
We present a novel way to detect infected hosts and identify malware in networks by analyzing network communication statistics with state-of-the-art automata learning algorithms. The automata encode patterns of short-term interactions in known malicious hosts, and are used to obtain small but effective fingerprints of machine behavior. We showcase the effectiveness of our system, named BASTA (Behavioral Analytics System using Timed Automata), on a public dataset containing Netflow traces of real-world botnet malware. Compared to deep packet inspection of communication content, Netflows are easy and cheap to collect and analyze, and preserve a greater degree of privacy. Even though the high level of abstraction in Netflow data makes it more difficult to utilize, BASTA shows very impressive results, achieving high accuracy in several settings while returning few false positives. It is also capable of detecting infections by previously unseen malware.
Original language: English
Title of host publication: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)
Editors: P. Chemouil, E. Monteiro, M. Charalambides, E. Madeira, P. Simoes, S. Secci, L.P. Gaspary, C.R.P. dos Santos
Publisher: IEEE
Pages: 308-316
Number of pages: 9
ISBN (Electronic): 978-3-901882-89-0
ISBN (Print): 978-1-5090-5658-3
State: Published - 24 Jul 2017
Event: IFIP/IEEE Symposium on Integrated Network and Service Management - Lisbon, Portugal

Conference

Conference: IFIP/IEEE Symposium on Integrated Network and Service Management
Abbreviated title: IM
Country: Portugal
City: Lisbon
Period: 8/05/17 - 12/05/17

Research areas

• Malware, Learning Automata, Hidden Markov models, Protocols, Monitoring, Tools

ID: 28357092