dc.contributor.author: AlAhmadi, Bushra A.
dc.contributor.author: Mariconti, Enrico
dc.contributor.author: Spolaor, Riccardo
dc.contributor.author: Stringhini, Gianluca
dc.contributor.author: Martinovic, Ivan
dc.date.accessioned: 2021-02-02T19:10:41Z
dc.date.available: 2021-02-02T19:10:41Z
dc.date.issued: 2020-10-05
dc.identifier.citation: Bushra A. AlAhmadi, Enrico Mariconti, Riccardo Spolaor, Gianluca Stringhini, Ivan Martinovic. 2020. "BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior." Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20). https://doi.org/10.1145/3320269.3372202
dc.identifier.uri: https://hdl.handle.net/2144/41968
dc.description: This paper was presented at the 15th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2020), 5-9 October 2020, Taipei, Taiwan. This is the accepted manuscript version of the paper. The final version is available online from the Association for Computing Machinery at: https://doi.org/10.1145/3320269.3372202
dc.description.abstract: Botnets continue to be a threat to organizations, thus various machine learning-based botnet detectors have been proposed. However, the capability of such systems to detect new or unseen botnets is crucial to ensure their robustness against the rapid evolution of botnets. Moreover, it prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. The Markov Chain state transitions capture the bots' network behavior using high-level flow features as states, producing content-agnostic and encryption-resilient behavioral features. These features are used to train a classifier to first detect flows produced by bots, and then identify their bot families. We evaluate our system on a dataset of over 7M malicious flows from 12 botnet families, showing its capability of detecting bots' network traffic with a 99.78% F-measure and classifying it to a malware family with a 99.09% F-measure. Notably, due to the modeling of general bot network behavior by the Markov Chains, BOTection can detect traffic belonging to unseen bot families with an F-measure of 93.03%, making it robust against malware evolution.
dc.language.iso: en_US
dc.publisher: ACM
dc.relation.ispartof: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
dc.rights: © 2020 Association for Computing Machinery.
dc.title: BOTection: bot detection by building Markov Chain models of bots network behavior
dc.type: Conference materials
dc.description.version: Accepted manuscript
dc.identifier.doi: 10.1145/3320269.3372202
pubs.elements-source: crossref
pubs.notes: Embargo: Not known
pubs.organisational-group: Boston University
pubs.organisational-group: Boston University, College of Engineering
pubs.organisational-group: Boston University, College of Engineering, Department of Electrical & Computer Engineering
pubs.publication-status: Published
dc.date.online: 2020-10-05
dc.identifier.mycv: 585559