Visible to the public Biblio

Found 472 results

Filters: First Letter Of Title is H  [Clear All Filters]
A B C D E F G [H] I J K L M N O P Q R S T U V W X Y Z   [Show ALL]
Lee, Jian-Hsing, Nidhi, Karuna, Hung, Chung-Yu, Liao, Ting-Wei, Liu, Wu-Yang, Su, Hung-Der.  2021.  Hysteresis Effect Induces the Inductor Power Loss of Converter during the Voltage Conversion. 2021 IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits (IPFA). :1–7.
A new methodology to calculate the hysteresis induced power loss of inductor from the measured waveforms of DC-to-DC converter during the voltage conversion is presented. From this study, we find that the duty cycles (D) of the buck and boost converters used till date for inductance current calculation are not exactly equal to VOUT/VIN and 1-VIN/VOUT as the inductance change induced by the hysteresis effect cannot be neglected. Although the increase in the loading currents of the converter increases the remanence magnetization of inductor at the turn-off time (toff), this remanence magnetization is destroyed by the turbulence induced vortex current at the transistor turn-on transient. So, the core power loss of inductor increases with the loading current of the converter and becomes much larger than other power losses and cannot be neglected for the power efficiency calculation during power stage design.
Brighten Godfrey, University of Illions at Urbana-Champagin, Anduo Wang, Temple University, Dong Jin, Illinois Institute of Technology, Jason Croft, University of Illinois at Urbana-Champaign, Matthew Caesar, University of Illinois at Urbana-Champaign.  2015.  A Hypothesis Testing Framework for Network Security.

We rely on network infrastructure to deliver critical services and ensure security. Yet networks today have reached a level of complexity that is far beyond our ability to have confidence in their correct behavior – resulting in significant time investment and security vulnerabilities that can cost millions of dollars, or worse. Motivated by this need for rigorous understanding of complex networks, I will give an overview of our or Science of Security lablet project, A Hypothesis Testing Framework for Network Security.

First, I will discuss the emerging field of network verification, which transforms network security by rigorously checking that intended behavior is correctly realized across the live running network. Our research developed a technique called data plane verification, which has discovered problems in operational environments and can verify hypotheses and security policies with millisecond-level latency in dynamic networks. In just a few years, data plane verification has moved from early research prototypes to production deployment. We have built on this technique to reason about hypotheses even under the temporal uncertainty inherent in a large distributed network. Second, I will discuss a new approach to reasoning about networks as databases that we can query to determine answers to behavioral questions and to actively control the network. This talk will span work by a large group of folks, including Anduo Wang, Wenxu an Zhou, Dong Jin, Jason Croft, Matthew Caesar, Ahmed Khurshid, and Xuan Zou.

Presented at the Illinois ITI Joint Trust and Security/Science of Security Seminar, September 15, 2015.

Nikolai, J., Yong Wang.  2014.  Hypervisor-based cloud intrusion detection system. Computing, Networking and Communications (ICNC), 2014 International Conference on. :989-993.

Shared resources are an essential part of cloud computing. Virtualization and multi-tenancy provide a number of advantages for increasing resource utilization and for providing on demand elasticity. However, these cloud features also raise many security concerns related to cloud computing resources. In this paper, we propose an architecture and approach for leveraging the virtualization technology at the core of cloud computing to perform intrusion detection security using hypervisor performance metrics. Through the use of virtual machine performance metrics gathered from hypervisors, such as packets transmitted/received, block device read/write requests, and CPU utilization, we demonstrate and verify that suspicious activities can be profiled without detailed knowledge of the operating system running within the virtual machines. The proposed hypervisor-based cloud intrusion detection system does not require additional software installed in virtual machines and has many advantages compared to host-based and network based intrusion detection systems which can complement these traditional approaches to intrusion detection.

