02 A review of SSH botnet detection in initial stages of infection: a Machine Learning-based approach

Botnets are exponentially increasing because of new zero-day attacks, a variation of their behavior, and obfuscation techniques that are not detected by traditional defense systems. Botnet detection has been focused on intermediate phases of the botnet’s life cycle during operation, underestimating...

ver descrição completa

Detalhes bibliográficos
Autores: Martínez Garre, José Tomás, Gil Pérez, Manuel, Ruiz-Martínez, Antonio
Formato: capítulo de livro
Fecha de publicación:2021
País:España
Recursos:Universidad de Castilla-La Mancha
Repositorio:RUIdeRA. Repositorio Institucional de la UCLM
OAI Identifier:oai:ruidera.uclm.es:10578/28600
Acesso em linha:http://doi.org/10.18239/jornadas_2021.34.02
http://hdl.handle.net/10578/28600
Access Level:acceso abierto
Palavra-chave:Botnet
Machine Learning
Zero-day malware
Honeypot
High interaction
Descrição
Resumo:Botnets are exponentially increasing because of new zero-day attacks, a variation of their behavior, and obfuscation techniques that are not detected by traditional defense systems. Botnet detection has been focused on intermediate phases of the botnet’s life cycle during operation, underestimating the initial phase of infection. Using SSH-based High Interaction Honeypots, we have designed a Machine Learning-based system capable of detecting the botnet infection phase in near real time, which as trained with a real dataset of executed commands and the network data obtained during SSH sessions. This approach reached a very high level of prediction and zero false negatives,where all known and unknown SSH sessions aimed at infecting our honeypots were detected.