Conference Paper

Detection of Botnets Using Combined Host- and Network-Level Information

DOI: 10.1109/DSN.2010.5544306
Conference: Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2010, Chicago, IL, USA, June 28 - July 1, 2010
Source: DBLP


Bots are coordinated by a command and control (C&C) infrastructure to launch attacks that seriously threaten Internet services and users. Most botnet-detection approaches operate at the network level and require analysis of packet payloads, which raises privacy concerns and incurs large computational overheads. Moreover, network traffic analysis alone can seldom provide a complete picture of a botnet's behavior. By contrast, in-host detection approaches are useful for identifying each bot's host-wide behavior, but are susceptible to host-resident malware if used alone. To address these limitations, we consider both the coordination within a botnet and the malicious behavior each bot exhibits at the host level, and propose a C&C protocol-independent detection framework that combines host- and network-level information to make detection decisions. The framework is shown to be effective in detecting various types of botnets with low false-alarm rates.

Cited in:
  • "On the other hand the botnet is dynamic, and it may reduce its dimension (i.e., the botmaster leaves the host) or it may increase it only on hosts not occupied, i.e., protected by an agent. Honest agents may expand towards the untrusted hosts which are not controlled by the botmaster anymore by running botnet detection mechanisms (see, e.g., [27]). We are then interested in solving the rendezvous problem in the trusted subnetwork, and we want to study how this malicious behaviour affects the solvability of the Rendezvous problem."
    Abstract: We consider a number of `honest' mobile agents which are initially scattered in an asynchronous network. In the network there is also a hostile mobile agent that is able to block the agents' movements. The honest agents need to meet (rendezvous) at a node. We study this problem under a weakest scenario in which the agents do not have any information about the size of the network or their number, they do not have distinct identities, they cannot see or communicate with each other unless they are at the same node, and they only have constant memory. We give a universal distributed deterministic algorithm that solves the problem for any number of more than two honest agents in oriented rings, and for any odd number of agents in unoriented rings, despite the existence of a malicious agent. We prove that the problem is unsolvable in any other configuration in a ring network. Then, we study the problem in an oriented mesh network and we prove that the problem can be solved if and only if the honest agents initially form a connected configuration without holes and they can see at a distance two. To the best of our knowledge, this is the first attempt to study such a weak setting with a malicious agent in which the aim of the honest agents is to achieve a task in the `trusted' subnetwork, i.e., in the part of the network where the malicious agent has no access.
  • "All of the above-mentioned approaches only apply to specific types of botnets requiring in-depth understanding of the C&C profiles prior to their detection. A few generic approaches can detect different types of botnets regardless of the C&C structure based on network packet and flow analysis [9] or combined host and flow analysis [10]. These approaches are effective for small-scale networks, such as in a campus or an enterprise network, but do not scale to large networks, because they need to obtain fine-grained information, such as packet content, flow patterns and host behavior."
    Abstract: Botnets are one of the most serious security threats to the Internet and its end users. In recent years, utilizing P2P as a Command and Control (C&C) protocol has become popular due to its decentralized nature that can help hide the botmaster's identity. Most bot detection approaches targeting P2P botnets either rely on behavior monitoring or traffic flow and packet analysis, requiring fine-grained information collected locally. This requirement limits the scale of detection. In this paper, we consider detection of P2P botnets at a high level (the infrastructure level) by exploiting their structural properties from a graph analysis perspective. Using three different P2P overlay structures, we measure the effectiveness of detecting each structure at various locations (the Autonomous System (AS), the Point of Presence (PoP), and the router rendezvous) in the Internet infrastructure.
    19th International Workshop on Quality of Service, IWQoS 2011, San Jose, California, USA, 6-7 June 2011; 01/2011