Botnet attacks are a major threat to networked systems because they turn the network nodes they compromise into additional attackers, spreading high-volume attacks over long periods. Detecting such botnets is complicated by the fact that multiple network IP addresses are compromised simultaneously, so collective classification of compromised nodes can usefully complement the traditional methods that focus on individual nodes. This work therefore introduces a collective botnet attack classification technique that operates on traffic from an n-node IP network using a novel Associated Random Neural Network (ARNN) to identify the nodes that are compromised. The ARNN is a recurrent architecture that incorporates two mutually associated, interconnected and architecturally identical n-neuron random neural networks, which act simultaneously as mutual critics to reach the decision about which of the n nodes have been compromised. A novel gradient descent learning algorithm is presented for the ARNN and is shown to operate effectively both with conventional off-line training from prior data and with on-line incremental training without prior off-line learning. Real data from a 107-node packet network, comprising over 700,000 packets, is used to evaluate the ARNN and shows that it provides accurate predictions. Comparisons with other well-known state-of-the-art methods on the same learning and testing datasets show that the ARNN offers significantly better performance.
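As an added illustration of the building block the abstract refers to (this is not the paper's ARNN code), the following Python computes the standard random neural network (RNN) fixed point over one n-neuron network, one neuron per IP node, and flags nodes whose steady-state excitation probability exceeds a threshold. The RNN equations, the mapping from traffic features to excitation and inhibition rates, the weights and the four-node traffic summary are all assumptions constructed for this example; the ARNN's coupling of its two networks and its gradient learning rule are not described above and are not modelled here.

```python
"""Collective flagging of compromised nodes with a random neural network.

Added example, not the paper's implementation. It uses the standard RNN
steady-state equations (assumed here as the building block behind the
ARNN) with hand-set weights and constructed traffic features. The ARNN's
two-network association and its learning algorithm are not modelled.
"""

# Constructed traffic summary for an n = 4 node network: outgoing packets
# per second and the number of distinct destinations seen per node. The
# node addresses are placeholders.
NODE_IDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
OUT_PPS = [5.0, 80.0, 6.0, 90.0]
DISTINCT_DST = [3.0, 40.0, 4.0, 55.0]


def traffic_to_rates(out_pps, distinct_dst, scale=400.0, baseline=0.1):
    """Map per-node traffic features to exogenous excitation (Lambda_i)
    and inhibition (lambda_i) rates. Assumed mapping: heavier and more
    widely spread outgoing traffic excites the neuron representing that
    node, while a constant baseline inhibition encodes the prior that a
    node is clean."""
    big_lambda = [(p + d) / scale for p, d in zip(out_pps, distinct_dst)]
    small_lambda = [baseline] * len(out_pps)
    return big_lambda, small_lambda


def build_weights(n, w=0.05):
    """Every neuron excites and inhibits every other neuron with rate w
    (no self-loops), so one node's activity nudges its neighbours' scores.
    Constructed weights; a trained ARNN would learn these instead."""
    w_plus = [[0.0 if i == j else w for j in range(n)] for i in range(n)]
    w_minus = [[0.0 if i == j else w for j in range(n)] for i in range(n)]
    return w_plus, w_minus


def firing_rates(w_plus, w_minus):
    """r_i = sum_j (w+_ij + w-_ij): total outgoing rate of neuron i."""
    return [sum(w_plus[i]) + sum(w_minus[i]) for i in range(len(w_plus))]


def rnn_map(q, big_lambda, small_lambda, w_plus, w_minus, r):
    """One application of the RNN steady-state equations:
    q_i = min(1, lambda+_i / (r_i + lambda-_i)), where
    lambda+_i = Lambda_i + sum_j q_j w+_ji and
    lambda-_i = lambda_i + sum_j q_j w-_ji."""
    n = len(q)
    out = []
    for i in range(n):
        exc = big_lambda[i] + sum(q[j] * w_plus[j][i] for j in range(n))
        inh = small_lambda[i] + sum(q[j] * w_minus[j][i] for j in range(n))
        out.append(min(1.0, exc / (r[i] + inh)))
    return out


def rnn_fixed_point(big_lambda, small_lambda, w_plus, w_minus,
                    iters=500, tol=1e-12):
    """Iterate rnn_map from q = 0 until successive iterates agree to tol."""
    r = firing_rates(w_plus, w_minus)
    q = [0.0] * len(big_lambda)
    for _ in range(iters):
        q_new = rnn_map(q, big_lambda, small_lambda, w_plus, w_minus, r)
        if max(abs(a - b) for a, b in zip(q_new, q)) < tol:
            return q_new
        q = q_new
    return q


def fixed_point_residual(q, big_lambda, small_lambda, w_plus, w_minus):
    """Largest change if the map were applied once more (0 at a fixed point)."""
    r = firing_rates(w_plus, w_minus)
    q_next = rnn_map(q, big_lambda, small_lambda, w_plus, w_minus, r)
    return max(abs(a - b) for a, b in zip(q_next, q))


def classify_nodes(out_pps, distinct_dst, threshold=0.5):
    """Return the per-node steady-state probabilities and the indices of
    nodes flagged as compromised (q_i above threshold)."""
    big_lambda, small_lambda = traffic_to_rates(out_pps, distinct_dst)
    w_plus, w_minus = build_weights(len(big_lambda))
    q = rnn_fixed_point(big_lambda, small_lambda, w_plus, w_minus)
    flagged = [i for i, qi in enumerate(q) if qi > threshold]
    return q, flagged


if __name__ == "__main__":
    q, flagged = classify_nodes(OUT_PPS, DISTINCT_DST)
    for node, qi in zip(NODE_IDS, q):
        print(f"{node}: q = {qi:.3f}")
    print("flagged as compromised:", [NODE_IDS[i] for i in flagged])
```

The two high-traffic nodes are flagged and the two quiet ones are not; because each neuron's excitation also depends on its neighbours' steady-state probabilities, the decision for one node is shaped by the whole network's state, which is the sense in which the classification is collective rather than per-node.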