BotChase: Graph-based Bot Detection using Machine Learning
IEEE Transactions on Network and Service Management (IF 5.3), Pub Date: 2020-03-01, DOI: 10.1109/tnsm.2020.2972405
Abbas Abou Daya, Mohammad A. Salahuddin, Noura Limam, Raouf Boutaba

Bot detection using machine learning (ML), with network flow-level features, has been extensively studied in the literature. However, existing flow-based approaches typically incur a high computational overhead and do not completely capture the network communication patterns, which can expose additional aspects of malicious hosts. Recently, bot detection systems that leverage communication graph analysis using ML have gained attention to overcome these limitations. A graph-based approach is rather intuitive, as graphs are a true representation of network communications. In this paper, we propose BotChase, a two-phased graph-based bot detection system that leverages both unsupervised and supervised ML. The first phase prunes presumably benign hosts, while the second phase achieves bot detection with high precision. Our prototype implementation of BotChase detects multiple types of bots and exhibits robustness to zero-day attacks. It also accommodates different network topologies and is suitable for large-scale data. Compared to the state of the art, BotChase outperforms an end-to-end system that employs flow-based features and performs particularly well in an online setting.

Updated: 2020-03-01