Please use this identifier to cite or link to this item:
https://hdl.handle.net/20.500.11851/6233
Title: | An Automated Bot Detection System through Honeypots for Large-Scale | Authors: | Haltas, Fatih Uzun, Erkam Siseci, Necati Posul, Abdulkadir Emre, Bakır |
Keywords: | Botnet honeypots NetFlow analysis machine learning |
Publisher: | IEEE | Source: | 6th International Conference on Cyber Conflict (CyCon) -- JUN 03-06, 2014 -- Tallinn, ESTONIA | Series/Report no.: | International Conference on Cyber Conflict | Abstract: | One of the purposes of active cyber defense systems is identifying infected machines in enterprise networks that are presumably root cause and main agent of various cyber-attacks. To achieve this, researchers have suggested many detection systems that rely on host-monitoring techniques and require deep packet inspection or which are trained by malware samples by applying machine learning and clustering techniques. To our knowledge, most approaches are either lack of being deployed easily to real enterprise networks, because of practicability of their training system which is supposed to be trained by malware samples or dependent to host-based or deep packet inspection analysis which requires a big amount of storage capacity for an enterprise. Beside this, honeypot systems are mostly used to collect malware samples for analysis purposes and identify coining attacks. Rather than keeping experimental results of hot detection techniques as theory and using honeypots for only analysis purposes, in this paper, we present a novel automated hot-infected machine detection system BFH (BotFinder through Honeypots), based on BotFinder, that identifies infected hosts in a real enterprise network by learning approach. Our solution, relies on NetFlow data, is capable of detecting hots which are infected by most-recent malwares whose samples are caught via 97 different honeypot systems. We train BFH by created models, according to malware samples, provided and updated by 97 honeypot systems. BFH system automatically sends caught malwares to classification unit to construct family groups. Later, samples are automatically given to training unit for modeling and perform detection over Net Flow data. Results are double checked by using full packet capture of a month and through tools that identify rogue domains. Our results show that BFH is able to detect infected hosts with very few false-positive rates and successful on handling most-recent malware families since it is fed by 97 Honey pot and it supports large networks with scalability of Hadoop infrastructure, as deployed in a large-scale enterprise network in Turkey. | URI: | https://hdl.handle.net/20.500.11851/6233 | ISBN: | 978-9949-9544-0-7 | ISSN: | 2325-5366 |
Appears in Collections: | Bilgisayar Mühendisliği Bölümü / Department of Computer Engineering Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection WoS İndeksli Yayınlar Koleksiyonu / WoS Indexed Publications Collection |
Show full item record
CORE Recommender
WEB OF SCIENCETM
Citations
6
checked on Aug 31, 2024
Page view(s)
50
checked on Nov 11, 2024
Google ScholarTM
Check
Altmetric
Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.