Lauer, H., Kuntze, N..  2016.  Hypervisor-Based Attestation of Virtual Environments. 2016 Intl IEEE Conferences on Ubiquitous Intelligence Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld). :333–340.
Several years ago, virtualization technologies, hypervisors were rediscovered, today virtualization is used in a variety of applications. Network operators have discovered the cost-effectiveness, flexibility,, scalability of virtualizing network functions (NFV). However, in light of current events, security breaches related to platform software manipulation the use of Trusted Computing technologies has become not only more popular but increasingly viewed as mandatory for adequate system protection. While Trusted Computing hardware for physical platforms is currently available, widely used, analogous support for virtualized environments, virtualized platforms is rare, not suitable for larger scale virtualization scenarios. Current remote, deep attestation protocols for virtual machines can support a limited amount of virtual machines before the inefficient use of the TPM device becomes a crucial bottle neck. We propose a scalable remote attestation scheme suitable for private cloud, NFV use cases supporting large amounts of VM attestations by efficient use of the physical TPM device.
Gary Wang, University of Illinois at Urbana-Champaign, Zachary J. Estrada, University of Illinois at Urbana-Champaign, Cuong Pham, University of Illinois at Urbana-Champaign, Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign, Ravishankar K. Iyer, University of Illinois at Urbana-Champaign.  2014.  Hypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring. 44th International Conference on Dependable Systems and Networks.

Hypervisor activity is designed to be hidden from guest Virtual Machines (VM) as well as external observers. In this paper, we demonstrate that this does not always occur. We present a method by which an external observer can learn sensitive information about hypervisor internals, such as VM scheduling or hypervisor-level monitoring schemes, by observing a VM. We refer to this capability as Hypervisor Introspection (HI).

HI can be viewed as the inverse process of the well-known Virtual Machine Introspection (VMI) technique. VMI is a technique to extract VMs’ internal state from the hypervi- sor, facilitating the implementation of reliability and security monitors[1]. Conversely, HI is a technique that allows VMs to autonomously extract hypervisor information. This capability enables a wide range of attacks, for example, learning a hypervisor’s properties (version, configuration, etc.), defeating hypervisor-level monitoring systems, and compromising the confidentiality of co-resident VMs. This paper focuses on the discovery of a channel to implement HI, and then leveraging that channel for a novel attack against traditional VMI.

In order to perform HI, there must be a method of extracting information from the hypervisor. Since this information is intentionally hidden from a VM, we make use of a side channel. When the hypervisor checks a VM using VMI, VM execution (e.g. network communication between a VM and a remote system) must pause. Therefore, information regarding the hypervisor’s activity can be leaked through this suspension of execution. We call this side channel the VM suspend side channel, illustrated in Fig. 1. As a proof of concept, this paper presents how correlating the results of in-VM micro- benchmarking and out-of-VM reference monitoring can be used to determine when hypervisor-level monitoring tools are vulnerable to attacks.

HeydariGorji, Ali, Rezaei, Siavash, Torabzadehkashi, Mahdi, Bobarshad, Hossein, Alves, Vladimir, Chou, Pai H..  2020.  HyperTune: Dynamic Hyperparameter Tuning for Efficient Distribution of DNN Training Over Heterogeneous Systems. 2020 IEEE/ACM International Conference On Computer Aided Design (ICCAD). :1–8.
Distributed training is a novel approach to accelerating training of Deep Neural Networks (DNN), but common training libraries fall short of addressing the distributed nature of heterogeneous processors or interruption by other workloads on the shared processing nodes. This paper describes distributed training of DNN on computational storage devices (CSD), which are NAND flash-based, high-capacity data storage with internal processing engines. A CSD-based distributed architecture incorporates the advantages of federated learning in terms of performance scalability, resiliency, and data privacy by eliminating the unnecessary data movement between the storage device and the host processor. The paper also describes Stannis, a DNN training framework that improves on the shortcomings of existing distributed training frameworks by dynamically tuning the training hyperparameters in heterogeneous systems to maintain the maximum overall processing speed in term of processed images per second and energy efficiency. Experimental results on image classification training benchmarks show up to 3.1x improvement in performance and 2.45x reduction in energy consumption when using Stannis plus CSD compare to the generic systems.
Bianco, Federica B., Koonin, Steven E., Mydlarz, Charlie, Sharma, Mohit S..  2016.  Hypertemporal Imaging of NYC Grid Dynamics: Short Paper. Proceedings of the 3rd ACM International Conference on Systems for Energy-Efficient Built Environments. :61–64.
Hypertemporal visible imaging of an urban lightscape can reveal the phase of the electrical grid granular to individual housing units. In contrast to in-situ monitoring or metering, this method offers broad, persistent, real-time, and non-permissive coverage through a single camera sited at an urban vantage point. Rapid changes in the phase of individual housing units signal changes in load (e.g., appliances turning on and off), while slower building- or neighborhood-level changes can indicate the health of distribution transformers. We demonstrate the concept by observing the 120 Hz flicker of lights across a NYC skyline. A liquid crystal shutter driven at 119.75 Hz down-converts the flicker to 0.25 Hz, which is imaged at a 4 Hz cadence by an inexpensive CCD camera; the grid phase of each source is determined by analysis of its sinusoidal light curve over an imaging "burst" of some 25 seconds. Analysis of bursts taken at \textbackslashtextasciitilde 15 minute cadence over several hours demonstrates both the stability and variation of phases of halogen, incandescent, and some fluorescent lights. Correlation of such results with ground-truth data will validate a method that could be applied to better monitor electricity consumption and distribution in both developed and developing cities.
Zhan, Ying, Qin, Jin, Huang, Tao, Wu, Kang, Hu, Dan, Zhao, Zhengang, Wang, Yuntao, Cao, Ying, Jiao, RunCheng, Medjadba, Yasmine et al..  2019.  Hyperspectral Image Classification Based on Generative Adversarial Networks with Feature Fusing and Dynamic Neighborhood Voting Mechanism. IGARSS 2019 - 2019 IEEE International Geoscience and Remote Sensing Symposium. :811–814.

