A Combined Fusion and Data Mining Framework for the Detection of Botnets

This paper describes a combined fusion and mining framework applied to the detection of stealthy botnets. The framework leverages a fusion engine that tracks hosts through the use of feature-based profiles generated front multiple network sensor types. These profiles are classified and correlated based oil a set of known host profiles, e.g., web servers, mail servers, and hot behavioral characteristics. A mining engine discovers emergent threat profiles and delivers them to the fusion engine for processing. We describe the distributed nature of botnets and how they are created and managed. We then describe a combined fusion and mining model that builds orgy recent work in the cyber security domain. Pie framework tie present employs an adaptive fusion system driven by a mining system focused oil the discovery of new threats. We conclude with a discussion of experimental results, deployment issues, anal a summary of our arguments.