Botnet Detection Using Anomalous IDS-Driven Correlation
A botnet is a network of zombie computers controlled by criminals for their personal gain without the owners' consent or knowledge. This project reproduces methods for detecting botnets in an internal network, beginning with PAYL, a payload-based anomaly detector for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic and efficient fashion. During a training phase, PAYL computes a profile of the byte frequency distribution, together with its standard deviation, of the application payload flowing to and from a single host and port. During the detection phase it then uses the Mahalanobis distance to measure the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds it. Experiments with the DARPA 1999 IDS dataset show the method to be effective: in one case nearly 100% accuracy is achieved with a 1% false positive rate.

The PAYL method then led to a new kind of network perimeter monitoring tool for detecting botnets, called BotHunter. At a high level, BotHunter is an application that monitors two-way network communication between the internal protected asset and external untrusted entities. BotHunter builds an evidence trail from these communication flows and matches it against a state-based infection sequence model.
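The PAYL training and detection steps described above, as an added illustration that is not the project's own code: a byte-frequency profile (mean and standard deviation per byte value) is learned from normal payloads, and new payloads are scored with PAYL's simplified Mahalanobis distance and compared to a threshold. The HTTP payloads are constructed samples, and the smoothing constant ALPHA and the threshold slack factor are assumed values, not taken from the thesis.

```python
# Minimal PAYL-style detector (added example, not the thesis' code): a byte-frequency
# profile learned from normal payloads, then PAYL's simplified Mahalanobis distance
# against that profile.  Payloads are constructed; ALPHA and the slack are assumed.
import math
from collections import Counter

ALPHA = 0.001  # smoothing added to each std dev so bytes never seen in training do not divide by zero

def byte_frequencies(payload: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = Counter(payload)
    n = max(len(payload), 1)
    return [counts.get(b, 0) / n for b in range(256)]

def train_profile(payloads):
    """Training phase: per-byte mean and standard deviation over normal payloads.
    PAYL keeps one profile per host/port (and payload length); this example keeps one."""
    vectors = [byte_frequencies(p) for p in payloads]
    m = len(vectors)
    mean = [sum(v[i] for v in vectors) / m for i in range(256)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / m) for i in range(256)]
    return mean, std

def mahalanobis_distance(payload: bytes, profile) -> float:
    """PAYL's simplified Mahalanobis distance: sum over i of |x_i - mean_i| / (std_i + ALPHA)."""
    mean, std = profile
    x = byte_frequencies(payload)
    return sum(abs(x[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))

def calibrate_threshold(payloads, profile, slack: float = 1.5) -> float:
    """Largest training distance times a slack factor (assumed calibration scheme)."""
    return slack * max(mahalanobis_distance(p, profile) for p in payloads)

def is_anomalous(payload: bytes, profile, threshold: float) -> bool:
    """Detection phase: alert when the distance to the profile exceeds the threshold."""
    return mahalanobis_distance(payload, profile) > threshold

# Constructed training traffic: ordinary HTTP requests to one web server port.
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /news/2019/05.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
PROFILE = train_profile(TRAINING)
THRESHOLD = calibrate_threshold(TRAINING, PROFILE)
NORMAL_REQUEST = b"GET /images/blue.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # unseen but in-profile
BINARY_BLOB = bytes(range(128, 256)) * 4  # constructed non-text payload unlike any training sample
```

Bytes that never occurred in training have a standard deviation of zero, so ALPHA alone bounds their contribution; this is why a non-text payload scores far above the threshold while a new, text-like request stays below it.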
Major Advisor: Jesse Walker
Committee: Rakesh Bobba
Committee: Yeongjin Jang
Thursday, May 30 at 11:00am to 1:00pm
Kelley Engineering Center, 1007
110 SW Park Terrace, Corvallis, OR 97331