Classifying Hyperspectral images with few training samples is a challenging problem. The generative adversarial networks (GAN) are promising techniques to address the problems. GAN constructs an adversarial game between a discriminator and a generator. The generator generates samples that are not distinguishable by the discriminator, and the discriminator determines whether or not a sample is composed of real data. In this paper, by introducing multilayer features fusion in GAN and a dynamic neighborhood voting mechanism, a novel algorithm for HSIs classification based on 1-D GAN was proposed. Extracting and fusing multiple layers features in discriminator, and using a little labeled samples, we fine-tuned a new sample 1-D CNN spectral classifier for HSIs. In order to improve the accuracy of the classification, we proposed a dynamic neighborhood voting mechanism to classify the HSIs with spatial features. The obtained results show that the proposed models provide competitive results compared to the state-of-the-art methods.

Liu, Wenqing, Zhang, Kun, Tu, Bibo, Lin, Kunli.  2019.  HyperPS: A Hypervisor Monitoring Approach Based on Privilege Separation. 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS). :981–988.

In monolithic operating system (OS), any error of system software can be exploit to destroy the whole system. The situation becomes much more severe in cloud environment, when the kernel and the hypervisor share the same address space. The security of guest Virtual Machines (VMs), both sensitive data and vital code, can no longer be guaranteed, once the hypervisor is compromised. Therefore, it is essential to deploy some security approaches to secure VMs, regardless of the hypervisor is safe or not. Some approaches propose microhypervisor reducing attack surface, or a new software requiring a higher privilege level than hypervisor. In this paper, we propose a novel approach, named HyperPS, which separates the fundamental and crucial privilege into a new trusted environment in order to monitor hypervisor. A pivotal condition for HyperPS is that hypervisor must not be allowed to manipulate any security-sensitive system resources, such as page tables, system control registers, interaction between VM and hypervisor as well as VM memory mapping. Besides, HyperPS proposes a trusted environment which does not rely on any higher privilege than the hypervisor. We have implemented a prototype for KVM hypervisor on x86 platform with multiple VMs running Linux. KVM with HyperPS can be applied to current commercial cloud computing industry with portability. The security analysis shows that this approach can provide effective monitoring against attacks, and the performance evaluation confirms the efficiency of HyperPS.

Zhi, Li, Yanzhu, Liu, Di, Liu, Nan, Zhang, Xueying, Ding, Yuanyuan, Liu.  2019.  A Hypergraph-Based Key Management Scheme for Smart Charging Networking. 2019 Chinese Control And Decision Conference (CCDC). :4904–4908.

