Themis: Data Driven Approach to Botnet Detection

Abstract

The timely detection of hosts infected with botnet malware is an important task, since botnets are responsible for many recent security incidents. We propose Themis, an approach based on inferring the structure of time-varying IP-to-IP communication with the Stochastic Block Model (SBM). Themis uses the inferred structure to detect and quantify abnormal behavior of individual hosts. The novelty of our approach is the use of probabilistic inference directly on host interactions to model normality. The challenges of our approach are adapting the inference process to obtain a usable output in a dynamic system, and specifying abnormal behavior with respect to the inferred structure. Themis is able to distinguish between infected and benign hosts with an accuracy larger than 95 % and compares favorably against state-of-the-art botnet detection mechanisms [1].

Authors
  • Kalmbach, Patrick
  • Blenk, Andreas
  • Kellerer, Wolfgang
  • Schmid, Stefan
Supplemental Material
Shortfacts
Category: Paper in Conference Proceedings or in Workshop Proceedings (Other)
Event Title: 37th IEEE Conference on Computer Communications (INFOCOM)
Divisions: Communication Technologies
Subjects: Computer Science, General
Event Location: Honolulu, Hawaii, USA
Event Type: Conference
Event Dates: April 2018
Date: 2018