A conformalized density-based clustering analysis of malicious traffic for botnet detection
Proceedings of the Ninth Symposium on Conformal and Probabilistic Prediction and Applications, PMLR 128:244-256, 2020.
Abstract
In this work, we present a clustering technique within the conformal prediction framework and describe its application to bot-generated network traffic in order to build botnet behavioral models, with a view to improving the detection of compromised hosts. The technique has a natural connection to density-based clustering. Once a required significance level has been set, the technique can discover both the clusters and the noise in the data. To obtain a clustering of the underlying distribution, we use conformal prediction in combination with a density estimator, which serves as the point predictor, to identify a few so-called focal points; these are the centers of possibly overlapping spheres or ellipsoids that represent the clusters. The developed technique has several advantages: the number of clusters is determined automatically, and the technique is able to find nonlinearly separable clusters. Moreover, a new conformity measure related to BotFinder, an algorithm for finding bots in network traffic, is developed that can be used as a method for point prediction. We performed an experimental evaluation of the proposed approach in terms of efficiency and accuracy. The results suggest that the approach obtains relatively high accuracies and is more effective than previous conformal clustering techniques.
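The following is an added illustration of the basic conformal clustering idea the abstract builds on (conformity measured by a density estimate, points rejected as noise at a chosen significance level, the number of clusters emerging from the remaining points); it is not the paper's algorithm, which uses focal points, ellipsoidal clusters and a BotFinder-related conformity measure, and the 2-D sample, Gaussian bandwidth and linkage radius are constructed here.

```python
import math
from itertools import combinations

# Constructed 2-D sample (stand-in for traffic features): two dense groups
# plus two isolated points that a defender would want flagged as noise.
DATA = [
    (0.0, 0.0), (0.1, 0.2), (-0.2, 0.1), (0.2, -0.1), (0.0, 0.3), (-0.1, -0.2),
    (5.0, 5.0), (5.1, 5.2), (4.8, 5.1), (5.2, 4.9), (5.0, 5.3), (4.9, 4.8),
    (10.0, 0.0), (0.0, 10.0),
]

def kde_conformity(point, others, bandwidth):
    """Conformity measure: Gaussian kernel density of `point`, estimated from `others`.
    A point in a dense region conforms well; an isolated point scores near zero."""
    sq = lambda q: (point[0] - q[0]) ** 2 + (point[1] - q[1]) ** 2
    return sum(math.exp(-sq(q) / (2 * bandwidth ** 2)) for q in others) / len(others)

def conformal_p_values(data, bandwidth):
    """Transductive conformal p-value of each example: the fraction of examples
    whose conformity (density from the remaining points) is no greater than its own."""
    scores = [kde_conformity(x, data[:i] + data[i + 1:], bandwidth)
              for i, x in enumerate(data)]
    n = len(data)
    return [sum(1 for s in scores if s <= scores[i]) / n for i in range(n)]

def conformal_clusters(data, significance, bandwidth, link_radius):
    """Reject points with p-value <= significance as noise; group the rest by
    single linkage within link_radius, so the cluster count is not chosen up front.
    Returns (clusters as sorted index lists, noise indices)."""
    p = conformal_p_values(data, bandwidth)
    keep = [i for i in range(len(data)) if p[i] > significance]
    noise = [i for i in range(len(data)) if p[i] <= significance]
    parent = {i: i for i in keep}          # union-find over the kept points
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(keep, 2):
        if math.dist(data[i], data[j]) <= link_radius:
            parent[find(i)] = find(j)
    groups = {}
    for i in keep:
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values()), noise

if __name__ == "__main__":
    # At significance 0.15 the two isolated points are noise and two clusters remain.
    print(conformal_clusters(DATA, significance=0.15, bandwidth=0.5, link_radius=1.0))
```

Lowering the significance level keeps more points: at 0.05 nothing is rejected and each isolated point becomes its own singleton cluster, which shows why the level must be set before clustering.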