In this article, to deal with data security requirements of electric vehicle users, a key management scheme for smart charging has been studied. According to the characteristics of the network, three elements and a two-subnetwork model between the charging and the electric vehicle users have been designed. Based on the hypergraph theory, the hypergraph structure of the smart charging network is proposed. And the key management scheme SCHKM is designed to satisfy the operational and security requirements of this structure. The efficiency of SCHKM scheme is analyzed from the cost experiment of key generation and key storage. The experimental results show that compared with the LKH, OFT and GKMP, the proposed key management scheme has obvious advantages in multi-user and key generation cost.

Xi, Bowei, Kamhoua, Charles A..  2020.  A Hypergame‐Based Defense Strategy Toward Cyber Deception in Internet of Battlefield Things (IoBT). Modeling and Design of Secure Internet of Things. :59–77.
In this chapter, we develop a defense strategy to secure Internet of Battlefield Things (IoBT) based on a hypergame employing deceptive techniques. The hypergame is played multiple rounds. At each round, the adversary updates its perception of the attack graph and chooses the next node to compromise. The defender updates its perceived list of compromised nodes and actively feeds false signals to the adversary to create deception. The hypergame developed in this chapter provides an important theoretical framework for us to model how a cyberattack spreads on a network and the interaction between the adversary and the defender. It also provides quantitative metrics such as the time it takes the adversary to explore the network and compromise the target nodes. Based on these metrics, the defender can reboot the network devices and reset the network topology in time to clean up all potentially compromised devices and to protect the critical nodes. The hypergame provides useful guidance on how to create cyber deceptions so that the adversary cannot obtain information about the correct network topology and can be deterred from reaching the target critical nodes on a military network while it is in service.
Ferraiuolo, Andrew, Zhao, Mark, Myers, Andrew C., Suh, G. Edward.  2018.  HyperFlow: A Processor Architecture for Nonmalleable, Timing-Safe Information Flow Security. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :1583-1600.

This paper presents HyperFlow, a processor that enforces secure information flow, including control over timing channels. The design and implementation of HyperFlow offer security assurance because it is implemented using a security-typed hardware description language that enforces secure information flow. Unlike prior processors that aim to enforce simple information-flow policies such as noninterference, HyperFlow allows complex information flow policies that can be configured at run time. Its fine-grained, decentralized information flow mechanisms allow controlled communication among mutually distrusting processes and system calls into different security domains. We address the significant challenges in designing such a processor architecture with contributions in both the hardware architecture and the security type system. The paper discusses the architecture decisions that make the processor secure and describes ChiselFlow, a new secure hardware description language supporting lightweight information-flow enforcement. The HyperFlow architecture is prototyped on a full-featured processor that offers a complete RISC-V instruction set, and is shown to add moderate overhead to area and performance.

Bushouse, Micah, Reeves, Douglas.  2018.  Hyperagents: Migrating Host Agents to the Hypervisor. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. :212–223.

Third-party software daemons called host agents are increasingly responsible for a modern host's security, automation, and monitoring tasks. Because of their location within the host, these agents are at risk of manipulation by malware and users. Additionally, in virtualized environments where multiple adjacent guests each run their own set of agents, the cumulative resources that agents consume adds up rapidly. Consolidating agents onto the hypervisor can address these problems, but places a technical burden on agent developers. This work presents a development methodology to re-engineer a host agent in to a hyperagent, an out-of-guest agent that gains unique hypervisor-based advantages while retaining its original in-guest capabilities. This three-phase methodology makes integrating Virtual Machine Introspection (VMI) functionality in to existing code easier and more accessible, minimizing an agent developer's re-engineering effort. The benefits of hyperagents are illustrated by porting the GRR live forensics agent, which retains 89% of its codebase, uses 40% less memory than its in-guest counterparts, and enables a 4.9x speedup for a representative data-intensive workload. This work shows that a conventional off-the-shelf host agent can be feasibly transformed into a hyperagent and provide a powerful, efficient tool for defending virtualized systems.

