Unit 3 Network Anomaly Detection & Attack Classification

The document discusses network anomaly detection, classifying network attacks into active and passive types, with examples such as DDoS, malware, and phishing. It outlines the importance of detecting network anomalies, which can indicate cyber threats, hardware failures, or misconfigurations, and describes various detection techniques including signature-based, statistical, and machine learning methods. Additionally, it covers botnet detection, detailing different botnet topologies and detection strategies to dismantle such networks.

Uploaded by dipalikhanore45
lOMoARcPSD|30496647

AICS Unit III- Network Anomaly Detection with AI 29-03-2025

1. Classification of Network Attacks

Network attacks can be broadly classified as active (aiming to disrupt or damage) and passive (aiming to steal information). Common examples include Denial of Service (DoS), Distributed Denial of Service (DDoS), Man-in-the-Middle (MitM) attacks, malware, phishing, and SQL injection. [1, 2, 3, 4, 5]

Here's a more detailed breakdown:

I. Active Attacks: [1, 3, 4, 6]

• Denial of Service (DoS) / Distributed Denial of Service (DDoS): Overwhelm a network or system with traffic, making it unavailable to legitimate users. [1, 3, 4, 6]
    o DDoS: Uses multiple compromised systems (a "botnet") to amplify the attack. [1, 4, 7]
• Man-in-the-Middle (MitM) Attacks: Intercept and potentially manipulate communications between two parties without their knowledge. [1, 3, 4, 6]
• Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system. [4, 7]
    o Viruses: Malware that requires user interaction to spread. [4, 7]
    o Worms: Malware that can spread automatically across a network. [4, 7]
    o Ransomware: Malware that encrypts a victim's data and demands a ransom for its release. [4, 8]
• SQL Injection: Exploits vulnerabilities in web applications to manipulate queries between applications and databases, allowing attackers to execute malicious commands. [1, 3, 4, 9]
• Unauthorized Access: Gaining access to a network or system without proper authorization. [1, 3]
• Privilege Escalation: Exploiting vulnerabilities to gain higher-level access or control on a system. [1, 3]
• Insider Threats: Attacks carried out by individuals with legitimate access to a network or system. [1, 3, 10]
• Social Engineering: Manipulating individuals to reveal sensitive information or perform actions that compromise security. [4, 11, 12]
• Phishing: Deceptive emails or messages that trick users into revealing personal information. [4, 5, 11]
• Spoofing: Impersonating a device or user to gain access or cause harm. [11, 13]

II. Passive Attacks: [2, 7]

• Eavesdropping: Monitoring network traffic to intercept sensitive information. [2, 7]
• Packet Sniffing: Capturing and analyzing network packets to gather information. [7]
• Reconnaissance: Gathering information about a target network or system before launching an attack. [14]

Downloaded by Krishna Birla ([email protected])


lOMoARcPSD|30496647

III. Other Notable Types: [5, 15]

• Brute-Force Attacks: Attempting to guess passwords or other credentials by trying all possible combinations. [5, 15]
• Cross-Site Scripting (XSS): Injecting malicious scripts into websites to compromise users. [5]
• Zero-Day Exploits: Exploiting vulnerabilities that are not yet known or patched by vendors. [5]
• Credential Stuffing: Using stolen credentials from one website to log into other websites. [5]
• DNS Tunneling: Using the DNS protocol to transmit data that bypasses security measures. [11]
• IoT-Based Attacks: Targeting vulnerabilities in Internet of Things (IoT) devices. [11]
• AI-Powered Attacks: Using AI to automate and enhance cyberattacks. [11]
• Supply Chain Attacks: Compromising a company's suppliers to gain access to their systems. [11]

[1] https://www.6clicks.com/resources/answers/what-are-the-six-6-types-of-attacks-on-network-security
[2] https://www.forcepoint.com/cyber-edu/network-attack
[3] https://www.cynet.com/network-attacks/network-attacks-and-network-security-threats/
[4] https://cisomag.com/top-10-common-types-of-network-security-attacks-explained/
[5] https://www.simplilearn.com/tutorials/cyber-security-tutorial/types-of-cyber-attacks
[6] https://www.youtube.com/watch?v=44nbeOHCVn4
[7] https://www.geeksforgeeks.org/basic-network-attacks-in-computer-network/
[8] https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks
[9] https://pentera.io/glossary/defending-against-computer-network-attacks/
[10] https://blog.tbconsulting.com/the-biggest-computer-security-threats-in-2016
[11] https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/common-cyberattacks/
[12] https://www.wiz.io/academy/social-engineering-attacks
[13] https://zerogravitymarketing.com/blog/email-spoofing/
[14] https://www.stackscale.com/blog/osi-model/
[15] https://iopscience.iop.org/article/10.1088/1755-1315/644/1/012031/pdf

2. Network Anomaly Detection Techniques

A. What is a Network Anomaly?

A network anomaly refers to any unusual or unexpected behavior in network traffic that deviates from normal
patterns. These anomalies can be a sign of cyberattacks, hardware failures, misconfigurations, or unexpected user
behavior.

A network anomaly happens when something unusual or unexpected occurs in network traffic. Normally,
data flows in a predictable way, but sometimes, strange patterns appear. These unusual activities could
be signs of problems like:

• Cyberattacks – Hackers trying to break into a system.
• Hardware Failures – A device (like a router or server) stops working properly.
• Misconfigurations – A mistake in network settings causes problems.
• Unexpected User Behavior – Someone is using the network in an unusual way, which could be accidental or intentional.

For example, if a company usually gets 100 login attempts per hour, but suddenly there are 10,000
attempts, this could be a sign of an attack. Detecting these anomalies helps keep networks secure and
running smoothly.

B. Types of Network Anomalies

Network anomalies can be classified into three main types:

1. Performance Anomalies

• Occur due to system failures, congestion, or misconfigurations.
• Examples:
    o High Latency: Slow network response times.
    o Packet Loss: Data packets getting dropped.
    o Jitter: Irregular time delays in data transmission.

2. Security Anomalies

• Indicate potential cyber threats or unauthorized activities.
• Examples:
    o Unusual Traffic Spikes: Possible Denial-of-Service (DoS) attack.
    o Unexpected Data Transfers: Could be data exfiltration.
    o Abnormal Access Patterns: Signs of unauthorized access or compromised credentials.

3. Operational Anomalies

• Result from policy violations, incorrect configurations, or human errors.
• Examples:
    o Unauthorized Device Connections: Unrecognized devices on the network.
    o Unusual Software Behavior: Unexpected updates or installations.
    o Misconfigured Firewalls/Routing Issues: Incorrect rules leading to security vulnerabilities.

C. Detection of Network Anomalies

Network anomalies can be detected using various methods:

1. Signature-Based Detection

• Uses predefined attack patterns (signatures).
• Works well for known threats but fails for new/unknown attacks.
• Example: Intrusion Detection Systems (IDS) like Snort.

2. Statistical-Based Detection

• Monitors network behavior and flags significant deviations from historical data.
• Example: Threshold-based alerting for unusual bandwidth usage.

3. Machine Learning-Based Detection

• Uses AI/ML models to learn normal traffic patterns and identify anomalies.
• Example: Anomaly detection using clustering algorithms like K-Means or deep learning models.

4. Behavioral Analysis

• Tracks user and device behavior over time to detect deviations.
• Example: User and Entity Behavior Analytics (UEBA).

D. Why is Network Anomaly Detection Important?

1. Detects Cyber Threats Early – Identifies potential attacks like DDoS, malware, and insider threats.
2. Prevents Data Breaches – Stops unauthorized access before data theft occurs.
3. Ensures Network Performance – Helps troubleshoot slowdowns, outages, and configuration
issues.
4. Compliance & Security – Helps meet regulatory security requirements.

E. Detection Techniques in Detail

1. Signature-Based Detection (Rule-Based)

• Compares network activity against a database of known attack signatures.
• Works well for detecting known threats but fails for new/zero-day attacks.
• Example: Intrusion Detection Systems (IDS) like Snort.

2. Statistical-Based Detection

• Uses statistical models to establish a baseline of normal network behavior and flags deviations.
• Techniques include:
    o Mean & Standard Deviation Analysis: Detects spikes in traffic.
    o Chi-Square Test: Identifies significant variations.
    o Time-Series Analysis: Tracks network behavior over time.
• Example: Detecting abnormal bandwidth usage.

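As an added example (not code from the original notes), the mean-and-standard-deviation technique above applied to the "100 login attempts per hour, then 10,000" case from section A: a z-score threshold over a sliding window of hourly counts. The baseline values and the 3-sigma threshold are assumptions.

```python
import statistics
from typing import List, Sequence

# Constructed baseline: login attempts per hour over the previous 24 hours
# (made-up values around the "100 per hour" normal rate from section A).
BASELINE_LOGINS: List[int] = [98, 104, 110, 95, 101, 99, 120, 130, 115, 105, 97, 102,
                              108, 112, 100, 94, 103, 109, 99, 101, 106, 97, 100, 102]


def zscore(value: float, history: Sequence[float]) -> float:
    """How many standard deviations `value` sits from the mean of `history`.
    The floor on the standard deviation avoids a division by zero on a
    perfectly flat history, which would otherwise make any change infinite."""
    mean = statistics.fmean(history)
    stdev = max(statistics.pstdev(history), 1e-9)
    return (value - mean) / stdev


def is_anomalous(value: float, history: Sequence[float], threshold: float = 3.0) -> bool:
    """Threshold rule: flag anything beyond `threshold` standard deviations."""
    return abs(zscore(value, history)) >= threshold


def detect_spikes(series: Sequence[float], window: int = 24, threshold: float = 3.0) -> List[int]:
    """Sliding-window detector over an hourly series. Each point is compared
    against the preceding `window` points; flagged points are kept OUT of the
    baseline so a sustained attack cannot raise the mean and hide itself."""
    flagged, history = [], []
    for i, value in enumerate(series):
        if len(history) >= window and is_anomalous(value, history, threshold):
            flagged.append(i)
            continue
        history.append(value)
        if len(history) > window:
            history.pop(0)
    return flagged
```

A value like 115 sits well inside the normal spread and is not flagged; 10,000 is, and so is a second attack hour, because the first one was never folded into the baseline.
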
3. Machine Learning-Based Detection

• Uses AI models to learn normal traffic patterns and detect deviations.
• Techniques:
    o Supervised Learning (e.g., Decision Trees, SVM): Requires labeled normal/anomalous data.
    o Unsupervised Learning (e.g., Clustering, Autoencoders): Detects anomalies without labeled data.
    o Deep Learning (e.g., LSTMs, CNNs): Analyzes complex patterns in network traffic.
• Example: Anomaly detection using K-Means clustering or neural networks.

4. Behavior-Based Detection

• Monitors user and device behavior over time and flags unusual activities.
• Uses techniques like:
    o User and Entity Behavior Analytics (UEBA).
    o Deviation from Access Patterns: Identifies unauthorized logins or data transfers.
• Example: Detecting an insider threat by tracking login patterns.

5. Heuristic-Based Detection

• Uses predefined rules and expert knowledge to identify anomalies.
• More flexible than signature-based but may generate false positives.
• Example: Flagging multiple failed login attempts.

6. Hybrid Detection

• Combines two or more techniques (e.g., Signature + Machine Learning) to improve accuracy.
• Example: A firewall using rule-based filtering combined with AI-driven threat detection.

Comparison of Techniques

Technique              | Strengths                                       | Weaknesses
-----------------------+-------------------------------------------------+----------------------------
Signature-Based        | Detects known threats with high accuracy        | Cannot detect new attacks
Statistical-Based      | Simple and effective for threshold-based alerts | May have false positives
Machine Learning-Based | Detects unknown anomalies                       | Requires training data
Behavior-Based         | Identifies insider threats                      | Needs continuous monitoring
Heuristic-Based        | Flexible and adaptable                          | High false positive rate
Hybrid                 | High accuracy and broad coverage                | Complex implementation

3. Detection of Botnet Topology

A botnet is a network of compromised devices (bots) controlled by an attacker (botmaster) to carry out malicious activities such as DDoS attacks, spam campaigns, and data theft. Detecting the topology (structure) of a botnet helps in identifying its communication patterns and dismantling it.

A botnet is a group of infected devices (called bots) that are secretly controlled by a hacker (botmaster). The hacker uses these bots to do bad things like:

• Launching cyberattacks (e.g., slowing down websites with too much traffic – DDoS attacks).
• Sending spam emails (junk mail or fake messages).
• Stealing information (like passwords or credit card details).

To stop a botnet, we need to detect its structure (how the bots are connected and communicate). This
helps cybersecurity experts track how the hacker controls the bots and find ways to break the botnet
apart.

For example, if all bots receive orders from a single server, blocking that server can stop the attack. If the
bots talk to each other in a peer-to-peer way, we need to find and remove infected devices one by one.

Botnet Topologies

Botnets can be structured in different ways, and each topology requires a specific detection approach:

1. Centralized (Star Model)
    o All bots communicate with a central Command & Control (C&C) server.
    o Example: IRC-based botnets.
    o Detection Method:
        ▪ Monitor unusual traffic to a single IP/server.
        ▪ Detect spikes in connection requests.
2. Peer-to-Peer (P2P) Model
    o Bots communicate directly with each other, making them harder to track.
    o Example: Storm and Waledac botnets.
    o Detection Method:
        ▪ Identify abnormal patterns in peer connections.
        ▪ Use graph-based anomaly detection to find clusters of infected hosts.
3. Hybrid Model
    o A mix of centralized and P2P, where some bots act as relay nodes.
    o Detection Method:
        ▪ Combination of centralized and P2P detection methods.
4. Random Model
    o Bots communicate unpredictably to avoid detection.
    o Detection Method:
        ▪ Use Machine Learning (ML) techniques to identify suspicious traffic patterns.

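As an added example (not from the original notes), the detection methods for the star and P2P models above run over a constructed flow log. A star is found by looking for an external server with high fan-in whose clients contact it at clockwork intervals (a popular web server also has high fan-in, but its clients arrive irregularly); a P2P mesh is found by building a per-port graph of internal-to-internal connections and keeping dense connected components. All addresses, ports and thresholds are made up.

```python
import statistics
from collections import defaultdict

# Constructed flow log, one tuple per connection: (timestamp_s, src, dst, dst_port).
# 10.0.0.1-4 beacon to a suspected C&C on 6667 every 60 s (star pattern);
# 10.0.1.1-4 talk to each other on 4444 (P2P mesh); every host also browses
# a benign web server on 443 at irregular times (benign high fan-in).
CC, WEB = "203.0.113.10", "198.51.100.5"
FLOWS = []
for h in range(1, 5):
    FLOWS += [(t, f"10.0.0.{h}", CC, 6667) for t in range(0, 600, 60)]
    FLOWS += [(t, f"10.0.0.{h}", WEB, 443) for t in (7, 95, 130, 420, 577)]
PEERS = [f"10.0.1.{h}" for h in range(1, 5)]
for i, a in enumerate(PEERS):
    for b in PEERS[i + 1:]:
        FLOWS += [(i * 13, a, b, 4444), (i * 13 + 31, b, a, 4444)]
FLOWS += [(t, p, WEB, 443) for p in PEERS for t in (33, 140, 398)]


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def beacon_cv(times):
    """Coefficient of variation of the gaps between one client's connections;
    close to 0 means clockwork beaconing, which human browsing never shows."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or statistics.fmean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.fmean(gaps)


def centralized_candidates(flows, min_fanin=3, max_cv=0.1):
    """Star topology: at least `min_fanin` internal clients contacting the
    same external server, with the median client beaconing regularly."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    cvs = defaultdict(list)
    for (src, dst), ts_list in times.items():
        cv = beacon_cv(sorted(ts_list))
        if cv is not None:
            cvs[dst].append(cv)
    return sorted(dst for dst, vals in cvs.items()
                  if len(vals) >= min_fanin and statistics.median(vals) <= max_cv)


def p2p_candidates(flows, min_size=3, min_mean_degree=2.0):
    """P2P topology: a dense mesh of internal hosts on one port. Builds an
    undirected graph per destination port and returns its dense components."""
    graphs = defaultdict(lambda: defaultdict(set))
    for _, src, dst, port in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            graphs[port][src].add(dst)
            graphs[port][dst].add(src)
    found = []
    for port, adj in graphs.items():
        seen = set()
        for start in adj:
            if start in seen:
                continue
            comp, stack = set(), [start]
            while stack:          # iterative DFS for one connected component
                node = stack.pop()
                if node not in comp:
                    comp.add(node)
                    stack.extend(adj[node])
            seen |= comp
            mean_degree = statistics.fmean([len(adj[n]) for n in comp])
            if len(comp) >= min_size and mean_degree >= min_mean_degree:
                found.append((port, sorted(comp)))
    return found
```
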
Techniques for Botnet Detection

1. Network Traffic Analysis

• Flow-based detection: Monitor sudden spikes in traffic or unusual communication patterns.
• Deep Packet Inspection (DPI): Analyze packet contents for botnet signatures.

2. Machine Learning-Based Detection

• Supervised Learning: Train models on normal and botnet traffic data.
• Unsupervised Learning: Cluster similar traffic patterns to identify anomalies.
• Neural Networks & AI: Detect complex botnet behaviors.

3. DNS and IP Reputation Analysis

• Bots often use fast-flux DNS to change IPs rapidly.
• Checking domain reputation can help block malicious C&C servers.

4. Behavioral Analysis

• Identify repetitive behaviors like frequent connections to unknown IPs.
• Detect unusual login activities across multiple devices.

5. Honeypots & Sandboxing

• Deploy fake vulnerable systems to attract botnet traffic and analyze behavior.

Detailed Explanation of Machine Learning Algorithms for Botnet Detection


Botnet detection requires analyzing large amounts of network traffic to identify abnormal patterns.
Machine learning (ML) provides powerful techniques to automatically recognize botnets based on their
behavior. These techniques can be broadly classified into Supervised Learning, Unsupervised Learning,
and Hybrid Approaches.

1. Supervised Learning Algorithms


Supervised learning models are trained on labeled datasets, meaning the data is already categorized into
botnet traffic and normal traffic. These algorithms learn patterns and then classify new data accordingly.

A. Decision Trees (DT)

A decision tree is a flowchart-like structure where each node represents a decision based on network
traffic features (e.g., packet size, IP addresses, request frequency).

• How it Works:
    o The model learns decision rules from training data.
    o It classifies traffic by following the decision path based on feature values.
• Pros:
    o Easy to interpret.
    o Fast and efficient for small datasets.
• Cons:
    o Prone to overfitting (memorizing patterns instead of generalizing).
• Use Case:
    o Identifying botnets based on network request frequency and abnormal connection attempts.

B. Random Forest (RF)

Random Forest is an extension of Decision Trees, where multiple trees are trained on different parts of
the dataset, and the final decision is made by averaging their outputs.

• How it Works:
    o Generates multiple decision trees using different subsets of features.
    o Votes on the most likely classification.
• Pros:
    o More accurate than a single decision tree.
    o Handles large datasets effectively.
• Cons:
    o Slower than a single decision tree.
• Use Case:
    o Detecting botnet-infected devices by analyzing multiple traffic parameters like request intervals, payload size, and IP addresses.

C. Support Vector Machine (SVM)

SVM is used to classify data by finding the best hyperplane (decision boundary) that separates botnet
traffic from normal traffic.

• How it Works:
    o Maps data points in a high-dimensional space and finds the best boundary that separates classes.
• Pros:
    o Works well for small and medium-sized datasets.
    o Handles complex relationships between features.
• Cons:
    o Slow when handling large datasets.
• Use Case:
    o Identifying botnet traffic based on TCP/IP packet features such as source and destination ports.

D. Neural Networks (NN)

Neural networks use layers of interconnected nodes to detect complex patterns in botnet traffic.

• How it Works:
    o The model learns from historical data by adjusting weights in a network of artificial neurons.
• Pros:
    o Can detect sophisticated and evolving botnets.
• Cons:
    o Requires a large amount of labeled training data.
    o Computationally expensive.
• Use Case:
    o Detecting botnets in encrypted traffic by analyzing payload structures and timing patterns.

2. Unsupervised Learning Algorithms


Unsupervised learning is useful when labeled data (botnet vs. normal) is not available. It identifies hidden
patterns and anomalies in network traffic.

A. K-Means Clustering

K-Means groups similar network behaviors into clusters. It identifies botnets by detecting clusters with
unusual activity.

• How it Works:
    o Partitions network data into 'k' clusters based on similarity.
    o Botnet traffic often forms separate clusters due to its unique communication pattern.
• Pros:
    o Works well when botnet behaviors are distinct.
• Cons:
    o Requires defining the number of clusters.
• Use Case:
    o Detecting unknown botnets by grouping devices with unusual communication patterns.

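An added example (not code from the notes) of K-Means as described above, in plain Python: Lloyd's algorithm with deterministic farthest-first seeding over constructed per-device traffic features, with the small, well-separated cluster flagged as bot-like. Device names, feature values and the 30% minority threshold are assumptions.

```python
import math
from statistics import fmean
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed per-device traffic features: (new outbound connections per
# minute, distinct destination IPs per minute). Ten ordinary workstations
# and three devices behaving like scanning bots (made-up data).
DEVICES: Dict[str, Point] = {
    "ws-01": (4, 3), "ws-02": (6, 4), "ws-03": (5, 2), "ws-04": (8, 5),
    "ws-05": (3, 2), "ws-06": (7, 6), "ws-07": (5, 4), "ws-08": (9, 5),
    "ws-09": (4, 4), "ws-10": (6, 3),
    "cam-07": (85, 70), "cam-12": (92, 80), "rtr-03": (78, 66),
}


def farthest_first(points: List[Point], k: int) -> List[Point]:
    """Deterministic seeding: start from the first point, then repeatedly
    pick the point farthest from every centroid chosen so far."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    return centroids


def kmeans(points: List[Point], k: int, max_iter: int = 100):
    """Lloyd's algorithm: assign each point to its nearest centroid, move
    each centroid to the mean of its members, stop when nothing changes.
    Returns (centroids, label per point)."""
    centroids = farthest_first(points, k)
    labels = [0] * len(points)
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda i: math.dist(p, centroids[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lbl in zip(points, labels) if lbl == i]
            new.append((fmean(x for x, _ in members), fmean(y for _, y in members))
                       if members else centroids[i])
        if new == centroids:
            break
        centroids = new
    return centroids, labels


def flag_minority_cluster(devices: Dict[str, Point], k: int = 2, max_fraction: float = 0.3) -> List[str]:
    """Bots form a small, separate cluster: flag every member of the smallest
    cluster if it holds at most `max_fraction` of all devices. Otherwise the
    split is not a clear minority and nothing is flagged."""
    names = list(devices)
    _, labels = kmeans([devices[n] for n in names], k)
    counts = [labels.count(i) for i in range(k)]
    smallest = counts.index(min(counts))
    if counts[smallest] / len(names) > max_fraction:
        return []
    return sorted(n for n, lbl in zip(names, labels) if lbl == smallest)
```
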
B. DBSCAN (Density-Based Spatial Clustering)

DBSCAN is a clustering technique that identifies botnets based on density (i.e., how close devices are to
each other in network communication).

• How it Works:
    o Groups together closely packed data points and marks outliers as anomalies.
• Pros:
    o Can detect botnets that use stealthy, low-profile communication.
• Cons:
    o Sensitive to parameter selection.
• Use Case:
    o Detecting botnets that operate intermittently by identifying small groups of suspicious traffic.

C. Autoencoders (Deep Learning)

Autoencoders are a type of neural network that learns normal traffic behavior and flags deviations.

• How it Works:
    o The model is trained to reconstruct normal traffic data.
    o Anomalies (such as botnet behavior) cause high reconstruction errors, leading to detection.
• Pros:
    o Can detect unknown or evolving botnets.
• Cons:
    o Requires significant computational resources.
• Use Case:
    o Identifying new botnets that evade traditional signature-based detection.

3. Hybrid Approaches
Combining supervised and unsupervised learning can improve accuracy in botnet detection.

A. Random Forest + K-Means

• How it Works:
    o Random Forest classifies known botnets.
    o K-Means identifies new botnet clusters.
• Use Case:
    o Detecting evolving botnets while maintaining high accuracy on known threats.

B. SVM + Autoencoder

• How it Works:
    o SVM detects structured patterns in labeled data.
    o Autoencoder detects unknown anomalies.
• Use Case:
    o Identifying both old and new botnet behaviors.

C. LSTM (Long Short-Term Memory) + CNN (Convolutional Neural Network)

• How it Works:
    o LSTM detects time-dependent patterns in traffic logs.
    o CNN identifies spatial patterns in packet payloads.
• Use Case:
    o Detecting botnets that change behavior over time (e.g., Mirai botnet).

Comparison of Algorithms

Algorithm             | Type         | Strengths                              | Weaknesses
----------------------+--------------+----------------------------------------+--------------------------
Decision Trees        | Supervised   | Fast and interpretable                 | Can overfit
Random Forest         | Supervised   | High accuracy                          | Computationally expensive
SVM                   | Supervised   | Effective in high-dimensional data     | Slow on large datasets
Neural Networks       | Supervised   | Good for complex botnets               | Requires large datasets
K-Means Clustering    | Unsupervised | Detects unknown botnets                | Needs cluster tuning
DBSCAN                | Unsupervised | Identifies hidden botnets              | Sensitive to parameters
Autoencoders          | Unsupervised | Detects advanced botnets               | High computational cost
Hybrid (RF + K-Means) | Hybrid       | Detects both known and unknown threats | Complex to implement

For well-known botnets: Use Supervised Learning (Random Forest, SVM, Neural Networks).

For unknown botnets: Use Unsupervised Learning (K-Means, Autoencoders, DBSCAN).

For best results: Use Hybrid models combining multiple techniques.

* For Extra Information

Example 1: Mirai Botnet Detection (IoT Attack)


What happened?

• The Mirai botnet infected thousands of IoT devices (like security cameras and routers).
• It used these devices to launch DDoS attacks, overloading websites and servers.
• The botnet spread by scanning the internet for devices with weak or default passwords.

How was it detected?

• Random Forest was used to analyze IoT device traffic.
• The system identified abnormal behavior, such as unusual login attempts and continuous scanning of IP addresses.
• When a device acted like a Mirai bot (scanning too much), it was flagged as infected.

Simple Explanation:

Imagine a city where security cameras behave normally. Suddenly, some cameras start making calls to
thousands of unknown locations. The system notices this strange activity and alerts security teams before
the cameras can be used in an attack.

Example 2: Spam Botnet Detection in Email Servers


What happened?

• A botnet was spreading spam emails with phishing links.
• Normal email traffic includes conversations, but spam bots send thousands of identical messages.
• Traditional spam filters failed because the botnet constantly changed email formats.

How was it detected?

• K-Means Clustering was used to analyze email patterns.
• The system grouped emails into clusters:
    o Cluster A: Normal emails with different content.
    o Cluster B: Thousands of similar emails sent at the same time.
• Emails in Cluster B were flagged as bot-generated spam.

Simple Explanation:

Imagine a school where students write unique essays. Suddenly, hundreds of students submit the exact
same essay. The teacher (ML model) notices this and marks them as copied (spam).

Example 3: Banking Botnet Attack Detection (Credential Stuffing)


What happened?

• A botnet launched a credential stuffing attack against an online banking system.
• It used stolen usernames and passwords to try logging into thousands of accounts.
• Normal users log in a few times a day, but the botnet attempted millions of logins per hour.

How was it detected?

• LSTM (Long Short-Term Memory Neural Networks) was used to monitor login behavior.
• The system flagged accounts with unusual failed login attempts from different locations.
• If an account had thousands of failed logins in minutes, it was blocked and investigated.

Simple Explanation:

Imagine a bank where customers withdraw money once or twice a day. Suddenly, one account tries to
withdraw money 10,000 times in a few minutes. The bank system detects this as a bot attack and blocks
it.

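An added example, not from the notes, of the login-pattern check in Example 3 written as a sliding-window heuristic (the kind of rule from section E.5) rather than an LSTM: an alert fires when one account collects several failed logins from several distinct source addresses inside a short window. It runs over a constructed authentication log; the log format, names, addresses and thresholds (scaled down from "thousands in minutes" to keep the sample short) are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict

# Constructed authentication log (not from a real system): alice receives a
# burst of failures from many sources within seconds; bob mistypes twice.
LOG = """\
2025-03-29T10:00:01Z user=bob src=192.0.2.10 result=FAIL
2025-03-29T10:00:09Z user=bob src=192.0.2.10 result=FAIL
2025-03-29T10:00:15Z user=bob src=192.0.2.10 result=OK
2025-03-29T10:01:00Z user=alice src=203.0.113.7 result=FAIL
2025-03-29T10:01:02Z user=alice src=203.0.113.8 result=FAIL
2025-03-29T10:01:03Z user=alice src=198.51.100.3 result=FAIL
2025-03-29T10:01:05Z user=alice src=198.51.100.4 result=FAIL
2025-03-29T10:01:06Z user=alice src=203.0.113.9 result=FAIL
2025-03-29T10:01:08Z user=alice src=203.0.113.7 result=OK
"""
LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line: str):
    """Split one log line into (timestamp, user, source address, result)."""
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_stuffing(log: str, window_s: int = 60, max_fail: int = 5,
                    min_sources: int = 3) -> Dict[str, str]:
    """Per-account sliding window of failed logins. An alert fires once an
    account accumulates `max_fail` failures from at least `min_sources`
    distinct source addresses inside `window_s` seconds. The distinct-source
    condition keeps one user fat-fingering a password from tripping it.
    Returns {account: timestamp of the first alert}."""
    recent = defaultdict(deque)      # account -> deque of (ts, src) failures
    alerts: Dict[str, str] = {}
    for line in log.splitlines():
        ts, user, src, result = parse(line)
        if result != "FAIL" or user in alerts:
            continue
        q = recent[user]
        q.append((ts, src))
        while (ts - q[0][0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if len(q) >= max_fail and len({s for _, s in q}) >= min_sources:
            alerts[user] = ts.strftime(TS_FORMAT)
    return alerts
```

Note that the alert for alice fires on the fifth failure, before the later successful login from one of the same addresses, which is the moment a defender would want to block and investigate.
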