Real-time botnet detection using nonnegative tucker decomposition

Hideaki Kanehara; Takeshi Takahashi; Yuma Murakami; Daisuke Inoue; Jumpei Shimamura; Noboru Murata

doi:10.1145/3297280.3297415

Real-time botnet detection using nonnegative tucker decomposition

Hideaki Kanehara, Takeshi Takahashi, Yuma Murakami, Daisuke Inoue, Jumpei Shimamura, Noboru Murata

School of Advanced Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

Abstract

This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.

Original language	English
Title of host publication	Proceedings of the ACM Symposium on Applied Computing
Publisher	Association for Computing Machinery
Pages	1337-1344
Number of pages	8
ISBN (Print)	9781450359337
DOIs	https://doi.org/10.1145/3297280.3297415
Publication status	Published - 2019
Event	34th Annual ACM Symposium on Applied Computing, SAC 2019 - Limassol, Cyprus Duration: 2019 Apr 8 → 2019 Apr 12

Publication series

Name	Proceedings of the ACM Symposium on Applied Computing
Volume	Part F147772

Conference

Conference	34th Annual ACM Symposium on Applied Computing, SAC 2019
Country/Territory	Cyprus
City	Limassol
Period	19/4/8 → 19/4/12

Keywords

Botnet Detection
Darknet Analysis
Group Activity Detection
Real-Time Analysis
Tensor Factorization

ASJC Scopus subject areas

Software

Access to Document

10.1145/3297280.3297415

Cite this

Kanehara, H., Takahashi, T., Murakami, Y., Inoue, D., Shimamura, J., & Murata, N. (2019). Real-time botnet detection using nonnegative tucker decomposition. In Proceedings of the ACM Symposium on Applied Computing (pp. 1337-1344). (Proceedings of the ACM Symposium on Applied Computing; Vol. Part F147772). Association for Computing Machinery. https://doi.org/10.1145/3297280.3297415

Real-time botnet detection using nonnegative tucker decomposition. / Kanehara, Hideaki; Takahashi, Takeshi; Murakami, Yuma et al.
Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery, 2019. p. 1337-1344 (Proceedings of the ACM Symposium on Applied Computing; Vol. Part F147772).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kanehara, H, Takahashi, T, Murakami, Y, Inoue, D, Shimamura, J & Murata, N 2019, Real-time botnet detection using nonnegative tucker decomposition. in Proceedings of the ACM Symposium on Applied Computing. Proceedings of the ACM Symposium on Applied Computing, vol. Part F147772, Association for Computing Machinery, pp. 1337-1344, 34th Annual ACM Symposium on Applied Computing, SAC 2019, Limassol, Cyprus, 19/4/8. https://doi.org/10.1145/3297280.3297415

@inproceedings{9ee13556dbba42309c186db57c08a0aa,

title = "Real-time botnet detection using nonnegative tucker decomposition",

abstract = "This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.",

keywords = "Botnet Detection, Darknet Analysis, Group Activity Detection, Real-Time Analysis, Tensor Factorization",

author = "Hideaki Kanehara and Takeshi Takahashi and Yuma Murakami and Daisuke Inoue and Jumpei Shimamura and Noboru Murata",

year = "2019",

doi = "10.1145/3297280.3297415",

language = "English",

isbn = "9781450359337",

series = "Proceedings of the ACM Symposium on Applied Computing",

publisher = "Association for Computing Machinery",

pages = "1337--1344",

booktitle = "Proceedings of the ACM Symposium on Applied Computing",

note = "34th Annual ACM Symposium on Applied Computing, SAC 2019 ; Conference date: 08-04-2019 Through 12-04-2019",

}

TY - GEN

T1 - Real-time botnet detection using nonnegative tucker decomposition

AU - Kanehara, Hideaki

AU - Takahashi, Takeshi

AU - Murakami, Yuma

AU - Inoue, Daisuke

AU - Shimamura, Jumpei

AU - Murata, Noboru

PY - 2019

Y1 - 2019

N2 - This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.

AB - This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.

KW - Botnet Detection

KW - Darknet Analysis

KW - Group Activity Detection

KW - Real-Time Analysis

KW - Tensor Factorization

UR - http://www.scopus.com/inward/record.url?scp=85065669001&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85065669001&partnerID=8YFLogxK

U2 - 10.1145/3297280.3297415

DO - 10.1145/3297280.3297415

M3 - Conference contribution

AN - SCOPUS:85065669001

SN - 9781450359337

T3 - Proceedings of the ACM Symposium on Applied Computing

SP - 1337

EP - 1344

BT - Proceedings of the ACM Symposium on Applied Computing

PB - Association for Computing Machinery

T2 - 34th Annual ACM Symposium on Applied Computing, SAC 2019

Y2 - 8 April 2019 through 12 April 2019

ER -

Real-time botnet detection using nonnegative tucker decomposition

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this