
BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior

Alahmadi, BA; Mariconti, E; Spolaor, R; Stringhini, G; Martinovic, I; (2020) BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior. In: ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. (pp. 652-664). ACM: Taipei, Taiwan. Green open access

File: botection-asiaccs2020.pdf - Published Version (3MB)

Abstract

Botnets continue to be a threat to organizations, and various machine learning-based botnet detectors have therefore been proposed. However, the capability of such systems to detect new or unseen botnets is crucial to ensure their robustness against the rapid evolution of botnets. Such robustness also prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models bot network flow behavior as a Markov Chain. The Markov Chain state transitions capture the bots' network behavior using high-level flow features as states, producing content-agnostic and encryption-resilient behavioral features. These features are used to train a classifier that first detects flows produced by bots and then identifies their bot families. We evaluate our system on a dataset of over 7M malicious flows from 12 botnet families, showing its capability of detecting bots' network traffic with a 99.78% F-measure and classifying it into a malware family with a 99.09% F-measure. Notably, because the Markov Chains model general bot network behavior, BOTection can detect traffic belonging to unseen bot families with an F-measure of 93.03%, making it robust against malware evolution.
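The pipeline the abstract describes, as an added Python example that is not code from the paper or its authors: each flow is reduced to a coarse state from header-level metadata only (the state alphabet here, built from transport protocol, destination-port class and an outbound-byte bucket, is an assumption; the paper's actual states are not given on this page), consecutive states are turned into an estimated transition matrix P(next | current) that is flattened into a feature vector, and a classifier is applied in two stages, bot versus benign and then family. The nearest-centroid classifier, the fictional "beacon" and "spam" families and all flow samples are constructed for illustration and stand in for the paper's trained classifier and dataset.

```python
"""Flow-level Markov-chain features and a two-stage nearest-centroid classifier.

Added example for this page, not BOTection's own code. The state alphabet, the
flow samples and the centroid classifier are constructed assumptions; the paper's
actual states, dataset and classifier are not given on this page.
"""
from collections import Counter
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

Flow = Tuple[str, int, int]  # (transport protocol, destination port, outbound bytes)

PORT_CLASSES = {53: "dns", 80: "http", 443: "tls", 25: "smtp"}
SIZE_BUCKETS = (("small", 300), ("medium", 5000), ("large", None))  # exclusive upper bounds


def flow_state(flow: Flow) -> str:
    """Reduce one flow to a coarse state built only from header-level metadata.
    Payload is never read, so the state is identical for plaintext and TLS flows."""
    proto, dport, out_bytes = flow
    port_class = PORT_CLASSES.get(dport, "other")
    for name, upper in SIZE_BUCKETS:
        if upper is None or out_bytes < upper:
            return f"{proto}:{port_class}:{name}"
    raise ValueError(f"no size bucket for {out_bytes}")


# Fixed alphabet so every sample's feature vector has the same layout (30 states).
STATES = [
    f"{p}:{c}:{s}"
    for p, c, s in product(("tcp", "udp"),
                           sorted(set(PORT_CLASSES.values())) + ["other"],
                           [name for name, _ in SIZE_BUCKETS])
]
INDEX = {s: i for i, s in enumerate(STATES)}


def transition_features(flows: Sequence[Flow]) -> List[float]:
    """Estimate P(next state | current state) from consecutive flows and flatten
    the |STATES| x |STATES| matrix into one vector (row = current, col = next).
    Rows for states never observed as 'current' stay all-zero."""
    states = [flow_state(f) for f in flows]
    pair_counts = Counter(zip(states, states[1:]))
    row_totals = Counter(states[:-1])
    n = len(STATES)
    vec = [0.0] * (n * n)
    for (cur, nxt), count in pair_counts.items():
        vec[INDEX[cur] * n + INDEX[nxt]] = count / row_totals[cur]
    return vec


def fit_centroids(samples: Dict[str, List[Sequence[Flow]]]) -> Dict[str, List[float]]:
    """Mean feature vector per label: a minimal stand-in for a trained classifier."""
    centroids = {}
    for label, flow_lists in samples.items():
        vecs = [transition_features(f) for f in flow_lists]
        centroids[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return centroids


def nearest(vec: List[float], centroids: Dict[str, List[float]]) -> str:
    """Label whose centroid is closest in squared Euclidean distance."""
    return min(centroids,
               key=lambda lbl: sum((a - b) ** 2 for a, b in zip(vec, centroids[lbl])))


def classify(flows: Sequence[Flow], stage1: Dict[str, List[float]],
             families: Dict[str, List[float]]) -> Tuple[str, Optional[str]]:
    """Stage 1: bot vs benign. Stage 2 (bots only): which family."""
    vec = transition_features(flows)
    if nearest(vec, stage1) == "benign":
        return ("benign", None)
    return ("bot", nearest(vec, families))


# Constructed flows (assumed values): (proto, dport, outbound bytes).
DNS, HTTP_S, HTTP_M = ("udp", 53, 70), ("tcp", 80, 210), ("tcp", 80, 1200)
TLS_M, TLS_L, SMTP_L = ("tcp", 443, 2400), ("tcp", 443, 48000), ("tcp", 25, 65000)


def repeat(cycle: List[Flow], n: int) -> List[Flow]:
    """Repeat a flow cycle n times and close it, so every cycle transition is counted."""
    return cycle * n + cycle[:1]


TRAIN = {  # constructed training data: two fictional bot families plus browsing
    "benign": [repeat([DNS, TLS_M, TLS_L, TLS_M, HTTP_M, TLS_L], 20),
               repeat([DNS, HTTP_M, HTTP_M, TLS_L, TLS_M], 20)],
    "beacon": [repeat([DNS, HTTP_S, HTTP_S, HTTP_S], 30)],  # periodic small HTTP check-ins
    "spam":   [repeat([DNS, SMTP_L], 50)],                  # MX lookup then bulk SMTP
}
HELD_OUT_BEACON = repeat([DNS, HTTP_S, HTTP_S, HTTP_S, HTTP_S], 25)  # same family, new cadence
HELD_OUT_BENIGN = repeat([DNS, TLS_M, TLS_L, TLS_M, DNS, HTTP_M, HTTP_M, TLS_L], 15)


def build_model(train: Dict[str, List[List[Flow]]] = TRAIN):
    """Fit the bot-vs-benign centroids (all families pooled) and the per-family centroids."""
    families = {k: v for k, v in train.items() if k != "benign"}
    stage1 = fit_centroids({"benign": train["benign"],
                            "bot": [s for v in families.values() for s in v]})
    return stage1, fit_centroids(families)


if __name__ == "__main__":
    stage1, family_centroids = build_model()
    for name, sample in (("held-out beacon", HELD_OUT_BEACON),
                         ("held-out benign", HELD_OUT_BENIGN)):
        print(name, "->", classify(sample, stage1, family_centroids))
```

Run as a script, the held-out beacon sample is labelled ("bot", "beacon") and the held-out browsing sample ("benign", None), even though neither sequence appears in the training data: only the transition probabilities, not the exact flow order, are compared. Two caveats for anyone adapting this: the 93.03% unseen-family figure is the paper's result on its own dataset and is not reproduced by this toy, and with a distance-to-centroid rule a family whose states are disjoint from every training state would be decided by centroid norms alone, which is why the state alphabet has to be coarse enough that a new family reuses states already seen in training.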

Type: Proceedings paper
Title: BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior
Event: 15th ACM Asia Conference on Computer and Communications Security
ISBN-13: 9781450367509
Open access status: An open access version is available from UCL Discovery
DOI: 10.1145/3320269.3372202
Publisher version: https://doi.org/10.1145/3320269.3372202
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: Malware; Botnet; Network Security; Malware Detection
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
URI: https://discovery.ucl.ac.uk/id/eprint/10116951