DocumentCode :
1928739
Title :
Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems
Author :
Bossert, Georges ; Hiet, Guillaume ; Henin, Thibaut
Author_Institution :
AMOSSYS-SUPELEC, Rennes, France
fYear :
2011
fDate :
18-21 May 2011
Firstpage :
1
Lastpage :
8
Abstract :
The purpose of this paper is the modelling and simulation of zombie machines for the evaluation of Network Intrusion Detection Systems (NIDS) used to detect botnets. We propose an automatic method to infer zombies' behaviours through the analysis of messages exchanged with their masters. Once computed, a model provides a way to generate realistic and manageable traffic, which is mandatory for an NIDS evaluation. We propose to use a Stochastic Mealy Machine to model zombies' behaviours, and an active inference algorithm to learn it. With our approach, it is possible to generate realistic traffic corresponding to the communications of botnets while ensuring its controllability in the context of an NIDS evaluation.
Keywords :
computer network security; inference mechanisms; stochastic processes; active inference algorithm; botnet command and control protocols; network intrusion detection systems; stochastic mealy machine; zombie machines; Computational modeling; Gold; Hidden Markov models; IP networks; Intrusion detection; Irrigation; Protocols;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Network and Information Systems Security (SAR-SSI), 2011 Conference on
Conference_Location :
La Rochelle
Print_ISBN :
978-1-4577-0735-3
Type :
conf
DOI :
10.1109/SAR-SSI.2011.5931397
Filename :
5931397