Conference Paper

Detection of botnets using combined host- and network-level information.

DOI: 10.1109/DSN.2010.5544306 Conference: Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2010, Chicago, IL, USA, June 28 - July 1 2010
Source: DBLP

ABSTRACT Bots are coordinated by a command and control (C&C) infrastructure to launch attacks that seriously threaten the Internet services and users. Most botnet-detection approaches function at the network level and require the analysis of packets' payloads, raising privacy concerns and incurring large computational overheads. Moreover, network traffic analysis alone can seldom provide a complete picture of botnets' behavior. By contrast, in-host detection approaches are useful to identify each bot's host-wide behavior, but are susceptible to the host-resident malware if used alone. To address these limitations, we consider both the coordination within a botnet and the malicious behavior each bot exhibits at the host level, and propose a C&C protocol-independent detection framework that combines host- and network-level information for making detection decisions. The framework is shown to be effective in detecting various types of botnets with low false-alarm rates.

  • Source
    Advances in Digital Forensics VII - 7th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA, January 31 - February 2, 2011, Revised Selected Papers; 01/2011
  • [Show abstract] [Hide abstract]
    ABSTRACT: As Internet becomes part of our daily life, Botnet (BotNetwork) attacker take advantage of it to misuse in different ways. Botnet is a collection of interconnected compromised computers (Bots) which are remotely controlled by its owner (BotMaster) under a common command-and-control(C&C) infrastructure. Botnets can be innovatively designed propositionally for technology improvement, which makes the bonet detection a challenging problem. As P2P (peer to peer) Botnet has a unique distributed attacking behavior, it is difficult to detect this bot. Thus to build an efficient botnet detection system we coined a framework that combines host level information and network level information for p2p botnet detection.
    Computing Communication & Networking Technologies (ICCCNT), 2012 Third International Conference on; 01/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: Approximate Hash Based Matching (AHBM), also known as Fuzzy Hashing, is used to identify complex and unstructured data that has a certain amount of byte-level similarity. Common use cases include the identification of updated versions of documents and fragments recovered from memory or deleted files. Though several algorithms exist, there has not yet been an extensive focus on its practical use in digital investigations. The paper addresses the research question: How can AHBM be applied in digital investigations? It focuses on common scenarios in which AHBM can be applied, as well as the potential significance of its results. First, an assessment of AHBM for digital investigations with respect to existing algorithms and requirements for efficiency and precision is given. Then follows a description of scenarios in which it can be applied. The paper presents three modes of operation for Approximate Matching, namely searching, streaming and clustering. Each of the modes are tested in practical experiments. The results show that AHBM has great potential for helping investigators discover information based on data similarity. Three open source tools were implemented during the research leading up to this paper: Autopsy AHBM enables AHBM in an existing digital investigation framework, sddiff helps understanding AHBM results through visualization, and makecluster improves analysis of graphs generated from large datasets by storing each disjunct cluster separately.
    Digital Investigation 05/2014; · 0.63 Impact Factor


Available from