1. 1 Joseph Ghafari Artificial Neural Networks Botnet detection for Stéphane Sénécal, Emmanuel Herbert

2. Figures Botnets Neurons Results Conclusion 2

3. 3 Figures Botnets Neurons Results Conclusion BotBotnetDNS Neural NetworkMLPELM ConfigurationResults ConclusionWhat now … Facts & FiguresFinancial impact

4. 4 Figures Botnets Neurons Results Conclusion

5. Facts & Figures about Botnets 5 Figures Botnets Neurons Results Conclusion 88% of all spam 77 spam / min (200B spam / day) / bot!

6. Facts & Figures about Botnets 6 Figures Botnets Neurons Results Conclusion 150,000 bots / day Bredolab: 30M bots

7. Financial impact 7 Figures Botnets Neurons Results Conclusion 6 banks robbed 200 accounts hacked $ 4,7M stolen

8. Financial impact 8 Figures Botnets Neurons Results Conclusion 140 M clicks / day $ 900 K / day

9. 9 Figures Neurons Results Conclusion Botnets

10. 10 Figures Results Conclusion Neurons Botnets Bot - Infection

11. 11 Figures Results Conclusion Neurons Botnets Bot – Propagation

12. 12 Figures Results Conclusion Neurons Botnets Bot – Propagation 24h340,000 infections

13. 13 Figures Results Conclusion Neurons Botnets Botnets - Etymologie “Bot”“Net” RobotNetwork

14. 14 Figures Results Conclusion Neurons Botnets Botnets - Etymologie C&C

15. 15 Figures Results Conclusion Neurons Botnets Botnets – Control structure C&C

16. 16 Figures Results Conclusion Neurons Botnets Botnets – Clients C&C

17. 17 Figures Results Conclusion Neurons Botnets Botnets – Spam

18. ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 18 Figures Results Conclusion Neurons Botnets Botnets – DDoS Attacks

19. 19 Figures Results Conclusion Neurons Botnets Botnets – DDoS Attacks

20. 20 Figures Results Conclusion Neurons Botnets Botnets – DDoS Attacks

21. 21 Figures Results Conclusion Neurons Botnets Notions - Internet

22. 22 Figures Results Conclusion Neurons Botnets Notions - Internet 47.12.101.3 12.1.40.8 31.28.150.102 116.4.92.50

23. 23 Figures Results Conclusion Neurons Botnets Notions - Internet 47.12.101.3 12.1.40.8 31.28.150.102 116.4.92.50

24. 24 Figures Results Conclusion Neurons Botnets Notions - Internet bbc.co.uk www.emn.fr www.orange.fr www.google.com

25. 25 Figures Results Conclusion Neurons Botnets DNS – How it works www.emn.fr Où se trouve www.emn.fr ? 12.1.40.8

26. 26 Figures Results Conclusion Neurons Botnets Botnets & DNS C&C DNS 40.101.12.3 Où se trouve www.todaysfutbol.com ? 40.101.12.3 www.todaysfutbol.com

27. 27 Figures Results Conclusion Neurons Botnets DNS Data DNS Q R

28. 28 Figures Results Conclusion Neurons Botnets Problem Botnet ?

29. 29 Figures Results Conclusion Neurons Botnets Aim Botnet Légitime

30. 30 Figures Results Conclusion Botnets Neurons

31. 31 Figures Results Conclusion Neurons Botnets A neuron

32. 32 Figures Results Conclusion Neurons Botnets The artificial neuron

33. 33 Figures Results Conclusion Neurons Botnets Neural network

34. 34 Figures Results Conclusion Neurons Botnets Artificial neural network

35. 35 Figures Results Conclusion Neurons Botnets Artificial neural network Botnet Normal

36. 36 Figures Results Conclusion Neurons Botnets Multi-Layer Perceptron (MLP)

37. 37 Figures Results Conclusion Neurons Botnets Multi-Layer Perceptron (MLP)

38. 38 Figures Results Conclusion Neurons Botnets MLP – Step 1 Propagation

39. 39 Figures Results Conclusion Neurons Botnets MLP – Step 2 Computing the error

40. 40 Figures Results Conclusion Neurons Botnets MLP – Step 3 Error Back-propagation

41. 41 Figures Results Conclusion Neurons Botnets MLP – Example

42. 42 Figures Results Conclusion Neurons Botnets Extreme Learning Machine (ELM) Déséquilibre des données Superposition de classes Contrainte Temps réel

43. 43 Figures Results Conclusion Neurons Botnets Extreme Learning Machine (ELM)

44. 44 Figures Results Conclusion Neurons Botnets Extreme Learning Machine (ELM)

45. 45 Figures Results Conclusion Neurons Botnets ELM – Step 1

46. 46 Figures Results Conclusion Neurons Botnets ELM – Phase 2 Propagation

47. 47 Figures Results Conclusion Neurons Botnets ELM – Phase 3

48. 48 Figures Results Conclusion Neurons Botnets ELM – Example

49. 49 Figures Results Conclusion Neurons Botnets MLP – ELM MLP ELM Simple Deep Learning speed Hyper parameters Shalow Hyper parameters Understanding

50. 50 Figures Botnets Results Neurons Conclusion

51. 51 Figures Botnets Results Neurons Conclusion Procedure About 10,000 input cases1 – 1000 neurons512 feature combinations tested 2/3learning set 1/3validation set

52. 52 Figures Botnets Results Neurons Conclusion Results – Optimal feature set Hour of the query TTL (Time To Live) Errors during query process

53. 53 Figures Botnets Results Neurons Conclusion Results – Confusion Matrix Predicted Expected Botnet Legitimate Botnet 1719 251660 1551874 1685 181517443559

54. 54 Figures Botnets Results Neurons Conclusion Results – Measures Precision = 0,92 Recall = 0,99 Accuracy = 94,94 % (Error rate = 5,06 %) False Positives = 8,5 % (4,36 % total) False Negatives = 1,4 % (0,7 % total)

55. 55 Figures Botnets Neurons Conclusion Results

56. 56 Figures Botnets Neurons Conclusion Results Conclusion Fast learning Online/Batch possible Good performances Not enough dataHighly heterogeneous data

57. 57 Figures Botnets Neurons Conclusion Results What now … Gather more data Use the lists instead of statistical values for distributions Take advantage of non numeric data (IP address, Query ID, …)

58. 58 Figures Botnets Neurons Conclusion Results