Author : Hacker Academy
The Active Defense System aims to detect malware and bots. Researchers have proposed various ways to identify malware using machine learning and clustering techniques. However, most of these methods are unsuitable for real enterprise networks because their training procedures are impractical or they require large amounts of storage. In this paper, we introduce a new automated system called BFH (BotFinder through Honeypots). BFH uses honeypots to recognise infected hosts in a real enterprise network with a machine learning approach. Our solution detects malware-infected bots by analysing NetFlow data together with samples collected from 97 different honeypot systems. The BFH model is trained on these samples, which are passed to a classification unit for grouping; the resulting model is then used to detect malware in NetFlow data. The results are verified against a one-month full packet capture and against tools that identify malicious domains. BFH detects infected hosts effectively with minimal false positives and covers recent malware families observed by the 97 honeypots. It is scalable and supports large networks, as demonstrated by its deployment in a large-scale enterprise network in Turkey on Hadoop infrastructure.