Open AccessProceedings Article
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
Guofei Gu,Junjie Zhang,Wenke Lee +2 more
TLDR
This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C &C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.Abstract:
Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.read more
Citations
More filters
Proceedings Article
Understanding the mirai botnet
Manos Antonakakis,Tim April,Michael Bailey,Matthew Bernhard,Elie Bursztein,Jaime Cochran,Zakir Durumeric,J. Alex Halderman,Luca Invernizzi,Michalis Kallitsis,Deepak Kumar,Chaz Lever,Zane Ma,Joshua Mason,D. Menscher,Chad Seaman,Nick Sullivan,Kurt Thomas,Yi Zhou +18 more
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Proceedings Article
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection
TL;DR: This paper presents a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C &C server names/addresses).
Proceedings ArticleDOI
Attacks against process control systems: risk assessment, detection, and response
TL;DR: By incorporating knowledge of the physical system under control, this paper is able to detect computer attacks that change the behavior of the targeted control system and analyze the security and safety of the mechanisms by exploring the effects of stealthy attacks, and by ensuring that automatic attack-response mechanisms will not drive the system to an unsafe state.
Journal ArticleDOI
An empirical comparison of botnet detection methods
TL;DR: It is concluded that comparing methods indeed helps to better estimate how good the methods are, to improve the algorithms, to build better datasets and to build a comparison methodology.
Proceedings Article
From throw-away traffic to bots: detecting the rise of DGA-based malware
Manos Antonakakis,Roberto Perdisci,Yacin Nadji,Nikolaos Vasiloglou,Saeed Abu-Nimeh,Wenke Lee,David Dagon +6 more
TL;DR: A new technique to detect randomly generated domains without reversing is presented, finding that most of the DGA-generated domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same bot-net (with the same DGA algorithm) would generate similar NXDomain traffic.
References
More filters
Journal Article
Spectral Analysis and Time Series
TL;DR: In this article, the authors introduce the concept of Stationary Random Processes and Spectral Analysis in the Time Domain and Frequency Domain, and present an analysis of Processes with Mixed Spectra.
Proceedings Article
Snort - Lightweight Intrusion Detection for Networks
TL;DR: Snort provides a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected.
Book
Probability and statistics
TL;DR: In this paper, the authors define the notion of conditional probability as the probability of a union of events with respect to a given set of variables, and define a set of classes of variables.
Proceedings Article
BotHunter: detecting malware infection through IDS-driven dialog correlation
TL;DR: A new kind of network perimeter monitoring strategy, which focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection, and contrast this strategy to other intrusion detection and alert correlation methods.
Proceedings ArticleDOI
Fast portscan detection using sequential hypothesis testing
TL;DR: TRW (Threshold Random Walk), an online detection algorithm that identifies malicious remote hosts requires a much smaller number of connection attempts compared to previous schemes, while also providing theoretical bounds on the low probabilities of missed detection and false alarms.