Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

Georges Bossert, Guillaume Hiet, Thibaut Henin
2011 2011 Conference on Network and Information Systems Security  
The purpose of this paper is the modelization and simulation of zombie machines for the evaluation of Network Intrusion Detection Systems (NIDS), used to detect botnets. We propose an automatic method to infer zombies behaviours through the analysis of messages exchanged with their masters. Once computed, a model provides a solution to generate realistic and manageable traffic, which is mandatory for an NIDS evaluation. We propose to use a Stochastic Mealy Machine to model zombies behaviour,
more » ... an active inference algorithm to learn it. With our approach, it is possible to generate a realistic traffic corresponding to the communications of botnets while ensuring its controllability in the context of an NIDS evaluation.
doi:10.1109/sar-ssi.2011.5931397 fatcat:ecz6j346srfcdcpjyjcczskh2q