figures Botnets Neurons Results Expected Legitimate Botnet Predicted Legitimate 1719 155 1874 25 1660 1685 Botnet 1744 1815 3559 Conclusion

44. Results – Measures Figures Botnets Neurons Results Accuracy = 94,94 % (Error rate = 5,06 %) False Negatives = 1,4 % (0,7 % total) Precision = 0,92 Recall = 0,99 False Positives = 8,5 % (4,36 % total) Averagelearning speed Equivalent learning speed for MLP Conclusion

45. Figures Botnets Neurons Results Conclusion

46. Conclusion Figures Botnets Fast learning Neurons Results Conclusion Online/Batch possible Good performances Not enough data Highlyheterogeneous data

47. Whatnow … Figures Botnets Gather more data Neurons Results Conclusion Use the lists instead of statistical values for distributions Take advantage of non numeric data (IP address, Query ID, …)

48. Figures Botnets Neurons Results Conclusion