Traditional reactive approach of blacklisting botnets fails to adapt to the
rapidly evolving landscape of cyberattacks. An automated and proactive approach
to detect and block botnet hosts will immensely benefit the industry.
Behavioral analysis of botnet is shown to be effective against a wide variety
of attack types. Current works, however, focus solely on analyzing network
traffic from and to the bots. In this work we take a different approach of
analyzing the chain of commands input by attackers in a compromised host. We
have deployed several honeypots to simulate Linux shells and allowed attackers
access to the shells to collect a large dataset of commands. We have further
developed an automated mechanism to analyze these data. For the automation we
have developed a system called CYbersecurity information Exchange with Privacy
(CYBEX-P). Finally, we have done a sequential analysis on the dataset to show
that we can successfully predict attacker behavior from the shell commands
without analyzing network traffic like previous works.

By admin