BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior

Abstract

Botnets continue to be a threat to organizations, so various machine learning-based botnet detectors have been proposed. However, the capability of such systems to detect new or unseen botnets is crucial to ensure their robustness against the rapid evolution of botnets. Such generalization also prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. Using the state transitions extracted from the Markov chains, we train a classifier to first detect network flows produced by bots, and then identify their bot families. BOTection is content-agnostic and resilient to encryption, relying on high-level network features to model bots' network behavior. We evaluate our system on a dataset of over 7M malicious flows from 12 botnet families, showing its capability of detecting bots' network traffic with a 99.78% F-measure. Notably, because it models general bot network behavior, BOTection can detect traffic belonging to unseen bot families that launch attacks similar to those previously known, with an F-measure of 93.03%. We also assess BOTection's robustness in classifying a bot family, achieving a 99.09% F-measure score, which is essential in understanding bot behavior for effective detection.
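To make the modeling step concrete, the following added example (not code from the BOTection paper or its authors) builds a per-host Markov chain from content-agnostic flow records and flattens its transition matrix into a feature row of the kind a classifier could be trained on. The state design (protocol, destination-port class, size bucket), the flow records and the host addresses are constructed assumptions for illustration; the paper's actual state definitions are not given on this page.

```python
from collections import Counter, defaultdict
from itertools import product

# Constructed sample flows (src_host, proto, dst_port, bytes): only high-level
# features are used, so payload encryption does not affect the model.
FLOWS = [
    ("10.0.0.5", "tcp", 6667, 120),  ("10.0.0.5", "tcp", 6667, 80),
    ("10.0.0.5", "tcp", 80, 9000),   ("10.0.0.5", "tcp", 6667, 100),
    ("10.0.0.5", "udp", 53, 70),     ("10.0.0.5", "tcp", 6667, 90),
    ("10.0.0.9", "tcp", 443, 50000), ("10.0.0.9", "udp", 53, 70),
    ("10.0.0.9", "tcp", 443, 30000),
]

def flow_state(proto, dst_port, nbytes):
    """Map one flow to a discrete Markov state (assumed state design)."""
    port_class = {53: "dns", 80: "http", 443: "https"}.get(dst_port, "other")
    size = "small" if nbytes < 1000 else "large"
    return f"{proto}:{port_class}:{size}"

def host_chains(flows):
    """Build one Markov chain per source host: P(next state | current state)."""
    sequences = defaultdict(list)
    for host, proto, port, nbytes in flows:  # flows assumed to be time-ordered
        sequences[host].append(flow_state(proto, port, nbytes))
    chains = {}
    for host, states in sequences.items():
        counts = defaultdict(Counter)
        for cur, nxt in zip(states, states[1:]):
            counts[cur][nxt] += 1
        # Normalise each row of transition counts into probabilities.
        chains[host] = {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
                        for cur, c in counts.items()}
    return chains

def state_vocabulary(flows):
    """Fixed, sorted state vocabulary so every host gets a same-length vector."""
    return sorted({flow_state(p, d, b) for _, p, d, b in flows})

def feature_vector(chain, vocab):
    """Flatten the vocab x vocab transition matrix into one classifier feature row."""
    return [chain.get(a, {}).get(b, 0.0) for a, b in product(vocab, vocab)]

if __name__ == "__main__":
    chains = host_chains(FLOWS)
    vocab = state_vocabulary(FLOWS)
    for host, chain in chains.items():
        print(host, feature_vector(chain, vocab))
```

Each row of a host's matrix sums to 1, so rows that never occur contribute zeros; a classifier trained on such vectors from labelled bot and benign hosts is what lets the approach generalise to unseen families with similar transition patterns.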

Publication
ACM ASIA Conference on Computer and Communications Security
