Similar presentations:
presentation Sannikov Nikita
1.
Behavioral Analysis of WebTraffic for Automated Bot
Detection
Bachelor’s Thesis
Prepared by: Nikita Sannikov
Supervisor: Andrei Petrovskii
Innopolis, 2026
2.
Why this mattersUseful automation
Crawlers, monitoring, testing
Harmful
Scraping, credential attacks, DDoS, botnets
Automated traffic is not always bad.
Network defenders often see only flow-level metadata.
Core challenge: detect harmful automation without relying on content inspection.
Related work: Suchacka et al. [1]; Li et al. [2]; Anderson et al. [3].
2
3.
Research gap and question3
Common setup
Research gap
malicious vs benign
Positioning: flow-level metadata [3]; beyond
binary CICIDS-based attack detection [4].
Our setup
botnet vs benign, DDoS, DoS, infiltration
Research question
Can flow-level features support automated Botnet
detection when Botnet traffic must be separated from
Benign, DDoS, DoS, and Infiltration traffic?
4.
4Dataset and task design
Unit of analysis
network flow
Classes
benign, botnet, DDoS, DoS, infiltration
(after family-level class grouping)
Retained data
about 15.85M flows
Excluded from input
IPs, ports, protocol, timestamp
Dataset
CSE-CIC-IDS2018
5.
5Experimental plan
Models
→ Logistic Regression
→ SGD linear SVM
→ Random Forest
→ Random Forest unweighted
→ ExtraTrees
→ HistGradientBoosting
01
02
Balanced split
Raw distribution
Fair model
comparison under
equal class weights
Check behavior
under original
imbalance
Evaluation stages
6.
Main results: Botnet detectionBalanced split
Best controlled model: HistGradientBoosting
Macro-F1 / Accuracy: ≈0.8965
Raw distribution
Final model: Random Forest
Accuracy: 0.7710
Balanced Accuracy: 0.9223
Botnet class:
Precision 0.9538 | Recall 0.9996 | F1 0.9762
*raw distribution
6
7.
7Error analysis
Dominant error channel
Benign → Infiltration: 3,583,739 flows
Interpretation: Infiltration is not a compact traffic family.
It may include several stages: scanning, exploitation, backdoor
activity, and normal-looking flows.
Follow-up
After confirmation
60-second temporal confirmation
Accuracy: 0.7710 → 0.9659
Bal. Accuracy: 0.9223 → 0.9546
Botnet remained stable after
confirmation
8.
ConclusionAnswer to the research question
Yes, within CSE-CIC-IDS2018 and the selected protocol
Main contribution
A focused flow-level evaluation of Botnet as a separate family
Main limitation:
External validity: one main benchmark, row-wise split, no host/time-aware validation.
Future work:
More external validation and temporal/host-level context.
8
9.
Thank youfor your
attention!
10.
Bibliographical references[1] G. Suchacka, A. Cabri, S. Rovetta, and F. Masulli, “Efficient on-the-fly web
bot detection,” Knowledge-Based Systems, vol. 223, p. 107 074, Jul. 2021.
DOI: 10.1016/j.knosys.2021.107074
[2] X. Li, B. Azad, A. Rahmati, and N. Nikiforakis, “Good bot, bad bot: Characterizing automated browsing activity,” in 2021 IEEE Symposium on SP,
May 2021, pp. 1589–1605. DOI: 10.1109/SP40001.2021.00079
[3] B. Anderson, S. Paul, and D. McGrew, “Deciphering malware’s use of tls
(without decryption),” Journal of Computer Virology and Hacking Techniques, vol. 14, Aug. 2018. DOI: 10.1007/s11416-017-0306-6
[4] M.N. Goryunov, A.G. Matskevich, D.A. “Rybolovlev Synthesis of a Machine Learning Model
for Detecting Computer Attacks Based on the CICIDS2017 Dataset.“ Proceedings of the
Institute for System Programming of the RAS (Proceedings of ISP RAS). 2020;32(5):81-94.
(In Russ.) https://doi.org/10.15514/ISPRAS-2020-32(5)-6