Bot Detection by Building Markov Chain Models of Bots Network Behavior
BOTection is a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. Using the state transitions extracted from the Markov chains, we train a Random Forest classifier to first detect network flows produced by bots, and then identify their bot families. BOTection is content-agnostic and resilient to encryption, relying on high-level network features to model bots' network behavior. We evaluate our system on a dataset of over 7M malicious flows from 12 botnet families, showing its capability of detecting bots' network traffic with 99.78% F-measure. Notably, due to the modeling of general bot network behavior, BOTection can detect traffic belonging to unseen bot families with an F-measure of 93.03%. BOTection is also robust in classifying a bot family with a 99.09% F-measure score, which is essential in understanding their behavior for effective detection.
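The modeling step described above, as an added example that is not part of the BOTection code base: flows from a Zeek conn.log are grouped per originating host, ordered by time, and the sequence of connection states is turned into a first-order Markov chain whose transition probabilities become a fixed-length feature vector. The state alphabet (a subset of Zeek's conn_state values), the simplified tab-separated column layout and the sample log lines are all assumptions constructed for this illustration; the paper's exact feature set may differ. Only high-level flow metadata is used, which is what makes the approach content-agnostic and unaffected by encrypted payloads.

```python
"""Markov chain transition features over Zeek conn.log flow states (illustrative, not the project's code)."""
from collections import Counter, defaultdict
from itertools import product

# Assumed state alphabet: a subset of Zeek conn_state values. Each flow is one step in the chain.
STATES = ["S0", "S1", "SF", "REJ", "RSTO", "RSTR", "OTH"]

# Constructed sample in a simplified conn.log layout:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state (tab separated).
# 10.0.0.5 mostly opens connections that never complete (S0), a scanning-like pattern;
# 10.0.0.9 completes every connection normally (SF).
SAMPLE_CONN_LOG = """\
1.0\t10.0.0.5\t192.0.2.10\t80\ttcp\tS0
2.0\t10.0.0.5\t192.0.2.11\t80\ttcp\tS0
3.0\t10.0.0.5\t192.0.2.12\t80\ttcp\tS0
4.0\t10.0.0.5\t198.51.100.1\t443\ttcp\tSF
5.0\t10.0.0.5\t192.0.2.13\t80\ttcp\tS0
1.5\t10.0.0.9\t198.51.100.2\t443\ttcp\tSF
2.5\t10.0.0.9\t198.51.100.3\t443\ttcp\tSF
3.5\t10.0.0.9\t198.51.100.4\t53\tudp\tSF
"""


def parse_conn_log(text):
    """Yield (timestamp, originating host, conn_state) per flow; skip comment/header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        yield float(fields[0]), fields[1], fields[5]


def state_sequences(records):
    """Group flows by originating host and order them by timestamp: host -> [conn_state, ...]."""
    by_host = defaultdict(list)
    for ts, host, state in records:
        by_host[host].append((ts, state))
    return {host: [state for _, state in sorted(flows)] for host, flows in by_host.items()}


def transition_matrix(sequence, states=STATES):
    """Estimate P(next = j | current = i) from consecutive state pairs.

    A state with no outgoing transitions keeps an all-zero row rather than a
    division by zero, so short sequences still yield a well-formed matrix.
    """
    counts = Counter(zip(sequence, sequence[1:]))
    matrix = {}
    for i in states:
        row_total = sum(counts[(i, j)] for j in states)
        for j in states:
            matrix[(i, j)] = counts[(i, j)] / row_total if row_total else 0.0
    return matrix


def feature_vector(sequence, states=STATES):
    """Flatten the transition matrix into one entry per (from, to) state pair.

    This fixed-length vector is the shape a classifier such as a Random Forest consumes.
    """
    matrix = transition_matrix(sequence, states)
    return [matrix[(i, j)] for i, j in product(states, states)]


def features_per_host(text):
    """End-to-end: conn.log text -> {originating host: transition feature vector}."""
    return {host: feature_vector(seq) for host, seq in state_sequences(parse_conn_log(text)).items()}


if __name__ == "__main__":
    sequences = state_sequences(parse_conn_log(SAMPLE_CONN_LOG))
    for host, seq in sequences.items():
        m = transition_matrix(seq)
        print(host, seq, "P(S0->S0)=%.2f P(S0->SF)=%.2f P(SF->SF)=%.2f"
              % (m[("S0", "S0")], m[("S0", "SF")], m[("SF", "SF")]))
```

Training the classifier is a separate step: each host's vector (here 49 entries) is paired with a benign or malicious label and fed to a Random Forest; per-family labels turn the same vectors into a family classifier.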
This repository contains the code for the paper "BOTection: Bot Detection by Building Markov Chain Models of Bots' Network Behavior", to appear in the 15th ACM ASIA Conference on Computer and Communications Security (ACM AsiaCCS'20).
In order to convert the PCAPs to Bro/Zeek logs, make sure to install Zeek/Bro.
In our paper, we used the following datasets:
You can run this code in a Python/Anaconda environment.
- Read the paper, to understand how the system works.
- The code is split according to the system modules, described in the paper:
- Add your PCAPs (dataset) to the PCAP sub-folder in Data: benign samples in the Benign sub-folder, malicious samples in the Malicious sub-folder, and mixed traffic in the Mixed sub-folder.
- You need to execute each module individually in order.
If you use this repository please cite the paper as follows:
@inproceedings{alahmadi2020botection,
  title={BOTection: Bot Detection by Building Markov Chain Models of Bots' Network Behavior},
  author={Alahmadi, B and Mariconti, E and Spolaor, R and Stringhini, G and Martinovic, I},
  booktitle={Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (AsiaCCS'20)},
  month={October},
  year={2020}
}