Botnets are a disastrous threat because they execute malicious activities such as distributed denial-of-service, spam email, malware downloads (such as egg downloads), and spying by exploiting zombie PCs under their control. Botnets infect PCs on a huge scale by first scanning the service ports of vulnerable applications in order to propagate, an effect that is amplified as the botnet grows. Therefore, it is of crucial importance to detect botnet-propagation activities early and to determine the expected size of the attack. To address this issue, this paper proposes to recreate botnets' port-scanning patterns using a simple text classifier that represents these patterns as a kind of matrix. The patterns obtained are then used to train a hidden Markov model and to perform early detection using the trained model. Early detection is achievable by catching the onset of suspicious propagation immediately, and a size estimate is obtained by monitoring fluctuations in botnet size. With this approach, early-detection rates increased to more than 30.6% on average, with a low false negative rate (less than 6%) and an F-measure greater than 96%. This significant improvement in performance will contribute to preventing botnet propagation in its earliest stages. Copyright © 2011 John Wiley & Sons, Ltd.
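As an added illustration of the HMM-based onset detection the abstract describes (not the paper's own code, and not its text-classifier matrix representation), the following assumed two-state model with Poisson emissions runs a forward filtering pass over constructed per-minute counts of connection attempts to one service port and flags the first interval where the posterior probability of the propagating state crosses a threshold; the model parameters, emission family and sample counts are all assumptions.

```python
import math

# Assumed two-state HMM over per-interval scan counts to one service port
# (constructed parameters for illustration, not the paper's trained model).
# State 0 = background noise, state 1 = botnet propagation.
INIT = (0.99, 0.01)                    # a sensor window almost always starts quiet
TRANS = ((0.97, 0.03), (0.10, 0.90))   # propagation, once started, tends to persist
RATES = (2.0, 25.0)                    # mean connection attempts per interval, per state

def log_poisson(k, lam):
    """Log-probability of k connection attempts under a Poisson(lam) emission model."""
    return k * math.log(lam) - lam - math.lgamma(k + 1)

def filter_posterior(counts):
    """Forward (filtering) pass: P(propagating | counts[0..t]) for every interval t.
    The state distribution is renormalised each step so long windows do not underflow."""
    alpha, posteriors = INIT, []
    for t, k in enumerate(counts):
        # predict: push the previous filtered distribution through the transition matrix
        if t > 0:
            alpha = tuple(sum(alpha[i] * TRANS[i][s] for i in range(2)) for s in range(2))
        # update: weight by the emission likelihood, done in log space for stability
        logs = [math.log(alpha[s]) + log_poisson(k, RATES[s]) for s in range(2)]
        shift = max(logs)
        weights = [math.exp(v - shift) for v in logs]
        alpha = tuple(w / sum(weights) for w in weights)
        posteriors.append(alpha[1])
    return posteriors

def detect_onset(counts, threshold=0.9):
    """Index of the first interval whose posterior crosses the threshold, or None."""
    for t, p in enumerate(filter_posterior(counts)):
        if p >= threshold:
            return t
    return None

# Constructed sample: per-minute SYN counts to one service port as seen by one sensor.
# Minutes 0-8 are background chatter; a scanning burst starts at minute 9.
SAMPLE_COUNTS = [1, 3, 2, 0, 2, 1, 4, 2, 3, 12, 21, 27, 30, 24, 29]

if __name__ == "__main__":
    for t, p in enumerate(filter_posterior(SAMPLE_COUNTS)):
        print(f"minute {t:2d}  attempts={SAMPLE_COUNTS[t]:3d}  P(propagating)={p:.4f}")
    print("onset flagged at minute", detect_onset(SAMPLE_COUNTS))  # → 9
```

With Poisson emissions sharing the same count, the per-interval likelihood ratio between the two states depends only on the count itself, so the transition matrix is what carries evidence forward and lets a single elevated interval be confirmed rather than acted on in isolation.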