A master's thesis from Aalborg University
Botnet detection using Hidden Markov Models

Translated title

Botnet detektion ved brug af Skjulte Markov Modeller

Author

Term

4th term

Publication year

2014

Submitted on

Pages

96

Abstract

This thesis proposes a new method to detect and address botnets, which are networks of computers secretly controlled by attackers through bot malware. The method models how a host computer moves through a life cycle of stages, from becoming infected to taking part in a botnet. Because these stages cannot be directly observed, the approach uses alerts from Intrusion Detection Systems (IDS), security tools that monitor network traffic, as signals about a host's unknown state. This setup aligns with a Hidden Markov Model (HMM), a statistical technique that infers hidden states from observable events. By combining the life-cycle model, the IDS alerts, and the HMM, the method estimates each host's life-cycle stage using only data visible on the network. In evaluation, it achieved a true positive rate of 100.000%, a false positive rate of 1.068%, and an overall accuracy of 98.947% in detecting hosts infected with bot malware.

[This abstract was generated with the help of AI]