Data analytics on network traffic flows for botnet behaviour detection

Authors :
A. Nur Zincir-Heywood
Malcolm I. Heywood
Duc C. Le
Source :
SSCI
Publication Year :
2016
Publisher :
IEEE, 2016.

Abstract

Botnets represent one of the most destructive cybersecurity threats. Given the evolution of the structures and protocols botnets use, many machine learning approaches have been proposed for botnet analysis and detection. In the literature, intrusion and anomaly detection systems based on unsupervised learning techniques showed promising performances. In this paper, we investigate the capability of employing the Self-Organizing Map (SOM), an unsupervised learning technique, as a data analytics system. In doing so, our aim is to understand how far such an approach could be pushed to analyze unknown traffic to detect botnets. To this end, we employed three different unsupervised training schemes using publicly available botnet data sets. Our results show that SOMs possess high potential as a data analytics tool on unknown traffic. They can identify the botnet and normal flows with high confidence approximately 99% of the time on the data sets employed in this work.

Details

Database :
OpenAIRE
Journal :
2016 IEEE Symposium Series on Computational Intelligence (SSCI)
Accession number :
edsair.doi...........7a85f28944265d886b626bd211c61482
Full Text :
https://doi.org/10.1109/ssci.2016.7850078