PhD Seminar Course on

Botnet detection and malware analysis - A Machine Learning Approach

Cagliari, November 18-20, 2008



Instructor: Prof. Wenke Lee
College of Computing, Georgia Tech (Atlanta, USA)
Duration: 8 hours
Schedule:
  • Tue November 18 14-16
  • Wed November 19 14-17
  • Thu November 20 10-13
Venue:
  • Tue 18, Wed 19 - Aula Mocci, Padiglione A
  • Thu 20 - Aula X Ingegneria (via is Maglias)
Topics:

Lecture 1: Data Mining for Intrusion Detection
In this lecture, the basics in applying data mining techniques to intrusion detection will be discussed. Basic elements in building an intrusion detection system will be first provided. Then, a data mining framework for constructing features and models for intrusion detection systems will be described. Moreover, how to learn models that are cost-sensitive and how to lean attack scenarios from intrusion alert data will be discussed.

Lecture 2: Accuracy and Robustness Issues in Intrusion Detection
The first part of this lecture concerns how to learn a cascade anomaly detection system that has high detection rate and low false positive rate. Also, both a "polymorphic blending attack" that can defeat simple anomaly detection system and machine-learning based method to improve the robustness of detection models will be described. Moreover, a "noise injection attack" that can defeat syntactic learners of worm signatures will be described.

Lecture 3: Botnet detection in enterprise network
A brief background on botnets will be firstly provided. Then, three botnet detection systems (BotHunter, BotSniffer, and BotMiner) will be described. BotHunter uses "vertical correlation" to analyze events involving a host that match the life-cycle of botnet. BotSniffer uses "horizontal correlation" to detect a host or group of hosts that have synchronized communication or malicious activity traffic that suggest bot-like behavior. BotMiner is more general: it clusters hosts with similar communication traffic, clusters hosts with similar malicious activity traffic, and find the intersection of the hosts to detect bots.

Organizer: Prof. Fabio Roli
Dep. of Electrical and Electronic Engineering
University of Cagliari, Italy
Email: roli@diee.unica.it