Nieto-Chaupis, H..  2020.  Hyper Secure Cognitive Radio Communications in an Internet of Space Things Network Based on the BB84 Protocol. 2020 Intermountain Engineering, Technology and Computing (IETC). :1–5.
Once constellation of satellites are working in a collaborative manner, the security of their messages would have to be highly secure from all angles of scenarios by which the praxis of eavesdropping constitutes a constant thread for the instability of the different tasks and missions. In this paper we employ the Bennet-Brassard commonly known as the BB84 protocol in conjunction to the technique of Cognitive Radio applied to the Internet of Space Things to build a prospective technology to guarantee the communications among geocentric orbital satellites. The simulations have yielded that for a constellation of 5 satellites, the probability of successful of completion the communication might be of order of 75% ±5%.
Khanmohammadi, K., Hamou-Lhadj, A..  2017.  HyDroid: A Hybrid Approach for Generating API Call Traces from Obfuscated Android Applications for Mobile Security. 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS). :168–175.

The growing popularity of Android applications makes them vulnerable to security threats. There exist several studies that focus on the analysis of the behaviour of Android applications to detect the repackaged and malicious ones. These techniques use a variety of features to model the application's behaviour, among which the calls to Android API, made by the application components, are shown to be the most reliable. To generate the APIs that an application calls is not an easy task. This is because most malicious applications are obfuscated and do not come with the source code. This makes the problem of identifying the API methods invoked by an application an interesting research issue. In this paper, we present HyDroid, a hybrid approach that combines static and dynamic analysis to generate API call traces from the execution of an application's services. We focus on services because they contain key characteristics that allure attackers to misuse them. We show that HyDroid can be used to extract API call trace signatures of several malware families.

Benyo, Brett, Clark, Shane, Paulos, Aaron, Pal, Partha.  2018.  HYDRA: Hypothesis Driven Repair Automation. Proceedings of the 13th International Conference on Availability, Reliability and Security. :8:1–8:10.
HYDRA is an automated mechanism to repair code in response to successful attacks. Given a set of malicious inputs that include the attack and a set of benign inputs that do not, along with an ability to test the victim application with these labelled inputs, HYDRA quickly provides rank ordered patches to close the exploited vulnerability. HYDRA also produces human-readable summaries of its findings and repair actions to aid the manual vulnerability mitigation process. We tested HYDRA using 8 zero-days, HYDRA produced patches that stopped the attacks in all 8 cases and preserved application functionality in 7 of the 8 cases.
Kapoor, Mehul, Kaur, Puneet Jai.  2022.  Hybridization of Deep Learning & Machine Learning For IoT Based Intrusion Classification. 2022 International Conference on Breakthrough in Heuristics And Reciprocation of Advanced Technologies (BHARAT). :138—143.
With the rise of IoT applications, about 20.4 billion devices will be online in 2020, and that number will rise to 75 billion a month by 2025. Different sensors in IoT devices let them get and process data remotely and in real time. Sensors give them information that helps them make smart decisions and manage IoT environments well. IoT Security is one of the most important things to think about when you're developing, implementing, and deploying IoT platforms. People who use the Internet of Things (IoT) say that it allows people to communicate, monitor, and control automated devices from afar. This paper shows how to use Deep learning and machine learning to make an IDS that can be used on IoT platforms as a service. In the proposed method, a cnn mapped the features, and a random forest classifies normal and attack classes. In the end, the proposed method made a big difference in all performance parameters. Its average performance metrics have gone up 5% to 6%.
Sharma, Mudita, Kazakov, Dimitar.  2017.  Hybridisation of Artificial Bee Colony Algorithm on Four Classes of Real-valued Optimisation Functions. Proceedings of the Genetic and Evolutionary Computation Conference Companion. :1439–1442.
Hybridisation of algorithms in evolutionary computation (EC) has been used by researchers to overcome drawbacks of population-based algorithms. The introduced algorithm called mutated Artificial Bee Colony algorithm, is a novel variant of standard Artificial Bee Colony algorithm (ABC) which successfully moves out of local optima. First, new parameters are found and tuned in ABC algorithm. Second, the mutation operator is employed which is responsible for bringing diversity into solution. Third, to avoid tuning 'limit' parameter and prevent abandoning good solutions, it is replaced by average fitness comparison of worst employed bee. Thus, proposed algorithm gives the global solution thus improving the exploration capability of ABC. The proposed algorithm is tested on four classes of problems. The results are compared with six other population-based algorithms, namely Genetic Algorithm (GA), Particle Swarm Optimsation (PSO), Differential Evolution (DE), standard Artificial Bee Colony algorithm (ABC) and its two variants- quick Artificial Bee Colony algorithm (qABC) and adaptive Artificial Bee Colony algorithm (aABC). Overall results show that mutated ABC is at par with aABC and better than above-mentioned algorithms. The novel algorithm is best suited to 3 of the 4 classes of functions under consideration. Functions belonging to UN class have shown near optimal solution.
Tirupathi, Chittibabu, Hamdaoui, Bechir, Rayes, Ammar.  2020.  HybridCache: AI-Assisted Cloud-RAN Caching with Reduced In-Network Content Redundancy. GLOBECOM 2020 - 2020 IEEE Global Communications Conference. :1–6.
The ever-increasing growth of urban populations coupled with recent mobile data usage trends has led to an unprecedented increase in wireless devices, services and applications, with varying quality of service needs in terms of latency, data rate, and connectivity. To cope with these rising demands and challenges, next-generation wireless networks have resorted to cloud radio access network (Cloud-RAN) technology as a way of reducing latency and network traffic. A concrete example of this is New York City's LinkNYC network infrastructure, which replaces the city's payphones with kiosk-like structures, called Links, to provide fast and free public Wi-Fi access to city users. When enabled with data storage capability, these Links can, for example, play the role of edge cloud devices to allow in-network content caching so that access latency and network traffic are reduced. In this paper, we propose HybridCache, a hybrid proactive and reactive in-network caching scheme that reduces content access latency and network traffic congestion substantially. It does so by first grouping edge cloud devices in clusters to minimize intra-cluster content access latency and then enabling cooperative-proactively and reactively-caching using LSTM-based prediction to minimize in-network content redundancy. Using the LinkNYC network as the backbone infrastructure for evaluation, we show that HybridCache reduces the number of hops that content needs to traverse and increases cache hit rates, thereby reducing both network traffic and content access latency.
Merchant, Arpit, Singh, Navjyoti.  2017.  Hybrid Trust-Aware Model for Personalized Top-N Recommendation. Proceedings of the Fourth ACM IKDD Conferences on Data Sciences. :4:1–4:5.

