Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apriori–PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada,

Published byRichard Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "Apriori–PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada,"— Presentation transcript:

1 Apriori–PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi, Ltd. Nur Rohman Rosyid, KMITL NBiS2011-S4: Network Security

2 3. Botnet2. Variants Generation of Malware 2 1. Single NBiS2011 PEPE WORM AA BB CC PE TR The Botnet Coordinated Attacks WO

3 Definition of Coordinated Attacks Time1st AttackC&CCoordinated AttacksUser 0:00 1:00 1:30 NBiS20113 PE 1st Attack IRC DNS Command WO TR DNS GET

4 Number of Downloads (2007-2010) NBiS20114 CCC DATAset [3 years] Number of Downloads [DL/Week] Decreasing Tendency

5 Avg. Length of Coordinated Attacks NBiS20115 Number of Rules [Rules/Month] Number of Patterns [Patterns/Day] CCC DATAset 2009 ~ 2010 [2 years] Complication

6 Objectives NBiS20116 Difficulty

7 Previous Works  M. Ohrui, H. Kikuchi and M, Terada, “Mining Association Rules Consisting of Download Servers from Distributed Honeypot Observation”, The 13th Int’l Conf. on Network- Based Information Systems (NBiS 2010), pp. 541-545, 2010.  N. R. Rosyid, M. Ohrui, H. Kikuchi and P. Sooraksa, M. Terada, “A Discovery of Sequential Attack Patterns of Malware in Botnets”, The 2010 IEEE Int’l Conf. on Systems, Man, and Cybernetics (SMC 2010), pp. 2564- 2570, 2010. NBiS20117 1. Apriori 2. PrefixSpan

8  Sequence  in order Comparison of 2 Algorythms  A set of items  unordered  if X then Y NBiS20118 1. Apriori 2. PrefixSpan  Given honeypot log: WO TR PE PE WO TR PEWO TR PETR WO 50 patterns (Answer) 50/50 extracts 30/50 extracts 20/50 extracts Same Time

9 1. Example of Apriori NBiS20119 WeekPE1PE2WORM1WORM2TROJ1TROJ2 Sun321 Mon122133 Tue2212 Wed5321 Thu1143 Fri223 Sat31153

10 2. Example of PrefixSpan  Given a sequence database and minimum support threshold 2.  : 5, : 5, : 5, : 2, and : 2 NBiS201110

11 Pros and Cons NBiS201111 Date AprioriPrefixSpan RuleSlotsTrueRulePtnsTrue 09/02/04 BK,TS ⇒ WO 14 TS ⇒ BK ⇒ WO 329 TS ⇒ WO ⇒ BK 7 WO ⇒ BK ⇒ TS 4 WO ⇒ TS ⇒ BK 12 … 09/02/28 BK,TS ⇒ WO 77 TS ⇒ WO ⇒ BK 514 BK,WO ⇒ TS 7 WO ⇒ TS ⇒ BK 3 Failed detection False detection Perfect detection Many Patterns

12 Our Idea  Hybrid detection of Apriori and PrefixSpan. NBiS201112 BK, TR ⇒ WO PE, WO ⇒ TR TS, WO ⇒ BK …etc BK ⇒ TR ⇒ WO: 4 BK ⇒ WO ⇒ TR: 3 TR ⇒ BK ⇒ WO: 3 WO ⇒ BK ⇒ TR: 3 Dataset Step.1 Apriori Step.1 Apriori Useless Step.2 Prefix Span Step.2 Prefix Span Useless The Botnet Coordinated Attacks The Botnet Coordinated Attacks YES NO TR ⇒ WO ⇒ BK: 10 WO ⇒ TR ⇒ BK: 12 Detected.

13 Experiment Experiment NBiS201113

14 CCC DATAset 2008-2010  CCC DATAset have observed malware traffic at the Japanese tier-1 backbone under the Cyber Clean Center (CCC).  The malware downloading logs  112(2008), 94(2009), 92(2010) honeypot  3 years ( November 01, 2007 -April 30, 2010 )  The captured packets data  1 honeypot  2(2008), 2(2009), 7(2010) days NBiS201114

15 Evaluation NBiS201115 Recall Precision B. True rules A. Detected rulesC A B C. Correctly detected rules 40 rules 50 rules 30 rules

16 Accuracy NBiS2011  We can deduce from the data that hybrid approach is effective. AprioriPrefixSpanHybrid Recall315/315 =1.0482/575 = 0.84545/575 = 0.95 Precision315/464 = 0.68482/482 = 1.01.0 16

17 Conclusions  We have proposed the hybrid Approach of Apriori and PrefixSpan for automated detection of botnet coordinated attacks.  Our experiment shows that the proposed scheme improves accuracy of detection by recall of 0.95 and precision of 1.0. NBiS201117

18 Thank you! NBiS201118

Download ppt "Apriori–PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada,"

Similar presentations

PREFIXSPAN ALGORITHM Mining Sequential Patterns Efficiently by Prefix- Projected Pattern Growth al113301m@student.etf.rs.

PREFIXSPAN ALGORITHM Mining Sequential Patterns Efficiently by Prefix- Projected Pattern Growth
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
1 2345678 9101112131415 16171819202122 23/3024/312526272829 SUN MON TUE WED THU FRI SAT JANUARY 2011 February 2011 SMTWTFS 12345 6789101112 13141516171819.

/3024/ SUN MON TUE WED THU FRI SAT JANUARY 2011 February 2011 SMTWTFS
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.

Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,

11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,
Mining Multidimensional Sequential Patterns over Data Streams Chedy Raїssi and Marc Plantevit DaWak_2008.

Mining Multidimensional Sequential Patterns over Data Streams Chedy Raїssi and Marc Plantevit DaWak_2008.
Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.
Jhih-sin Jheng 2009/09/01 Machine Learning and Bioinformatics Laboratory.

Jhih-sin Jheng 2009/09/01 Machine Learning and Bioinformatics Laboratory.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
Internet Observation with ISDAS: How long does a worm perform scanning? Tomohiro Kobori , Hiroaki Kikuchi (Tokai Univ, Japan) Masato Terada (Hitachi, Ltd.,

Internet Observation with ISDAS: How long does a worm perform scanning? Tomohiro Kobori , Hiroaki Kikuchi (Tokai Univ, Japan) Masato Terada (Hitachi, Ltd.,
Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid.

Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid.
The great fast food survey 2012 Get ready to record your data!

The great fast food survey 2012 Get ready to record your data!
HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG 124862 Supervisor : AP. Dr. Mohamed Othman.

HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.
Kazuya Kuwabara, Hiroaki Kikuchi, Tokai University Masato Terada and Masashi Fujiwara, Hitachi Ltd.,

Kazuya Kuwabara, Hiroaki Kikuchi, Tokai University Masato Terada and Masashi Fujiwara, Hitachi Ltd.,
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi Ltd.

Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi Ltd.
CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.

CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.
An Energy-Efficient Approach for Real-Time Tracking of Moving Objects in Multi-Level Sensor Networks Vincent S. Tseng, Eric H. C. Lu, & Kawuu W. Lin Institute.

An Energy-Efficient Approach for Real-Time Tracking of Moving Objects in Multi-Level Sensor Networks Vincent S. Tseng, Eric H. C. Lu, & Kawuu W. Lin Institute.

Similar presentations

Ads by Google