Conference Paper

Detection of botnets using combined host- and network-level information.

DOI: 10.1109/DSN.2010.5544306
Conference: Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2010, Chicago, IL, USA, June 28 - July 1, 2010
Source: DBLP

ABSTRACT: Bots are coordinated by a command and control (C&C) infrastructure to launch attacks that seriously threaten Internet services and users. Most botnet-detection approaches function at the network level and require the analysis of packet payloads, raising privacy concerns and incurring large computational overheads. Moreover, network traffic analysis alone can seldom provide a complete picture of botnets' behavior. By contrast, in-host detection approaches are useful to identify each bot's host-wide behavior, but are susceptible to host-resident malware if used alone. To address these limitations, we consider both the coordination within a botnet and the malicious behavior each bot exhibits at the host level, and propose a C&C protocol-independent detection framework that combines host- and network-level information for making detection decisions. The framework is shown to be effective in detecting various types of botnets with low false-alarm rates.
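The abstract's central idea, that a host is flagged only when host-level misbehavior coincides with network-level coordination, can be illustrated with a toy correlator. This is an added example, not the paper's own algorithm (the abstract does not spell one out); the host events, flow records, hosts h1-h5 and thresholds are all constructed, and the network signal deliberately uses only flow metadata, never payloads, mirroring the C&C protocol-independent design the abstract describes.

```python
"""Toy combined host/network bot detector (added illustration, not the paper's method).
Constructed sample data: hosts h1..h5, destinations from documentation ranges."""
from collections import defaultdict
from itertools import combinations

# Constructed host-level observations: (host, suspicious behaviour seen on that host).
HOST_EVENTS = [
    ("h1", "unsigned binary opened network listener"),
    ("h1", "persistence entry written"),
    ("h2", "unsigned binary opened network listener"),
    ("h2", "persistence entry written"),
    ("h4", "persistence entry written"),  # lone noisy host: host evidence only
]

# Constructed flow metadata only, no payload: (host, dst, minute, bytes).
FLOWS = [
    ("h1", "203.0.113.7", 0, 420), ("h1", "203.0.113.7", 10, 418),
    ("h2", "203.0.113.7", 0, 421), ("h2", "203.0.113.7", 10, 419),
    ("h3", "192.0.2.1", 0, 76), ("h5", "192.0.2.1", 0, 76),   # time-sync-like, benign
    ("h3", "192.0.2.1", 10, 76), ("h5", "192.0.2.1", 10, 76),  # coordinated but clean hosts
    ("h4", "198.51.100.9", 3, 9000),
]

def host_scores(events):
    """Number of distinct suspicious behaviours observed per host."""
    seen = defaultdict(set)
    for host, behaviour in events:
        seen[host].add(behaviour)
    return {host: len(b) for host, b in seen.items()}

def coordinated_groups(flows, min_shared=2):
    """Pairs of hosts contacting the same destination on the same schedule
    at least `min_shared` times: a payload-free signal of coordination."""
    schedule = defaultdict(set)  # (dst, minute) -> hosts active in that slot
    for host, dst, minute, _ in flows:
        schedule[(dst, minute)].add(host)
    shared = defaultdict(int)
    for hosts in schedule.values():
        for a, b in combinations(sorted(hosts), 2):
            shared[(a, b)] += 1
    return {pair for pair, n in shared.items() if n >= min_shared}

def detect(events, flows, min_host=2):
    """Flag a host only when both evidence types agree: h4 (host-only) and
    h3/h5 (coordination-only) are not reported, h1 and h2 are."""
    scores = host_scores(events)
    coordinated = {h for pair in coordinated_groups(flows) for h in pair}
    return sorted(h for h in coordinated if scores.get(h, 0) >= min_host)
```

Either signal alone would raise a false alarm here (h4 from host evidence, h3 and h5 from the shared schedule); requiring both is what keeps the false-alarm rate low.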

  • ABSTRACT: We consider a number of `honest' mobile agents which are initially scattered in an asynchronous network. In the network there is also a hostile mobile agent that is able to block the agents' movements. The honest agents need to meet (rendezvous) at a node. We study this problem under a weakest scenario in which the agents do not have any information about the size of the network or their number, they do not have distinct identities, they cannot see or communicate with each other unless they are at the same node, and they only have constant memory. We give a universal distributed deterministic algorithm that solves the problem for any number of more than two honest agents in oriented rings, and for any odd number of agents in unoriented rings, despite the existence of a malicious agent. We prove that the problem is unsolvable in any other configuration in a ring network. Then, we study the problem in an oriented mesh network and we prove that the problem can be solved if and only if the honest agents initially form a connected configuration without holes and they can see at a distance two. To the best of our knowledge, this is the first attempt to study such a weak setting with a malicious agent in which the aim of the honest agents is to achieve a task in the `trusted' subnetwork, i.e., in the part of the network where the malicious agent has no access.
  • ABSTRACT: As the Internet becomes part of our daily life, Botnet (BotNetwork) attackers take advantage of it to misuse it in different ways. A Botnet is a collection of interconnected compromised computers (Bots) which are remotely controlled by its owner (BotMaster) under a common command-and-control (C&C) infrastructure. Botnets can be innovatively designed propositionally for technology improvement, which makes botnet detection a challenging problem. As a P2P (peer-to-peer) Botnet has a unique distributed attacking behavior, it is difficult to detect this bot. Thus, to build an efficient botnet detection system we coined a framework that combines host-level information and network-level information for P2P botnet detection.
    Computing Communication & Networking Technologies (ICCCNT), 2012 Third International Conference on; 01/2012
  • ABSTRACT: Approximate Hash Based Matching (AHBM), also known as Fuzzy Hashing, is used to identify complex and unstructured data that has a certain amount of byte-level similarity. Common use cases include the identification of updated versions of documents and fragments recovered from memory or deleted files. Though several algorithms exist, there has not yet been an extensive focus on its practical use in digital investigations. The paper addresses the research question: How can AHBM be applied in digital investigations? It focuses on common scenarios in which AHBM can be applied, as well as the potential significance of its results. First, an assessment of AHBM for digital investigations with respect to existing algorithms and requirements for efficiency and precision is given. Then follows a description of scenarios in which it can be applied. The paper presents three modes of operation for Approximate Matching, namely searching, streaming and clustering. Each of the modes is tested in practical experiments. The results show that AHBM has great potential for helping investigators discover information based on data similarity. Three open source tools were implemented during the research leading up to this paper: Autopsy AHBM enables AHBM in an existing digital investigation framework, sddiff helps in understanding AHBM results through visualization, and makecluster improves analysis of graphs generated from large datasets by storing each disjunct cluster separately.
    Digital Investigation, 05/2014

