Patent · US Active

Botnet early detection using hybrid hidden markov model algorithm

US8307459B2 · kind B2 · utility

4Cited by

1References

18Claims

0Family size

Assignee

National Taiwan University of Science and Technology · TW

Inventors

Hahn-Ming Lee · New Taipei, TW
Ching-Hao Mao · Taipei, TW
Yu-Jie Chen · Taipei, TW
Yi-Hsun Wang · New Taipei, TW
Jerome Yeh · Taipei, TW
Tsu-Han Chen · Wexford, US

Key dates

Filing date	Mar 17, 2010
Grant date	Nov 6, 2012
Priority date	—
Expiry date	Jan 4, 2031

Classification

Technology area (CPC H)Electricity
CPC primaryH04L2463/144
WIPO fieldDigital communication
WIPO sectorElectrical engineering

Abstract

A botnet detection system is provided. A bursty feature extractor receives an Internet Relay Chat (IRC) packet value from a detection object network, and determines a bursty feature accordingly. A Hybrid Hidden Markov Model (HHMM) parameter estimator determines probability parameters for a Hybrid Hidden Markov Model according to the bursty feature. A traffic profile generator establishes a probability sequential model for the Hybrid Hidden Markov Model according to the probability parameters and pre-defined network traffic categories. A dubious state detector determines a traffic state corresponding to a network relaying the IRC packet in response to reception of a new IRC packet, determines whether the IRC packet flow of the object network is dubious by applying the bursty feature to the probability sequential model for the Hybrid Hidden Markov Model, and generates a warning signal when the IRC packet flow is regarded as having a dubious traffic state.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.