Salting public traces with attack traffic to test flow classifiers

Z. Berkay Celik, Jayaram Raghuram, George Kesidis, David J. Miller

Research output: Contribution to conferencePaperpeer-review


We consider the problem of using flow-level data for detection of botnet command and control (C&C) activity. We find that current approaches do not consider timing-based calibration of the C&C traffic traces prior to using this traffic to salt a background traffic trace. Thus, timing-based features of the C&C traffic may be artificially distinctive, potentially leading to (unrealistically) optimistic flow classification results. In this paper, we show that round-trip times (RTT) of the C&C traffic are significantly smaller than that of the background traffic. We present a method to calibrate the timing-based features of the simulated botnet traffic by estimating eligible RTT samples from the background traffic. We then salt C&C traffic, and design flow classifiers under four scenarios: with and without calibrating timing-based features of C&C traffic, without using timing-based features, and calibrating C&C traffic only in the test set. In the flow classifier, we strive to use features that are not readily susceptible to obfuscation or tampering such as port numbers or protocol-specific information in the payload header. We discuss the results for several supervised classifiers, evaluating botnet C&C traffic precision, recall, and overall classification accuracy. Our experiments reveal to what extent the presence of timing artifacts in botnet traces leads to changes in classifier results.

Original languageEnglish (US)
StatePublished - Jan 1 2011
Event4th Workshop on Cyber Security Experimentation and Test, CSET 2011 - San Francisco, United States
Duration: Aug 8 2011 → …


Conference4th Workshop on Cyber Security Experimentation and Test, CSET 2011
Country/TerritoryUnited States
CitySan Francisco
Period8/8/11 → …

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Salting public traces with attack traffic to test flow classifiers'. Together they form a unique fingerprint.

Cite this