Conference papers

Split-and-Merge: Detecting Unknown Botnets

Agathe Blaise 1 Mathieu Bouet 2 Stefano Secci 3 Vania Conan 2
1 Phare
3 CEDRIC - ROC - CEDRIC. Réseaux et Objets Connectés
CEDRIC - Centre d'études et de recherche en informatique et communications
Abstract : On September 20th, 2016, Mirai struck the Internet in a massive surprise attack. This is just one example of an unknown botnet, neither detected nor mitigated at the time it struck. Current anomaly detection techniques can only detect such botnets after they have spread. However, such attacks are generally preceded by several stages, including infection of hosts or fingerprinting of devices. Being able to capture this activity would allow their early detection. In this paper, we propose a strategy aimed at the early detection of unknown botnets, which acts by (i) splitting and merging distributed monitoring data and related metrics, and (ii) monitoring at the port level, with a simple yet efficient change-detection algorithm based on a modified Z-score measure. The analysis of port usage is first split over different parts of the network, and then merged to retain only similar anomalies. This ensures detection of large-scale attacks and drastically reduces false positives. We validate the approach on the MAWI data set, which provides daily traces of a transpacific backbone link. We demonstrate that the solution generates a very low number of false positives. We show how it detects some major attacks (including Mirai) that arose in the last three years and that traditional anomaly detectors have not seen. Details about the noticed anomalies are provided to help the administrator qualify them through specific features.
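The split-and-merge idea from the abstract, as an added example that is not the paper's code: each network partition flags ports whose latest daily count has an extreme modified Z-score against that port's own history, and the merge step keeps only ports flagged in several partitions at once. The median/MAD form of the modified Z-score (Iglewicz-Hoaglin, threshold 3.5), the per-partition counts and the "at least two partitions" merge rule are assumptions for illustration; the abstract does not give the paper's exact variant.

```python
from statistics import median

# Constructed sample data: for three network partitions, the number of distinct
# source hosts seen per destination port on each of the last 8 days. The last
# value of each series is "today". Port 23 jumps in two partitions at once
# (a large-scale scan), while port 80 jumps in a single partition only.
PARTITIONS = {
    "part-A": {23: [40, 42, 39, 41, 43, 40, 42, 310],
               80: [500, 520, 495, 510, 505, 515, 498, 530]},
    "part-B": {23: [35, 36, 34, 37, 35, 36, 38, 280],
               80: [400, 410, 395, 405, 420, 399, 412, 415]},
    "part-C": {23: [50, 48, 51, 49, 50, 52, 47, 49],
               80: [600, 610, 590, 605, 595, 615, 600, 900]},
}


def modified_zscore(history, value):
    """Modified Z-score of `value` against `history` (assumed median/MAD form).

    Median and MAD are used instead of mean and standard deviation so that a
    single past outlier in the history does not mask a new change.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # flat history: any deviation is a change, none is not
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def split(partitions, threshold=3.5):
    """Split step: each partition flags its own anomalous ports independently."""
    flagged = {}
    for name, ports in partitions.items():
        flagged[name] = {
            port for port, series in ports.items()
            if abs(modified_zscore(series[:-1], series[-1])) > threshold
        }
    return flagged


def merge(flagged, min_partitions=2):
    """Merge step: retain only ports anomalous in at least `min_partitions`.

    A change seen in one partition alone is treated as local noise; the same
    port changing across partitions is the signature of a large-scale event.
    """
    counts = {}
    for ports in flagged.values():
        for port in ports:
            counts[port] = counts.get(port, 0) + 1
    return {port for port, n in counts.items() if n >= min_partitions}
```

Running `merge(split(PARTITIONS))` on the constructed data keeps port 23 and drops the single-partition jump on port 80.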
Document type :
Conference papers

Cited literature [29 references]

Contributor : Stefano Secci
Submitted on : Saturday, August 10, 2019 - 6:58:48 PM
Last modification on : Monday, April 4, 2022 - 10:40:41 AM
Long-term archiving on : Wednesday, January 8, 2020 - 12:51:15 PM


Files produced by the author(s)


  • HAL Id : hal-02119801, version 1


Agathe Blaise, Mathieu Bouet, Stefano Secci, Vania Conan. Split-and-Merge: Detecting Unknown Botnets. IFIP/IEEE Integrated Management (IM) Conference, Apr 2019, Arlington, United States. pp.153-161. ⟨hal-02119801⟩


