Hidden Markov model for malicious hosts detection in a computer network

  • Yakov V. Bubnov, Belarusian State University of Informatics and Radioelectronics, 6 Pietrusia Broŭki Street, Minsk 220013, Belarus. ORCID: https://orcid.org/0000-0003-0768-5746
  • Nick N. Ivanov, Belarusian State University of Informatics and Radioelectronics, 6 Pietrusia Broŭki Street, Minsk 220013, Belarus. ORCID: https://orcid.org/0000-0002-8253-2793

Abstract

The problem of malicious host detection in a computer network is reviewed. The activity of computer network hosts is tracked by a noisy detector. The paper proposes a method for detecting malicious hosts by classifying their activity time series. The approach is based on a hidden Markov chain model that analyses the time series and on a consecutive search for the most probable final state of the model. The efficiency of the approach rests on the assumption that advanced persistent threats are localised in time, so malicious hosts in a computer network can be detected by comparing their activity with that of reliable safe hosts.
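As an added illustration (not code from the paper; the two-state model, its probabilities, the low/medium/high quantisation and the sample activity counts are all constructed assumptions), a hidden Markov model with log-space Viterbi decoding that labels a host by the most probable final state, with the quantisation thresholds taken from hosts assumed safe:

```python
from math import log

# Constructed model (assumption, not the paper's parameters): two hidden states
# and three observation symbols obtained by quantising per-interval activity.
STATES = ("safe", "malicious")
START = {"safe": 0.9, "malicious": 0.1}
TRANS = {
    "safe": {"safe": 0.95, "malicious": 0.05},
    "malicious": {"safe": 0.10, "malicious": 0.90},
}
EMIT = {
    "safe": {"low": 0.6, "medium": 0.3, "high": 0.1},
    "malicious": {"low": 0.1, "medium": 0.3, "high": 0.6},
}

# Constructed sample data: per-interval activity counts (e.g. requests per minute)
# for two hosts assumed safe and one host under suspicion.
SAFE_HOSTS = [[3, 5, 4, 6, 5, 4, 7, 5], [2, 4, 3, 5, 4, 6, 4, 3]]
SUSPECT = [4, 5, 3, 40, 55, 38, 61, 47]

def thresholds_from_safe_hosts(safe_series):
    """Baseline from reliable safe hosts: counts up to their median are 'low',
    counts above their maximum are 'high', anything between is 'medium'."""
    samples = sorted(c for series in safe_series for c in series)
    return samples[len(samples) // 2], samples[-1]

def quantise(series, low_max, high_min):
    return ["low" if c <= low_max else "high" if c > high_min else "medium"
            for c in series]

def viterbi(observations):
    """Most probable hidden-state path; log space avoids underflow on long series."""
    score = {s: log(START[s]) + log(EMIT[s][observations[0]]) for s in STATES}
    back = []
    for obs in observations[1:]:
        new_score, ptr = {}, {}
        for s in STATES:
            prev, best = max(((p, score[p] + log(TRANS[p][s])) for p in STATES),
                             key=lambda x: x[1])
            new_score[s], ptr[s] = best + log(EMIT[s][obs]), prev
        back.append(ptr)
        score = new_score
    state = max(STATES, key=lambda s: score[s])
    path = [state]
    for ptr in reversed(back):          # follow back-pointers from the final state
        state = ptr[state]
        path.append(state)
    return path[::-1]

def classify_host(series, low_max, high_min):
    """Label a host by the most probable final state of the model."""
    return viterbi(quantise(series, low_max, high_min))[-1]
```

Calling `classify_host(SUSPECT, *thresholds_from_safe_hosts(SAFE_HOSTS))` labels the suspect host "malicious", with the decoded path switching state at the first "high" interval.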

Author Biographies

Yakov V. Bubnov, Belarusian State University of Informatics and Radioelectronics, 6 Pietrusia Broŭki Street, Minsk 220013, Belarus

postgraduate student at the department of electronic computing machines, faculty of computer systems and networks

Nick N. Ivanov, Belarusian State University of Informatics and Radioelectronics, 6 Pietrusia Broŭki Street, Minsk 220013, Belarus

PhD (physics and mathematics); associate professor at the department of electronic computing machines, faculty of computer systems and networks

Published

2020-12-08

Keywords: hidden Markov model, computer network, advanced persistent threat, time series classification

How to Cite

Bubnov, Y. V., & Ivanov, N. N. (2020). Hidden Markov model for malicious hosts detection in a computer network. Journal of the Belarusian State University. Mathematics and Informatics, 3, 73-79. https://doi.org/10.33581/2520-6508-2020-3-73-79