Due to the large quantity and diversity of content being easily available to users, recommender systems (RS) have become an integral part of nearly every online system. They allow users to resolve the information overload problem by proactively generating high-quality personalized recommendations. Trust metrics help leverage preferences of similar users and have led to improved predictive accuracy which is why they have become an important consideration in the design of RSs. We argue that there are additional aspects of trust as a human notion, that can be integrated with collaborative filtering techniques to suggest to users items that they might like. In this paper, we present an approach for the top-N recommendation task that computes prediction scores for items as a user specific combination of global and local trust models to capture differences in preferences. Our experiments show that the proposed method improves upon the standard trust model and outperforms competing top-N recommendation approaches on real world data by upto 19%.

Ibrahim, Rosziati, Omotunde, Habeeb.  2017.  A Hybrid Threat Model for Software Security Requirement Specification - IEEE Conference Publication.

Security is often treated as secondary or a non- functional feature of software which influences the approach of vendors and developers when describing their products often in terms of what it can do (Use Cases) or offer customers. However, tides are beginning to change as more experienced customers are beginning to demand for more secure and reliable software giving priority to confidentiality, integrity and privacy while using these applications. This paper presents the MOTH (Modeling Threats with Hybrid Techniques) framework designed to help organizations secure their software assets from attackers in order to prevent any instance of SQL Injection Attacks (SQLIAs). By focusing on the attack vectors and vulnerabilities exploited by the attackers and brainstorming over possible attacks, developers and security experts can better strategize and specify security requirements required to create secure software impervious to SQLIAs. A live web application was considered in this research work as a case study and results obtained from the hybrid models extensively exposes the vulnerabilities deep within the application and proposed resolution plans for blocking those security holes exploited by SQLIAs.

Khan, Riaz Ullah, Kumar, Rajesh, Alazab, Mamoun, Zhang, Xiaosong.  2019.  A Hybrid Technique To Detect Botnets, Based on P2P Traffic Similarity. 2019 Cybersecurity and Cyberforensics Conference (CCC). :136–142.
The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.