TY - GEN
T1 - Real-time botnet detection using nonnegative tucker decomposition
AU - Kanehara, Hideaki
AU - Takahashi, Takeshi
AU - Murakami, Yuma
AU - Inoue, Daisuke
AU - Shimamura, Jumpei
AU - Murata, Noboru
PY - 2019
Y1 - 2019
N2 - This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns; it is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from the extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because its non-negativity constraints avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.
KW - Botnet Detection
KW - Darknet Analysis
KW - Group Activity Detection
KW - Real-Time Analysis
KW - Tensor Factorization
UR - http://www.scopus.com/inward/record.url?scp=85065669001&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85065669001&partnerID=8YFLogxK
U2 - 10.1145/3297280.3297415
DO - 10.1145/3297280.3297415
M3 - Conference contribution
AN - SCOPUS:85065669001
SN - 9781450359337
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1337
EP - 1344
BT - Proceedings of the ACM Symposium on Applied Computing
PB - Association for Computing Machinery
T2 - 34th Annual ACM Symposium on Applied Computing, SAC 2019
Y2 - 8 April 2019 through 12 April 2019
ER -