Adaptive pattern mining model for early detection of botnet-propagation scale

Botnets are a disastrous threat because they execute malicious activities such as distributed denial-of-service, spam email, malware downloads (such as eggdownloads), and spying by exploiting zombie PCs under their control. Botnets infect PCs on a huge scale by initially scanning the service ports of vulnerable applications for the purpose of propagation, which is leveraged as the size of the botnet increases. Therefore, it is of crucial importance to detect botnet-propagation activities early and to determine the expectedsize of the attack. To address this issue, this paper proposes to recreate botnets’ port-scanning patterns using a simple text classifier that represents these patterns as a kind of matrix. The patterns obtained are then used to train a hidden Markov model and to perform early detection using the trained model. Early detection is achievable by catching the onset of suspicious propagation immediately, and a size estimate is obtained by monitoring fluctuations in botnet size. With this approach, early-detection rates increased to more than 30.6% on average, with a low false negative rate (less than 6%) and an F-measure greater than 96%. This significant improvement in performance will contribute to preventing botnet propagation in its earliest stages. Copyright © 2011 John Wiley & Sons, Ltd.