Apriori–PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi, Ltd. Nur Rohman Rosyid, KMITL NBiS2011-S4: Network Security

3. Botnet2. Variants Generation of Malware 2 1. Single NBiS2011 PEPE WORM AA BB CC PE TR The Botnet Coordinated Attacks WO

Definition of Coordinated Attacks Time1st AttackC&CCoordinated AttacksUser 0:00 1:00 1:30 NBiS20113 PE 1st Attack IRC DNS Command WO TR DNS GET

Number of Downloads ( ) NBiS20114 CCC DATAset [3 years] Number of Downloads [DL/Week] Decreasing Tendency

Avg. Length of Coordinated Attacks NBiS20115 Number of Rules [Rules/Month] Number of Patterns [Patterns/Day] CCC DATAset 2009 ～ 2010 [2 years] Complication

Objectives NBiS20116 Difficulty

Previous Works  M. Ohrui, H. Kikuchi and M, Terada, “Mining Association Rules Consisting of Download Servers from Distributed Honeypot Observation”, The 13th Int’l Conf. on Network- Based Information Systems (NBiS 2010), pp ,  N. R. Rosyid, M. Ohrui, H. Kikuchi and P. Sooraksa, M. Terada, “A Discovery of Sequential Attack Patterns of Malware in Botnets”, The 2010 IEEE Int’l Conf. on Systems, Man, and Cybernetics (SMC 2010), pp , NBiS Apriori 2. PrefixSpan

 Sequence  in order Comparison of 2 Algorythms  A set of items  unordered  if X then Y NBiS Apriori 2. PrefixSpan  Given honeypot log: WO TR PE PE WO TR PEWO TR PETR WO 50 patterns (Answer) 50/50 extracts 30/50 extracts 20/50 extracts Same Time

1. Example of Apriori NBiS20119 WeekPE1PE2WORM1WORM2TROJ1TROJ2 Sun321 Mon Tue2212 Wed5321 Thu1143 Fri223 Sat31153

2. Example of PrefixSpan  Given a sequence database and minimum support threshold 2.  : 5, : 5, : 5, : 2, and : 2 NBiS201110

Pros and Cons NBiS Date AprioriPrefixSpan RuleSlotsTrueRulePtnsTrue 09/02/04 BK,TS ⇒ WO 14 TS ⇒ BK ⇒ WO 329 TS ⇒ WO ⇒ BK 7 WO ⇒ BK ⇒ TS 4 WO ⇒ TS ⇒ BK 12 … 09/02/28 BK,TS ⇒ WO 77 TS ⇒ WO ⇒ BK 514 BK,WO ⇒ TS 7 WO ⇒ TS ⇒ BK 3 Failed detection False detection Perfect detection Many Patterns

Our Idea  Hybrid detection of Apriori and PrefixSpan. NBiS BK, TR ⇒ WO PE, WO ⇒ TR TS, WO ⇒ BK …etc BK ⇒ TR ⇒ WO: 4 BK ⇒ WO ⇒ TR: 3 TR ⇒ BK ⇒ WO: 3 WO ⇒ BK ⇒ TR: 3 Dataset Step.1 Apriori Step.1 Apriori Useless Step.2 Prefix Span Step.2 Prefix Span Useless The Botnet Coordinated Attacks The Botnet Coordinated Attacks YES NO TR ⇒ WO ⇒ BK: 10 WO ⇒ TR ⇒ BK: 12 Detected.

Experiment Experiment NBiS201113

CCC DATAset  CCC DATAset have observed malware traffic at the Japanese tier-1 backbone under the Cyber Clean Center (CCC).  The malware downloading logs  112(2008), 94(2009), 92(2010) honeypot  3 years ( November 01, April 30, 2010 )  The captured packets data  1 honeypot  2(2008), 2(2009), 7(2010) days NBiS201114

Evaluation NBiS Recall Precision B. True rules A. Detected rulesC A B C. Correctly detected rules 40 rules 50 rules 30 rules

Accuracy NBiS2011  We can deduce from the data that hybrid approach is effective. AprioriPrefixSpanHybrid Recall315/315 =1.0482/575 = /575 = 0.95 Precision315/464 = /482 =

Conclusions  We have proposed the hybrid Approach of Apriori and PrefixSpan for automated detection of botnet coordinated attacks.  Our experiment shows that the proposed scheme improves accuracy of detection by recall of 0.95 and precision of 1.0. NBiS201117

Thank you! NBiS201118