Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification


Fariba Haddadi
A. Nur Zincir-Heywood

Author Addresses: 

Faculty of Computer Science
Dalhousie University
6050 University Ave.
PO Box 15000
Halifax, Nova Scotia, Canada
B3H 4R2

Email: {haddadi, zincir}


Botnets represent one of the most aggressive threats against cyber security. Therefore, botnet traffic analysis is one the main approaches to study and classify such threats. Different techniques using different feature sets were proposed for botnet traffic analysis and classification. However, no work has been performed to study the effect of such differences. In this work, we perform a systematic study on the effect of (if any) these feature sets differences employed in such works. To this end, we explore five different traffic flow exporters (each with a different set of flow features) using two different protocol filters (HTTP and DNS) and five different classifiers. We evaluate all these on eight different botnet traffic data sets. Our results indicate that the use of a flow exporter and a protocol filter does indeed have an effect on the performance of botnet traffic classification.

Tech Report Number: 
Report Date: 
February 25, 2014
PDF icon CS-2014-02.pdf986.64 KB