A self‐learning stream classifier for flow‐based botnet detection
Saved in:

| Published in | International journal of communication systems 2019-11, Vol.32 (16), p.n/a |
|---|---|
| Main authors | , , |
| Format | Article |
| Language | eng |
| Subjects | |
| Online access | Full text |

Summary:

Botnets have been recently recognized as one of the most formidable threats on the Internet. Different approaches have been designed to detect these types of attacks. However, as botnets evolve their behavior to mislead signature‐based detection systems, learning‐based methods may be deployed to provide a generalization capacity for identifying unknown botnets. Developing an adaptable botnet detection system, which incrementally evolves with the incoming flow stream, remains a challenge. In this paper, a self‐learning botnet detection system is proposed, which uses an adaptable classification model. The system uses an ensemble classifier and, in order to enhance its generalization capacity, updates its model continuously on receiving new unlabeled traffic flows. The system is evaluated with a comprehensive data set, which contains a wide variety of botnets. The experiments demonstrate that the proposed system can successfully adapt in a dynamic environment where new botnet types are observed during the system operation. We also compare the system performance with other methods.

This paper presents a self‐learning botnet detection system with an adaptable ensemble classifier, which may improve its classification accuracy by self‐learning from new unlabeled traffic flows. The proposed system uses a small training set to build its initial model and incrementally updates its model to adapt to the evolving network traffic. We evaluate and compare the system performance using one of the most comprehensive and diverse data sets available for botnet research.

| ISSN | 1074-5351 1099-1131 |
|---|---|
| DOI | 10.1002/dac.4143 |