Learning behavioral fingerprints from Netflows using Timed Automata

Conference paper (2017)

Authors

G. Pellegrino Cyber Security -

Q. Lin Cyber Security -

C.A. Hammerschmidt University of Luxembourg

S.E. Verwer Cyber Security -

Research Group

Cyber Security () (TU Delft)

Monitoring Protocols Tools Hidden Markov models Malware Learning Automata

More Info

expand_more

To reference this document use:

http://resolver.tudelft.nl/uuid:2437fdfc-4d0f-4242-a892-efd1b3638052

Published Date

24-07-2017

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

We present a novel way to detect infected hosts and identify malware in networks by analyzing network communication statistics with state-of-the-art automata learning algorithms. The automata encode patterns of short-term interactions in known malicious hosts, and are used to obtain small but effective fingerprints of machine behavior. We showcase the effectiveness of our system, named BASTA1 (Behavioral Analytics System using Timed Automata), on a public dataset containing Netflow traces of real-world botnet malware. Compared to a deep packet inspection of communication content, Netflows are easy and cheap to collect and analyze, and preserve a greater degree of privacy. Even though the high level of abstraction in Netflow data makes it more difficult to utilize it, BASTA shows very impressive results achieving high accuracy in several settings while returning few false positives. It is also capable of detecting infections of previously unseen malware.

Files

07987293.pdf

(.pdf | 1.24 Mb)