Botnet traffic detection using hidden Markov models

We develop a novel approach to detecting botnet traffic using hidden Markov models (HMMs). Botnets are becoming a major source of spam, distributed denial-of-service (DDoS) attacks and other cybercrime [21]. Analogs of botnets are likely to become threats to supervisory control and data acquisition (SCADA) and smart grid systems [19]. Malware that spies on and subverts SCADA systems, or their analogs, has recently been found [4]. More sabotage and cyberattacks on the energy infrastructure are expected [2], [3], so detecting attacks on that infrastructure is important. In this work, we detect node corruption by Zeus, the largest botnet in the wild. In Zeus, bots are controlled by attackers through a centralized command and control (C&C) infrastructure. We infer hidden Markov models from Zeus botnet traffic timing data: inter-packet timings are determined by bot behavior, and C&C communication patterns are usually similar across bots. The inferred HMMs detect the botnet's C&C traffic. Experimental results on real-world traffic data show that this approach accurately distinguishes botnet traffic from normal traffic.
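The pipeline the abstract sketches, written out as an added example (this is not the paper's code, and it does not reproduce the paper's own HMM inference method): inter-packet gaps are quantized into timing symbols, one discrete-emission HMM per traffic class is inferred from a labelled timing sequence, and a traffic window is labelled by whichever model assigns it the higher per-symbol log-likelihood. The bin edges, the two-state models, the use of Baum-Welch as the inference step, and the synthetic gap generators (constructed stand-ins for captured traffic) are all assumptions made for this example.

```python
import math
import random

# Assumed bin edges (seconds): a gap maps to the number of edges it exceeds,
# giving six symbols from sub-50 ms bursts up to gaps longer than two minutes.
BIN_EDGES = [0.05, 0.5, 5.0, 30.0, 120.0]
N_SYMBOLS = len(BIN_EDGES) + 1

def quantize(gaps):
    """Map inter-packet gaps (seconds) to discrete symbols 0..N_SYMBOLS-1."""
    return [sum(1 for e in BIN_EDGES if g > e) for g in gaps]

def _norm(v):
    return [x / sum(v) for x in v]

class DiscreteHMM:
    """Discrete-emission HMM with scaled forward/backward and Baum-Welch fitting."""

    def __init__(self, n_states, n_symbols, rng):
        self.n, self.m = n_states, n_symbols
        self.pi = _norm([rng.random() + 0.5 for _ in range(n_states)])
        self.A = [_norm([rng.random() + 0.5 for _ in range(n_states)]) for _ in range(n_states)]
        self.B = [_norm([rng.random() + 0.5 for _ in range(n_symbols)]) for _ in range(n_states)]

    def _forward(self, obs):
        # alpha[t] is normalised to sum 1; scale[t] = P(o_t | o_1..o_{t-1}).
        T = len(obs)
        alpha, scale = [[0.0] * self.n for _ in range(T)], [0.0] * T
        for t in range(T):
            for j in range(self.n):
                prev = self.pi[j] if t == 0 else sum(alpha[t - 1][i] * self.A[i][j] for i in range(self.n))
                alpha[t][j] = prev * self.B[j][obs[t]]
            scale[t] = sum(alpha[t])
            alpha[t] = [a / scale[t] for a in alpha[t]]
        return alpha, scale

    def _backward(self, obs, scale):
        T = len(obs)
        beta = [[1.0] * self.n for _ in range(T)]
        for t in range(T - 2, -1, -1):
            for i in range(self.n):
                beta[t][i] = sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                 for j in range(self.n)) / scale[t + 1]
        return beta

    def log_likelihood(self, obs):
        """log P(obs | model), accumulated from the forward scale factors."""
        return sum(math.log(s) for s in self._forward(obs)[1])

    def fit(self, obs, iters=25, pseudo=1e-3):
        """Baum-Welch EM; pseudo-counts keep every symbol's probability above zero."""
        T = len(obs)
        for _ in range(iters):
            alpha, scale = self._forward(obs)
            beta = self._backward(obs, scale)
            # With this scaling alpha*beta is already the state posterior gamma[t][i].
            gamma = [_norm([alpha[t][i] * beta[t][i] for i in range(self.n)]) for t in range(T)]
            a_num = [[pseudo] * self.n for _ in range(self.n)]
            b_num = [[pseudo] * self.m for _ in range(self.n)]
            for t in range(T - 1):
                for i in range(self.n):
                    for j in range(self.n):  # xi[t][i][j]: posterior of the i->j transition at t
                        a_num[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]]
                                        * beta[t + 1][j] / scale[t + 1])
            for t in range(T):
                for i in range(self.n):
                    b_num[i][obs[t]] += gamma[t][i]
            self.pi = _norm([g + pseudo for g in gamma[0]])
            self.A = [_norm(row) for row in a_num]
            self.B = [_norm(row) for row in b_num]

def synth_botnet_gaps(rng, n):
    """Constructed sample: ~60 s check-in with jitter, sometimes a quick follow-up."""
    gaps = []
    for _ in range(n):
        gaps.append(rng.uniform(55.0, 65.0))
        if rng.random() < 0.3:
            gaps.append(rng.uniform(0.1, 0.4))
    return gaps

def synth_normal_gaps(rng, n):
    """Constructed sample: bursty interactive traffic, exponential gaps (mean 3 s)."""
    return [rng.expovariate(1.0 / 3.0) for _ in range(n)]

def train_detector(botnet_gaps, normal_gaps, seed=0):
    """Infer one HMM per traffic class from that class's timing sequence."""
    rng = random.Random(seed)
    models = {}
    for label, gaps in (("botnet", botnet_gaps), ("normal", normal_gaps)):
        models[label] = DiscreteHMM(2, N_SYMBOLS, rng)
        models[label].fit(quantize(gaps))
    return models

def classify(models, gaps):
    """Return (label, per-symbol log-likelihood per model) for one traffic window."""
    obs = quantize(gaps)
    scores = {lab: m.log_likelihood(obs) / len(obs) for lab, m in models.items()}
    return max(scores, key=scores.get), scores
```

Two details matter in practice. Likelihoods are divided by the window length so that windows of different sizes are comparable, and the M-step adds pseudo-counts so that a timing symbol never seen during training is penalised heavily instead of producing log(0) and a NaN score; the same guard matters whenever a model inferred from one capture is applied to traffic from another network.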

[1] Thad Starner et al. Visual Recognition of American Sign Language Using Hidden Markov Models. 1995.

[2] James P. Crutchfield et al. Computational Mechanics: Pattern and Prediction, Structure and Simplicity. arXiv, 1999.

[3] Ali A. Ghorbani et al. Automatic discovery of botnet communities on large-scale communication networks. ASIACCS '09, 2009.

[4] Harikrishnan Bhanu et al. Timing Side-Channel Attacks on SSH. 2010.

[5] Satish T. S. Bukkapatnam et al. Zero knowledge hidden Markov model inference. Pattern Recognition Letters, 2009.

[6] James P. Crutchfield et al. An Algorithm for Pattern Discovery in Time Series. arXiv, 2002.

[7] Lawrence R. Rabiner et al. A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE, 1989.

[8] Jason M. Schwier et al. Inferring Statistically Significant Hidden Markov Models. IEEE Transactions on Knowledge and Data Engineering, 2013.

[9] K. Kiguchi et al. Modular fuzzy-neuro controller driven by spoken language commands. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), 2004.

[10] C. Wilson. Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. 2008.

[11] Jin Hyung Kim et al. Network-based approach to online cursive script recognition. IEEE Transactions on Systems, Man, and Cybernetics, Part B, 1999.

[12] Yong Wang et al. Computational Intelligence Algorithms Analysis for Smart Grid Cyber Security. ICSI, 2010.

[13] Jason M. Schwier et al. Behavior Detection Using Confidence Intervals of Hidden Markov Models. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), 2009.