US 12,464,015 B2
Device, method, and system for supporting botnet traffic detection
Gergely Matefi, Budapest (HU)
Assigned to TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), Stockholm (SE)
Appl. No. 18/268,774
Filed by Telefonaktiebolaget LM Ericsson (publ), Stockholm (SE)
PCT Filed Dec. 22, 2020, PCT No. PCT/SE2020/051257
§ 371(c)(1), (2) Date Jun. 21, 2023,
PCT Pub. No. WO2022/139642, PCT Pub. Date Jun. 30, 2022.
Prior Publication US 2024/0080337 A1, Mar. 7, 2024
Int. Cl. H04L 9/40 (2022.01); G06F 21/55 (2013.01); G06N 20/00 (2019.01); H04L 41/16 (2022.01)
CPC H04L 63/1458 (2013.01) [G06F 21/554 (2013.01); G06N 20/00 (2019.01); H04L 41/16 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 2463/144 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A device for supporting botnet traffic detection, the device comprising:
a processor; and
a memory, the memory containing instructions executable by the processor, wherein the instructions, when executed by the processor, cause the device to:
obtain information associated with a first data flow of a first communication device and information associated with a second data flow of the first communication device or a second communication device;
associate the first data flow with a first network flow aggregate, and the second data flow with a second network flow aggregate;
create a first feature set for the first network flow aggregate as a first training set, and a second feature set for the second network flow aggregate as a second training set;
train a first prediction model using the first training set, and a second prediction model using the second training set;
apply the first prediction model and the second prediction model to the second feature set of the second network flow aggregate;
select an output of the first prediction model as a first anomaly score for the second network flow aggregate, and an output of the second prediction model as a second anomaly score for the second network flow aggregate;
associate the second network flow aggregate with a connection, wherein the connection is based on source and destination information, protocol and destination port of the second data flow of the second network flow aggregate;
determine an average difference value for the connection, wherein the average difference value is an average of a difference between the first anomaly score and the second anomaly score;
associate the connection with a label based on the average difference value and a first threshold, wherein the label either indicates benign traffic or malicious traffic;
determine whether or not the label indicates malicious traffic; and
after determining that the label indicates malicious traffic, raise an alarm and/or initiate a remedial action.
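The claim above describes the scoring pipeline only in the abstract. The Python below is a worked example added for this page; it is not Ericsson's implementation and not code from the patent. Claim 1 does not fix the type of prediction model, the features, or the sign of the difference, so the example assumes a per-feature Gaussian z-score model for both prediction models, takes the difference as first anomaly score minus second anomaly score, and runs on constructed flow records (RFC 5737 documentation addresses). The first network flow aggregate is a window of one device's benign traffic; the second is a later window of the same device in which repetitive beacons to one host have appeared.

```python
"""Added worked example (not from the patent): two-model anomaly-score
difference per connection, following the steps of claim 1.

Assumptions, none fixed by the claim text: both prediction models are
per-feature Gaussian z-score models; the difference is (first anomaly
score - second anomaly score); all flows and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class Flow:
    """One bidirectional data flow record (constructed, NetFlow-like fields)."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    bytes_in: int
    packets: int
    duration: float


def connection_key(flow):
    """Connection identity per claim 1: source, destination, protocol, destination port."""
    return (flow.src, flow.dst, flow.proto, flow.dport)


def feature_vector(flow):
    """Feature set for one flow; byte counts are log-scaled to tame heavy tails."""
    return [math.log1p(flow.bytes_out), math.log1p(flow.bytes_in),
            float(flow.packets), flow.duration]


class ZScoreModel:
    """Per-feature Gaussian model; anomaly score = mean squared z-score."""

    def __init__(self, means, stds):
        self.means = means
        self.stds = stds

    @classmethod
    def train(cls, training_set):
        columns = list(zip(*training_set))
        means = [statistics.fmean(col) for col in columns]
        # A constant feature (an aggregate made only of identical beacons)
        # would give std 0 and a division by zero; fall back to 1.0.
        stds = [statistics.pstdev(col) or 1.0 for col in columns]
        return cls(means, stds)

    def score(self, x):
        return statistics.fmean(((v - m) / s) ** 2
                                for v, m, s in zip(x, self.means, self.stds))


def label_connections(first_aggregate, second_aggregate, threshold):
    """Return {connection_key: (label, average_difference)} for the second aggregate."""
    first_set = [feature_vector(f) for f in first_aggregate]
    second_set = [feature_vector(f) for f in second_aggregate]
    first_model = ZScoreModel.train(first_set)    # trained on the first aggregate
    second_model = ZScoreModel.train(second_set)  # trained on the second aggregate

    differences = defaultdict(list)
    for flow, x in zip(second_aggregate, second_set):
        first_score = first_model.score(x)    # unusual relative to the first aggregate?
        second_score = second_model.score(x)  # unusual relative to its own aggregate?
        differences[connection_key(flow)].append(first_score - second_score)

    labels = {}
    for key, diffs in differences.items():
        average_difference = statistics.fmean(diffs)
        label = "malicious" if average_difference > threshold else "benign"
        labels[key] = (label, average_difference)
    return labels


def alarms(labels):
    """Connections for which claim 1 would raise an alarm / start remediation."""
    return sorted(key for key, (label, _) in labels.items() if label == "malicious")


# Constructed sample data (RFC 5737 documentation addresses, hypothetical values).
DEVICE = "192.0.2.10"
BENIGN_FLOWS = [  # ordinary web traffic of the device in the first window
    Flow(DEVICE, "198.51.100.30", "tcp", 443, 800, 12000, 30, 1.5),
    Flow(DEVICE, "198.51.100.20", "tcp", 443, 1500, 45000, 60, 3.0),
    Flow(DEVICE, "198.51.100.20", "tcp", 80, 600, 8000, 20, 0.8),
    Flow(DEVICE, "198.51.100.30", "tcp", 443, 2500, 150000, 180, 6.0),
    Flow(DEVICE, "198.51.100.20", "tcp", 443, 1100, 30000, 45, 2.2),
    Flow(DEVICE, "198.51.100.30", "tcp", 443, 900, 20000, 35, 1.7),
]
# Later window of the same device: the same benign mix plus six near-identical
# beacons to one host. The beacons look normal inside the second aggregate
# (low second score) but far from the first aggregate (high first score).
BEACON = Flow(DEVICE, "203.0.113.5", "tcp", 4444, 120, 80, 4, 0.2)
SECOND_WINDOW = BENIGN_FLOWS + [BEACON] * 6
THRESHOLD = 3.0  # the "first threshold" of claim 1; assumed value


def run_example():
    labels = label_connections(BENIGN_FLOWS, SECOND_WINDOW, THRESHOLD)
    return labels, alarms(labels)


if __name__ == "__main__":
    labels, alarmed = run_example()
    for key, (label, avg) in sorted(labels.items()):
        print(f"{key}: {label} (avg diff {avg:.2f})")
    print("alarm on:", alarmed)
```

The point the example makes concrete is why two models are needed rather than one: a single model trained on the second window would absorb the beacons as part of "normal" and give them a low score, while the difference of the two scores is large precisely for traffic that is self-similar within the window but absent from the reference aggregate, which is the beaconing pattern the claim targets. The threshold and the z-score model are assumptions for illustration; a deployment would select both on labelled data.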