A discovery of sequential attack patterns of malware in botnets

More than 90 independent honeypots have observed malware traffic on the Japanese tier-1 backbone. Typical attacks were made by multiple servers coordinating to send many kinds of malware. This paper aims to discover frequent new sequential attack patterns of malware. It is not easy to identify particular patterns in one year of logs because the dataset is too large to investigate one record at a time. To overcome this problem, this paper proposes a data mining approach, the PrefixSpan method. We implement the PrefixSpan algorithm to analyze the malware footprints and show the experimental results. The analysis shows that the attacks are performed by multiple sequential attack patterns within a short amount of time.
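As an added illustration, not code from the paper, the following Python implements the PrefixSpan idea described above over a constructed honeypot download log: events are grouped per honeypot into time-ordered sequences (the gap-based windowing, honeypot ids, malware family labels and timings are all assumptions of this example), and prefix projection then grows every ordered pattern whose support reaches a minimum number of sequences.

```python
from collections import Counter, defaultdict

# Constructed sample log: (honeypot id, seconds since start, malware family).
# Ids, families and timings are made up for this example.
EVENTS = [
    ("hp01", 0, "Downloader.A"), ("hp01", 40, "Bot.X"), ("hp01", 90, "Spam.Z"),
    ("hp02", 10, "Downloader.A"), ("hp02", 35, "Bot.X"), ("hp02", 60, "Worm.Q"),
    ("hp02", 120, "Spam.Z"), ("hp03", 5, "Scanner.M"), ("hp03", 50, "Downloader.A"),
    ("hp03", 70, "Bot.X"), ("hp04", 0, "Downloader.A"), ("hp04", 30, "Spam.Z"),
    ("hp05", 0, "Worm.Q"), ("hp05", 20, "Bot.X"),
    ("hp05", 5000, "Downloader.A"),  # long gap: starts a new sequence for hp05
]

def build_sequences(events, max_gap):
    """Group events per honeypot in time order; start a new sequence whenever
    consecutive events are more than max_gap seconds apart (assumed windowing)."""
    by_hp = defaultdict(list)
    for hp, ts, fam in events:
        by_hp[hp].append((ts, fam))
    sequences = []
    for hp in sorted(by_hp):
        current, last_ts = [], None
        for ts, fam in sorted(by_hp[hp]):
            if last_ts is not None and ts - last_ts > max_gap:
                sequences.append(current)  # gap too long: close this sequence
                current = []
            current.append(fam)
            last_ts = ts
        sequences.append(current)
    return sequences

def project(db, item):
    """Prefix projection: keep the suffix after the first `item` of each sequence."""
    return [seq[seq.index(item) + 1:] for seq in db if item in seq]

def prefixspan(db, min_support):
    """Return {pattern: support}; support is the number of sequences that contain
    the pattern's items in that order (not necessarily adjacent)."""
    results = {}
    def grow(prefix, projected):
        counts = Counter()
        for seq in projected:
            counts.update(set(seq))  # count each item once per sequence
        for item, support in counts.items():
            if support >= min_support:
                pattern = prefix + (item,)
                results[pattern] = support
                grow(pattern, project(projected, item))
    grow((), db)
    return results
```

With `prefixspan(build_sequences(EVENTS, 300), 3)` the sample yields five frequent patterns, including the two-step chains Downloader.A then Bot.X and Downloader.A then Spam.Z, while Bot.X then Spam.Z falls below the threshold.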
