A Combined Fusion and Data Mining Framework for the Detection of Botnets

This paper describes a combined fusion and mining framework applied to the detection of stealthy botnets.The framework leverages a fusion engine that tracks hosts through the use of feature-based profiles generated from multiple network sensor types. These profiles are classified and correlated based on a set of known host profiles, e.g., web servers, mail servers,and bot behavioral characteristics. A mining engine discovers emergent threat profiles and delivers them to the fusion engine for processing. We describe the distributed nature of botnets and how they are created and managed. We then describe a combined fusion and mining model that builds on recent work in the cybersecurity domain. The framework we present employs an adaptive fusion system driven by a mining system focused on the discovery of new threats. We conclude with a discussion of experimental results, deployment issues, and a summary of our arguments.