BotNet Detection Using Hidden Markov Model within Flow Intervals

Editorial

Authors

1 Faculty of Computer Science and Information Technology, Institute for Advanced Studies in Basic Sciences, Gava Zang, Zanjan, Iran

2 Faculty of Electrical and Computer Engineering, University of Zanjan, Zanjan, Iran

3 Department of Computer and Information Technology Engineering, Urmia University of Technology, Urmia, Iran

Abstract

Botnets are among the most popular forms of malware used by cyber criminals because of their practicality in carrying out many cyber-crimes, as recent news reports show. While many detection schemes have been developed, botnets remain the most powerful attack platform because they constantly and continuously adopt new techniques and strategies. Thus, early identification and timely detection of botnets is an effective step towards building a perfect defense system. Most existing botnet detection methods cannot detect botnets in real time or in an early stage of their lifecycle, before they participate in a cyber-crime. In this work, we propose a novel approach to detecting BlackEnergy botnet traffic using a Hidden Markov Model (HMM) within flow intervals. In BlackEnergy, bots are controlled by attackers through an HTTP-based command and control (C&C) infrastructure. First, we analyze BlackEnergy's network traffic and extract its main features and network behavior patterns. Then we adapt the proposed HMM to BlackEnergy's botnet patterns and features. In addition to detecting the botnet communication traffic in both the Attack and C&C stages, the inferred HMM also identifies the stage of the botnet lifecycle. Our proposed method detects botnet activity in small time intervals without having seen a complete network flow. Using existing datasets, we show experimentally that it is possible to identify the presence of botnet activity with high accuracy even in very small time windows.
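The following is an added illustration, not code or parameters from the paper: a small HMM whose hidden states are lifecycle stages (Benign, C&C, Attack) and whose observations are one discretized feature per flow interval, decoded with Viterbi over a short window so each interval gets a stage label before any flow completes. The state set, the interval features, the discretization thresholds, and all probabilities are assumed placeholders (the paper learns its parameters from BlackEnergy traces; those values are not given here).

```python
import math

# Hidden states: lifecycle stages the HMM should infer (assumed set, not the paper's).
STATES = ["Benign", "CnC", "Attack"]

# Assumed, hand-picked parameters for illustration only; not the trained values from the paper.
START = {"Benign": 0.90, "CnC": 0.08, "Attack": 0.02}
TRANS = {
    "Benign": {"Benign": 0.90, "CnC": 0.09, "Attack": 0.01},
    "CnC":    {"Benign": 0.15, "CnC": 0.70, "Attack": 0.15},
    "Attack": {"Benign": 0.15, "CnC": 0.15, "Attack": 0.70},
}
# Observation symbols per flow interval: "low" = few ordinary flows,
# "beacon" = periodic small HTTP flows (C&C polling), "burst" = many flows at a high rate (flood).
EMIT = {
    "Benign": {"low": 0.80, "beacon": 0.15, "burst": 0.05},
    "CnC":    {"low": 0.20, "beacon": 0.75, "burst": 0.05},
    "Attack": {"low": 0.05, "beacon": 0.15, "burst": 0.80},
}

def discretize(interval):
    """Map one interval's (flow_count, avg_bytes_per_flow, periodic) to a symbol; thresholds are assumed."""
    flows, avg_bytes, periodic = interval
    if flows >= 50:
        return "burst"
    if periodic and avg_bytes < 600:
        return "beacon"
    return "low"

def viterbi(observations):
    """Most likely stage sequence for a window of observations (log-space Viterbi decoding)."""
    lp = lambda p: math.log(p) if p > 0 else float("-inf")
    score = {s: lp(START[s]) + lp(EMIT[s][observations[0]]) for s in STATES}
    back = []  # back[t] maps each state at step t+1 to its best predecessor at step t
    for o in observations[1:]:
        nxt, ptr = {}, {}
        for s in STATES:
            prev, best = max(((p, score[p] + lp(TRANS[p][s])) for p in STATES), key=lambda t: t[1])
            nxt[s] = best + lp(EMIT[s][o])
            ptr[s] = prev
        score, back = nxt, back + [ptr]
    path = [max(STATES, key=lambda s: score[s])]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]

def classify_window(intervals):
    """Label every flow interval with its inferred stage; the window is flagged if any stage is non-benign."""
    stages = viterbi([discretize(i) for i in intervals])
    return stages, any(s != "Benign" for s in stages)

# Constructed sample window: a host that polls a C&C server and then launches a flood.
SAMPLE = [(4, 1200, False), (3, 300, True), (2, 280, True), (90, 90, False), (120, 80, False), (5, 900, False)]
```

Each interval is labelled from the interval-level feature alone, so the decision is available after a few short windows rather than after a flow ends.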

Keywords
