Botnet Fingerprinting: a Frequency Distributions Scheme for Lightweight Bot Detection

Autor: Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci
Přispěvatelé: Phare, LIP6, Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS), THALES, CEDRIC. Réseaux et Objets Connectés (CEDRIC - ROC), Centre d'études et de recherche en informatique et communications (CEDRIC), Ecole Nationale Supérieure d'Informatique pour l'Industrie et l'Entreprise (ENSIIE)-Conservatoire National des Arts et Métiers [CNAM] (CNAM)-Ecole Nationale Supérieure d'Informatique pour l'Industrie et l'Entreprise (ENSIIE)-Conservatoire National des Arts et Métiers [CNAM] (CNAM)
Jazyk: angličtina
Rok vydání: 2020
Předmět:
Zdroj: IEEE Transactions on Network and Service Management
IEEE Transactions on Network and Service Management, IEEE, In press, 17 (3), pp.1701-1714. ⟨10.1109/TNSM.2020.2996502⟩
ISSN: 1932-4537
Popis: International audience; Efficient bot detection is a crucial security matter and widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graph-based features, incurring however in scalability issues, with high time and space complexity. Bots exhibit specific communication patterns: they use particular protocols, contact specific domains, hence can be identified by analyzing their communication with the outside. A way we follow to simplify the communication graph and avoid scalability issues is looking at frequency distributions of protocol attributes capturing the specificity of botnets behaviour. We propose a bot detection technique named BotFP, for BotFin-gerPrinting, which acts by (i) characterizing hosts behaviour with attribute frequency distribution signatures, (ii) learning benign hosts and bots behaviours through either clustering or supervised Machine Learning (ML), and (iii) classifying new hosts either as bots or benign ones, using distances to labelled clusters or relying on a ML algorithm. We validate BotFP on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Compared to state-of-the-art techniques, we show that BotFP is more lightweight, can handle large amounts of data, and shows better accuracy.
Databáze: OpenAIRE