Learning behavioral fingerprints from Netflows using Timed Automata

Nino Pellegrino, Qin Lin, Christian Hammerschmidt, Sicco Verwer

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

8 Citations (Scopus)

Abstract

We present a novel way to detect infected hosts and identify malware in networks by analyzing network communication statistics with state-of-the-art automata learning algorithms. The automata encode patterns of short-term interactions in known malicious hosts, and are used to obtain small but effective fingerprints of machine behavior. We showcase the effectiveness of our system, named BASTA1 (Behavioral Analytics System using Timed Automata), on a public dataset containing Netflow traces of real-world botnet malware. Compared to a deep packet inspection of communication content, Netflows are easy and cheap to collect and analyze, and preserve a greater degree of privacy. Even though the high level of abstraction in Netflow data makes it more difficult to utilize it, BASTA shows very impressive results achieving high accuracy in several settings while returning few false positives. It is also capable of detecting infections of previously unseen malware.
Original languageEnglish
Title of host publication2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)
EditorsP. Chemouil, E. Monteiro, M. Charalambides, E. Madeira, P. Simoes, S. Secci, L.P. Gaspary, C.R.P. dos Santos
PublisherIEEE
Pages308-316
Number of pages9
ISBN (Electronic)978-3-901882-89-0
ISBN (Print)978-1-5090-5658-3
DOIs
Publication statusPublished - 24 Jul 2017
EventIFIP/IEEE Symposium on Integrated Network and Service Management - Lisbon, Portugal
Duration: 8 May 201712 May 2017
http://im2017.ieee-im.org/

Conference

ConferenceIFIP/IEEE Symposium on Integrated Network and Service Management
Abbreviated titleIM
Country/TerritoryPortugal
CityLisbon
Period8/05/1712/05/17
Internet address

Keywords

  • Malware
  • Learning Automata
  • Hidden Markov models
  • Protocols
  • Monitoring
  • Tools

Fingerprint

Dive into the research topics of 'Learning behavioral fingerprints from Netflows using Timed Automata'. Together they form a unique fingerprint.

Cite this