Real-time botnet detection using nonnegative tucker decomposition

Hideaki Kanehara, Takeshi Takahashi, Yuma Murakami, Daisuke Inoue, Jumpei Shimamura, Noboru Murata

Research output: Contribution to conference › Paper

Abstract

This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.

Original language: English
Pages: 1337-1344
Number of pages: 8
DOI: https://doi.org/10.1145/3297280.3297415
Publication status: Published - 2019 Jan 1
Event: 34th Annual ACM Symposium on Applied Computing, SAC 2019 - Limassol, Cyprus
Duration: 2019 Apr 8 to 2019 Apr 12

Conference

Conference: 34th Annual ACM Symposium on Applied Computing, SAC 2019
Country: Cyprus
City: Limassol
Period: 19/4/8 to 19/4/12

Fingerprint

Factorization
Decomposition
Tensors
Botnet
Data storage equipment
Costs

Keywords

  • Botnet Detection
  • Darknet Analysis
  • Group Activity Detection
  • Real-Time Analysis
  • Tensor Factorization

ASJC Scopus subject areas

  • Software

Cite this

Kanehara, H., Takahashi, T., Murakami, Y., Inoue, D., Shimamura, J., & Murata, N. (2019). Real-time botnet detection using nonnegative tucker decomposition. 1337-1344. Paper presented at 34th Annual ACM Symposium on Applied Computing, SAC 2019, Limassol, Cyprus. https://doi.org/10.1145/3297280.3297415

