Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

Georges Bossert; Guillaume Hiet; Thibaut Henin

doi:10.1109/SAR-SSI.2011.5931397

Conference Papers Year : 2011

Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

(1, 2) , (2) , (1)

1
2

Georges Bossert

Function : Author
PersonId : 765430
IdRef : 184446252

AMOSSYS

Confidentialité, Intégrité, Disponibilité et Répartition

Guillaume Hiet

Function : Author
PersonId : 16009
IdHAL : guillaume-hiet
ORCID : 0000-0002-7176-9760
IdRef : 133411206

Confidentialité, Intégrité, Disponibilité et Répartition

Thibaut Henin

Function : Author
PersonId : 843259

AMOSSYS

Abstract

The purpose of this paper is the modelization and simulation of zombie machines for the evaluation of Network Intrusion Detection Systems (NIDS), used to detect botnets. We propose an automatic method to infer zombies behaviors through the analysis of messages exchanged with their masters. Once computed, a model provides a solution to generate realistic and manageable traffic, which is mandatory for an NIDS evaluation. We propose to use a Stochastic Mealy Machine to model zombies behavior, and an active inference algorithm to learn it. With our approach, it is possible to generate a realistic traffic corresponding to the communications of botnets while ensuring its controllability in the context of an NIDS evaluation.

Keywords

computer network security inference mechanisms stochastic processes active inference algorithm botnet command and control protocols network intrusion detection systems stochastic mealy machine

Domains

Computer Science [cs] Cryptography and Security [cs.CR]

Anne Cloirec : Connect in order to contact the contributor

https://hal-centralesupelec.archives-ouvertes.fr/hal-00658396

Submitted on : Tuesday, January 10, 2012-2:12:02 PM

Last modification on : Friday, March 24, 2023-2:52:55 PM

Dates and versions

hal-00658396 , version 1 (10-01-2012)

Identifiers

HAL Id : hal-00658396 , version 1
DOI : 10.1109/SAR-SSI.2011.5931397

Cite

Georges Bossert, Guillaume Hiet, Thibaut Henin. Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems. SAR-SSI 2011, May 2011, La Rochelle, France. pp.1-8, ⟨10.1109/SAR-SSI.2011.5931397⟩. ⟨hal-00658396⟩

Export

BibTeX TEI Dublin Core DC Terms EndNote Datacite

Collections

SUPELEC INSTITUT-TELECOM EC-PARIS UNIV-RENNES1 CNRS INRIA INSA-RENNES IRISA SUP_CIDRE CENTRALESUPELEC IRISA-D1 INRIA2 UR1-MATH-STIC UR1-UFR-ISTIC UNIV-RENNES UR1-MATH-NUM

533 View

0 Download

Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

Abstract

Keywords

Domains

Dates and versions

Identifiers

Cite

Export

Collections

Altmetric

Share