A Review of SSH Botnet Detection in Initial Stages of Infection: A Machine Learning-Based Approach
Authors/Creators
- 1. University of Murcia, Spain
Description
Botnets are exponentially increasing because of new zero-day attacks, variations in their behavior, and obfuscation techniques that are not detected by traditional defense systems. Botnet detection has focused on intermediate phases of the botnet’s life cycle during operation, underestimating the initial phase of infection. Using SSH-based High Interaction Honeypots, we have designed a Machine Learning-based system capable of detecting the botnet infection phase in near real time, which was trained with a real dataset of executed commands and the network data obtained during SSH sessions. This approach reached a very high level of prediction and zero false negatives, where all known and unknown SSH sessions aimed at infecting our honeypots were detected.
Files
| Name | Size |
|---|---|
| JNIC 2021-A_Review_of_SSH_Botnet_Detection.pdf (md5:6258adc6fee2304a9efd91fb221cb726) | 468.6 kB |