Bot Detection by Building Markov Chain Models of Bots Network Behavior

balahmadi-Ox/BOTection

BOTection

BOTection is a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. Using the state transitions extracted from the Markov chains, we train a Random Forest classifier to first detect network flows produced by bots, and then identify their bot families. BOTection is content-agnostic and resilient to encryption, relying on high-level network features to model bots' network behavior. We evaluate our system on a dataset of over 7M malicious flows from 12 botnet families, showing its capability of detecting bots' network traffic with 99.78% F-measure. Notably, due to the modeling of general bot network behavior, BOTection can detect traffic belonging to unseen bot families with an F-measure of 93.03%. BOTection is also robust in classifying a bot family with a 99.09% F-measure score, which is essential in understanding their behavior for effective detection.
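The paragraph above describes the core representation: a host's sequence of flows becomes a Markov chain, and the chain's transition probabilities become the features a classifier consumes. The following is an added illustration, not BOTection's own code. It assumes a flow state is the tuple (proto, service, conn_state) taken from Zeek conn.log, and the sample log lines are constructed; the real system's state definition may differ.

```python
"""Added example (not BOTection's own code): derive a Markov-chain
transition-probability feature vector from a host's sequence of Zeek
conn.log flow states. This is the content-agnostic, encryption-resilient
representation the README describes: only high-level flow metadata is used,
never payload. The state definition (proto, service, conn_state) and the
sample records below are assumptions made for this illustration."""
from collections import Counter
from itertools import product

# Constructed sample of Zeek conn.log-style records (tab-separated subset of
# fields: ts, id.orig_h, id.resp_h, proto, service, conn_state) for one host.
# All values are made up for the example.
SAMPLE_CONN_LOG = """\
1.0\t10.0.0.5\t192.0.2.10\tudp\tdns\tSF
2.0\t10.0.0.5\t198.51.100.7\ttcp\thttp\tSF
3.0\t10.0.0.5\t198.51.100.7\ttcp\thttp\tSF
4.0\t10.0.0.5\t192.0.2.10\tudp\tdns\tSF
5.0\t10.0.0.5\t198.51.100.7\ttcp\thttp\tSF
6.0\t10.0.0.5\t203.0.113.9\ttcp\t-\tS0
"""


def parse_states(conn_log: str):
    """Return the ordered list of flow states (proto, service, conn_state).

    Hypothetical helper, hard-coded to the constructed column layout above;
    a real deployment would read the header of conn.log to locate fields.
    """
    states = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _orig, _resp, proto, service, conn_state = line.split("\t")
        states.append((proto, service, conn_state))
    return states


def transition_counts(states):
    """Count consecutive state pairs (s_i -> s_{i+1}) along the flow sequence."""
    return Counter(zip(states, states[1:]))


def transition_probabilities(states):
    """Normalise pair counts per source state, giving the rows of the
    Markov chain's transition matrix (each observed row sums to 1)."""
    counts = transition_counts(states)
    totals = Counter()
    for (src, _dst), n in counts.items():
        totals[src] += n
    return {pair: n / totals[pair[0]] for pair, n in counts.items()}


def feature_vector(states, alphabet):
    """Flatten the transition probabilities over a fixed, ordered state
    alphabet so every host yields a vector of identical length, which is what
    a classifier such as the Random Forest in the README requires. Unseen
    transitions contribute 0.0; the alphabet is normally the set of states
    observed across the whole training set."""
    probs = transition_probabilities(states)
    return [probs.get((a, b), 0.0) for a, b in product(alphabet, alphabet)]


if __name__ == "__main__":
    seq = parse_states(SAMPLE_CONN_LOG)
    alphabet = sorted(set(seq))
    for (src, dst), p in sorted(transition_probabilities(seq).items()):
        print(f"{src} -> {dst}: {p:.3f}")
    print("feature vector:", feature_vector(seq, alphabet))
```

In the constructed sequence the DNS state always moves to HTTP (probability 1.0), while the HTTP state splits evenly between repeating itself, returning to DNS and ending in a half-open S0 connection (1/3 each). The last state has no outgoing transition, so its row stays zero; a vector built over a training-set-wide alphabet lets the classifier compare such rows across hosts and families.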

About

This repository contains the code for the paper "BOTection: Bot Detection by Building Markov Chain Models of Bots' Network Behavior", to appear in the 15th ACM ASIA Conference on Computer and Communications Security (ACM AsiaCCS'20).

Prerequisites

In order to convert the PCAPs to Bro/Zeek logs, make sure Zeek/Bro is installed.

Dataset

In our paper, we used the following datasets:

How to run the code

You can run this code in a Python/Anaconda environment.

Citation

If you use this repository please cite the paper as follows:

@inproceedings{balahmadi_botection,
author = {AlAhmadi, Bushra A. and Mariconti, Enrico and Spolaor, Riccardo and Stringhini, Gianluca and Martinovic, Ivan},
title = {BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior},
year = {2020},
publisher = {Association for Computing Machinery},
booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security},
pages = {652–664},
numpages = {13},
location = {Taipei, Taiwan},
series = {ASIA CCS '20}
}
