Botnet detection using Hidden Markov Models

Student thesis: Master Thesis and HD Thesis

  • Egon Kidmose
4. term, Networks and Distributed Systems, Master (Master Programme)
Based on a study of the botnet problem and related work solving it, a novel method to solve the problem is proposed.
The method encompasses a life-cycle model for a host machine becoming infected with bot malware and being part of a botnet.
It is argued that Intrusion Detection Systems can be used to obtain alerts conveying information about the unknown life-cycle state of hosts.
The life-cycle model with unobservable states and the alerts related to states fits perfectly with a Hidden Markov Model.
It is shown that the life-cycle, the alerts and the Hidden Markov Model can be combined to estimate the life-cycle state of hosts, only relying on data observable in the network.
The result is a true positive rate of 100.000% and a false positive rate of 1.068%, yielding an accuracy of 98.947%, on the detection of hosts with a bot malware infection.
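As an added illustration, not part of the thesis, the following Python decodes a host's hidden life-cycle state from a sequence of IDS alert classes with an HMM (Viterbi decoding). The state names, alert classes and all probabilities are assumptions, since the abstract does not give them.

```python
import math
# Added example, not from the thesis. State and alert labels are assumptions:
# the abstract does not name the life-cycle states or the IDS alert classes.
STATES = ["clean", "exploited", "infected", "in_botnet"]   # hidden life-cycle states
ALERTS = ["no_alert", "exploit_alert", "download_alert", "cnc_alert", "attack_alert"]
START = {"clean": 0.97, "exploited": 0.01, "infected": 0.01, "in_botnet": 0.01}
# Transitions encode the life-cycle clean -> exploited -> infected -> in_botnet,
# with a small chance of clean-up from any state (constructed probabilities).
TRANS = {
    "clean":     {"clean": 0.90, "exploited": 0.10, "infected": 0.00, "in_botnet": 0.00},
    "exploited": {"clean": 0.10, "exploited": 0.40, "infected": 0.50, "in_botnet": 0.00},
    "infected":  {"clean": 0.05, "exploited": 0.00, "infected": 0.45, "in_botnet": 0.50},
    "in_botnet": {"clean": 0.05, "exploited": 0.00, "infected": 0.05, "in_botnet": 0.90},
}
# Emissions: how likely each IDS alert class is in each state. Clean hosts still
# raise occasional alerts, so no single alert is conclusive on its own.
EMIT = {
    "clean":     dict(zip(ALERTS, [0.94, 0.03, 0.02, 0.005, 0.005])),
    "exploited": dict(zip(ALERTS, [0.40, 0.50, 0.05, 0.03, 0.02])),
    "infected":  dict(zip(ALERTS, [0.40, 0.05, 0.40, 0.10, 0.05])),
    "in_botnet": dict(zip(ALERTS, [0.30, 0.02, 0.03, 0.40, 0.25])),
}

def _lg(p):  # log-probability with log(0) = -inf, so impossible moves never win
    return math.log(p) if p > 0 else float("-inf")

def viterbi(alerts):
    """Most likely hidden life-cycle state sequence for one host's alert sequence."""
    scores = {s: _lg(START[s]) + _lg(EMIT[s][alerts[0]]) for s in STATES}
    backptr = []
    for a in alerts[1:]:
        nxt, ptr = {}, {}
        for s in STATES:
            prev = max(STATES, key=lambda p: scores[p] + _lg(TRANS[p][s]))
            nxt[s] = scores[prev] + _lg(TRANS[prev][s]) + _lg(EMIT[s][a])
            ptr[s] = prev
        scores, backptr = nxt, backptr + [ptr]
    path = [max(STATES, key=scores.get)]
    for ptr in reversed(backptr):
        path.append(ptr[path[-1]])
    return path[::-1]

def is_bot_infected(alerts):
    """Flag the host when the decoded path ever reaches an infected state."""
    return any(s in ("infected", "in_botnet") for s in viterbi(alerts))

# Constructed alert sequences for two hosts observed over seven intervals.
INFECTED_HOST = ["no_alert", "exploit_alert", "download_alert", "no_alert",
                 "cnc_alert", "cnc_alert", "attack_alert"]
CLEAN_HOST = ["no_alert"] * 2 + ["exploit_alert"] + ["no_alert"] * 4  # one isolated alert
```

The decoded path for the clean host stays in `clean` throughout: the isolated exploit alert is absorbed by the model rather than triggering a detection, which is the mechanism behind the low false positive rate the abstract reports.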
Publication date: 2 Jun 2014
Number of pages: 96
ID: 198454758