The Early Bird Gets the Botnet

A Markov Chain Based Early Warning System for Botnet Attacks

Zainab Abaid, Dilip Sarkar, Mohamed Ali Kaafar, Sanjay Jha

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Citations (Scopus)

Abstract

Botnet threats include a plethora of possible attacks ranging from distributed denial of service (DDoS), to drive-by-download malware distribution and spam. While for over two decades, techniques have been proposed for either improving accuracy or speeding up the detection of attacks, much of the damage is done by the time attacks are contained. In this work we take a new direction which aims to predict forthcoming attacks (i.e. before they occur), providing early warnings to network administrators who can then prepare to contain them as soon as they manifest or simply quarantine hosts. Our approach is based on modelling the Botnet infection sequence as a Markov chain with the objective of identifying behaviour that is likely to lead to attacks. We present the results of applying a Markov model to real world Botnets' data, and show that with this approach we are successfully able to predict more than 98% of attacks from a variety of Botnet families with a very low false alarm rate.
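The abstract describes modelling a host's infection sequence as a Markov chain and raising an early warning when the observed behaviour is likely to lead to an attack. The Python below is an added illustration written for this page, not the authors' code or data: it assumes a constructed four-state behaviour alphabet (`cnc`, `scan`, `download`, `attack`) and constructed per-host sequences, fits a first-order transition matrix from them, computes the probability of reaching the absorbing attack state within a given horizon, and alerts when that risk crosses a threshold. It also reports the two measures the abstract uses, the share of attack sequences warned about before the attack and the false-alarm rate on benign sequences.

```python
"""Markov-chain early warning for botnet infection sequences (illustrative example)."""
from collections import defaultdict

ATTACK = "attack"

# Assumed, constructed behaviour states; the paper's own state set is not given here.
STATES = ["cnc", "scan", "download", ATTACK]

# Constructed per-host behaviour sequences used as training data (not the paper's data).
TRAIN = [
    ["cnc", "scan", "download", ATTACK],
    ["cnc", "scan", "cnc", "scan", "download", ATTACK],
    ["cnc", "cnc", "scan", "cnc"],
    ["scan", "scan", "cnc"],
]


def fit_transitions(sequences, states=STATES, alpha=0.0):
    """Estimate a first-order transition matrix T[s][t] from state sequences.

    alpha is an additive (Laplace) smoothing count. The attack state is treated
    as absorbing, so an attack once reached is never 'undone' by the chain."""
    counts = {s: defaultdict(float) for s in states}
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1.0
    T = {}
    for s in states:
        if s == ATTACK:
            T[s] = {t: (1.0 if t == ATTACK else 0.0) for t in states}
            continue
        total = sum(counts[s].values()) + alpha * len(states)
        if total == 0:
            # No evidence for this state at all: assume it stays where it is.
            T[s] = {t: (1.0 if t == s else 0.0) for t in states}
        else:
            T[s] = {t: (counts[s][t] + alpha) / total for t in states}
    return T


def attack_risk(T, state, horizon):
    """P(reach ATTACK within `horizon` steps | current state), by backward recursion:
    p_0(s) = [s == ATTACK], p_h(s) = sum_t T[s][t] * p_{h-1}(t)."""
    p = {s: (1.0 if s == ATTACK else 0.0) for s in T}
    for _ in range(horizon):
        p = {s: sum(T[s][t] * p[t] for t in T) for s in T}
        p[ATTACK] = 1.0
    return p[state]


def first_alert(T, seq, horizon, threshold):
    """Index of the first observation whose risk reaches the threshold, or None.

    Only observations strictly before the attack count as an early warning;
    alerting on the attack itself is detection, not prediction."""
    for i, s in enumerate(seq):
        if s == ATTACK:
            return None
        if attack_risk(T, s, horizon) >= threshold:
            return i
    return None


def evaluate(T, sequences, horizon, threshold):
    """(detection rate over attack sequences, false-alarm rate over benign ones)."""
    hits = attacks = alarms = benign = 0
    for seq in sequences:
        alerted = first_alert(T, seq, horizon, threshold) is not None
        if ATTACK in seq:
            attacks += 1
            hits += alerted
        else:
            benign += 1
            alarms += alerted
    return (hits / attacks if attacks else 0.0,
            alarms / benign if benign else 0.0)


if __name__ == "__main__":
    T = fit_transitions(TRAIN)
    for s in STATES:
        print(f"{s:>9}: P(attack within 3 steps) = {attack_risk(T, s, 3):.3f}")
    # Constructed held-out sequences for the two summary measures.
    test = [["cnc", "scan", "download", ATTACK], ["scan", "cnc"],
            ["cnc", "cnc"], ["download", ATTACK]]
    print("detection rate, false-alarm rate:", evaluate(T, test, 2, 0.3))
```

The horizon and threshold are the operational knobs: a short horizon with a high threshold warns late but rarely falsely, a long horizon with a low threshold warns early at the cost of more false alarms on hosts that only ever contact a controller or scan. A first-order chain also assumes the next behaviour depends only on the current one; a longer history would need higher-order states.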

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016
Publisher: IEEE Computer Society
Pages: 61-68
Number of pages: 8
ISBN (Electronic): 9781509020546
DOI: https://doi.org/10.1109/LCN.2016.17
State: Published - Dec 22 2016
Event: 41st IEEE Conference on Local Computer Networks, LCN 2016 - Dubai, United Arab Emirates
Duration: Nov 7 2016 to Nov 10 2016

Other

Other: 41st IEEE Conference on Local Computer Networks, LCN 2016
Country: United Arab Emirates
City: Dubai
Period: 11/7/16 to 11/10/16

Fingerprint

Alarm systems
Markov processes
Botnet

Keywords

  • attack prediction
  • botnet
  • markov chain

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture

Cite this

Abaid, Z., Sarkar, D., Kaafar, M. A., & Jha, S. (2016). The Early Bird Gets the Botnet: A Markov Chain Based Early Warning System for Botnet Attacks. In Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016 (pp. 61-68). [7796763] IEEE Computer Society. https://doi.org/10.1109/LCN.2016.17

The Early Bird Gets the Botnet : A Markov Chain Based Early Warning System for Botnet Attacks. / Abaid, Zainab; Sarkar, Dilip; Kaafar, Mohamed Ali; Jha, Sanjay.

Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016. IEEE Computer Society, 2016. p. 61-68 7796763.


Abaid, Z, Sarkar, D, Kaafar, MA & Jha, S 2016, The Early Bird Gets the Botnet: A Markov Chain Based Early Warning System for Botnet Attacks. in Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016., 7796763, IEEE Computer Society, pp. 61-68, 41st IEEE Conference on Local Computer Networks, LCN 2016, Dubai, United Arab Emirates, 11/7/16. https://doi.org/10.1109/LCN.2016.17
Abaid Z, Sarkar D, Kaafar MA, Jha S. The Early Bird Gets the Botnet: A Markov Chain Based Early Warning System for Botnet Attacks. In Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016. IEEE Computer Society. 2016. p. 61-68. 7796763 https://doi.org/10.1109/LCN.2016.17
Abaid, Zainab ; Sarkar, Dilip ; Kaafar, Mohamed Ali ; Jha, Sanjay. / The Early Bird Gets the Botnet : A Markov Chain Based Early Warning System for Botnet Attacks. Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016. IEEE Computer Society, 2016. pp. 61-68
@inproceedings{1db07672be3f41debcd83f03db67cd7a,
title = "The Early Bird Gets the Botnet: A Markov Chain Based Early Warning System for Botnet Attacks",
abstract = "Botnet threats include a plethora of possible attacks ranging from distributed denial of service (DDoS), to drive-by-download malware distribution and spam. While for over two decades, techniques have been proposed for either improving accuracy or speeding up the detection of attacks, much of the damage is done by the time attacks are contained. In this work we take a new direction which aims to predict forthcoming attacks (i.e. before they occur), providing early warnings to network administrators who can then prepare to contain them as soon as they manifest or simply quarantine hosts. Our approach is based on modelling the Botnet infection sequence as a Markov chain with the objective of identifying behaviour that is likely to lead to attacks. We present the results of applying a Markov model to real world Botnets' data, and show that with this approach we are successfully able to predict more than 98{\%} of attacks from a variety of Botnet families with a very low false alarm rate.",
keywords = "attack prediction, botnet, markov chain",
author = "Zainab Abaid and Dilip Sarkar and Kaafar, {Mohamed Ali} and Sanjay Jha",
year = "2016",
month = "12",
day = "22",
doi = "10.1109/LCN.2016.17",
language = "English (US)",
pages = "61--68",
booktitle = "Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016",
publisher = "IEEE Computer Society",
}

TY - GEN

T1 - The Early Bird Gets the Botnet

T2 - A Markov Chain Based Early Warning System for Botnet Attacks

AU - Abaid, Zainab

AU - Sarkar, Dilip

AU - Kaafar, Mohamed Ali

AU - Jha, Sanjay

PY - 2016/12/22

Y1 - 2016/12/22

N2 - Botnet threats include a plethora of possible attacks ranging from distributed denial of service (DDoS), to drive-by-download malware distribution and spam. While for over two decades, techniques have been proposed for either improving accuracy or speeding up the detection of attacks, much of the damage is done by the time attacks are contained. In this work we take a new direction which aims to predict forthcoming attacks (i.e. before they occur), providing early warnings to network administrators who can then prepare to contain them as soon as they manifest or simply quarantine hosts. Our approach is based on modelling the Botnet infection sequence as a Markov chain with the objective of identifying behaviour that is likely to lead to attacks. We present the results of applying a Markov model to real world Botnets' data, and show that with this approach we are successfully able to predict more than 98% of attacks from a variety of Botnet families with a very low false alarm rate.

AB - Botnet threats include a plethora of possible attacks ranging from distributed denial of service (DDoS), to drive-by-download malware distribution and spam. While for over two decades, techniques have been proposed for either improving accuracy or speeding up the detection of attacks, much of the damage is done by the time attacks are contained. In this work we take a new direction which aims to predict forthcoming attacks (i.e. before they occur), providing early warnings to network administrators who can then prepare to contain them as soon as they manifest or simply quarantine hosts. Our approach is based on modelling the Botnet infection sequence as a Markov chain with the objective of identifying behaviour that is likely to lead to attacks. We present the results of applying a Markov model to real world Botnets' data, and show that with this approach we are successfully able to predict more than 98% of attacks from a variety of Botnet families with a very low false alarm rate.

KW - attack prediction

KW - botnet

KW - markov chain

UR - http://www.scopus.com/inward/record.url?scp=85010064676&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85010064676&partnerID=8YFLogxK

U2 - 10.1109/LCN.2016.17

DO - 10.1109/LCN.2016.17

M3 - Conference contribution

SP - 61

EP - 68

BT - Proceedings - 2016 IEEE 41st Conference on Local Computer Networks, LCN 2016

PB - IEEE Computer Society

ER -