Split-and-Merge: Detecting Unknown Botnets

Agathe Blaise (1), Mathieu Bouet (2), Stefano Secci (3), Vania Conan (2)
(1) Phare, LIP6
(3) CEDRIC - ROC (Réseaux et Objets Connectés), CEDRIC - Centre d'études et de recherche en informatique et communications
Abstract: On September 20th, 2016, Mirai struck the Internet in a massive surprise attack. This is but one example of an unknown botnet, neither detected nor mitigated at the time it struck. Current anomaly detection techniques can only detect such botnets after they have spread. However, such attacks are generally preceded by several stages, including infection of hosts or fingerprinting of devices, and being able to capture this activity would allow their early detection. In this paper, we propose a strategy aimed at the early detection of unknown botnets, which acts by (i) splitting and merging distributed monitoring data and related metrics, and (ii) monitoring at the port level with a simple yet efficient change-detection algorithm based on a modified Z-score measure. The analysis of port usage is first split over different parts of the network, and then merged to retain only similar anomalies. This ensures detection of large-scale attacks and drastically reduces false positives. We validate the approach on the MAWI data set, which provides daily traces of a transpacific backbone link. We demonstrate that the solution generates a very low number of false positives. We show how it detects some of the main attacks (including Mirai) that have arisen over the last three years and that traditional anomaly detectors have not seen. Details about the noticed anomalies are provided to help the administrator qualify them through specific features.
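The abstract describes the split-and-merge pipeline only at a high level. The following is an added illustration of the idea, written for this record and not code from the paper or its authors: a modified Z-score (the Iglewicz-Hoaglin form, 0.6745 * (x - median) / MAD, with a 3.5 cut-off) is run per port on daily counts inside each network part, and the per-part flags are then merged so that only anomalies seen in a majority of parts survive. The scoring formula, threshold, history window, majority rule, and all sample counts are assumptions constructed for the example; the paper's own choices are not on this page.

```python
"""Split-and-merge port-level change detection with a modified Z-score.

Illustrative example, not the paper's implementation. The score is the
Iglewicz-Hoaglin modified Z-score; the 3.5 cut-off, the 7-day history
window and the majority merge rule are assumptions.
"""
from statistics import median
from typing import Dict, List, Tuple

Z_THRESHOLD = 3.5   # conventional modified-Z cut-off (assumption)
WINDOW = 7          # days of history used as the baseline (assumption)
MIN_PARTS = 2       # an anomaly must be seen in >= 2 of 3 parts (assumption)


def modified_zscore(history: List[float], value: float) -> float:
    """Modified Z-score of `value` against `history` (median / MAD based).

    The MAD can be zero when the baseline is flat; in that case any
    departure from the median is reported as infinite and no departure as 0.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect_per_part(series: Dict[int, List[int]],
                    window: int = WINDOW,
                    z_thresh: float = Z_THRESHOLD) -> Dict[int, List[int]]:
    """Split stage: run the detector inside one network part.

    `series` maps a destination port to its daily counts. Returns a map
    port -> list of day indices whose count deviates from the preceding
    `window` days by more than `z_thresh`.
    """
    flagged: Dict[int, List[int]] = {}
    for port, counts in series.items():
        for day in range(window, len(counts)):
            z = modified_zscore(counts[day - window:day], counts[day])
            if abs(z) > z_thresh:
                flagged.setdefault(port, []).append(day)
    return flagged


def merge(parts: List[Dict[int, List[int]]],
          min_parts: int = MIN_PARTS) -> Dict[Tuple[int, int], int]:
    """Merge stage: keep (port, day) anomalies reported by >= min_parts parts.

    A spike confined to one part (a local event) is dropped; a spike that
    appears at the same time across parts (a large-scale scan) is kept.
    """
    votes: Dict[Tuple[int, int], int] = {}
    for flagged in parts:
        for port, days in flagged.items():
            for day in days:
                votes[(port, day)] = votes.get((port, day), 0) + 1
    return {key: n for key, n in votes.items() if n >= min_parts}


# Constructed sample: three network parts, ten days of per-port counts.
# Port 23 jumps on days 8-9 in every part (a telnet scan seen everywhere);
# port 80 spikes on day 7 in part B only (a local event); port 443 is flat.
SAMPLE_PARTS = [
    {23: [10, 12, 11, 10, 13, 11, 12, 12, 300, 310],
     80: [50, 52, 51, 49, 50, 53, 52, 51, 50, 52],
     443: [100] * 10},
    {23: [8, 11, 7, 10, 9, 12, 8, 10, 250, 260],
     80: [48, 51, 50, 52, 49, 50, 51, 400, 50, 49],
     443: [100] * 10},
    {23: [15, 13, 16, 14, 12, 15, 14, 13, 500, 480],
     80: [50, 49, 51, 50, 52, 50, 49, 51, 50, 50],
     443: [100] * 10},
]


def run_example():
    """Run split then merge over the constructed sample."""
    per_part = [detect_per_part(part) for part in SAMPLE_PARTS]
    merged = merge(per_part)
    return per_part, merged


if __name__ == "__main__":
    per_part, merged = run_example()
    for i, flags in enumerate(per_part):
        print(f"part {i}: {flags}")
    print("retained after merge:", merged)
```

Running it shows the per-part stage flagging port 80 on day 7 in part B alone and port 23 on days 8 and 9 in all three parts; the merge keeps only the port 23 anomalies, which is the false-positive reduction the abstract claims for the merge step. The flat port 443 baseline exercises the MAD = 0 case, which a naive Z-score would turn into a division by zero.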
Document type: Conference papers

https://hal.archives-ouvertes.fr/hal-02119801
Contributor: Stefano Secci
Submitted on: Saturday, August 10, 2019 - 6:58:48 PM
Last modification on: Monday, November 18, 2019 - 1:39:42 PM
Long-term archiving on: Wednesday, January 8, 2020 - 12:51:15 PM

File

188711.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-02119801, version 1

Citation

Agathe Blaise, Mathieu Bouet, Stefano Secci, Vania Conan. Split-and-Merge: Detecting Unknown Botnets. IFIP/IEEE Integrated Management (IM) Conference, Apr 2019, Arlington, United States. pp.153-161. ⟨hal-02119801⟩
