Conference Paper

Detection of botnets using combined host- and network-level information.

DOI: 10.1109/DSN.2010.5544306
Conference: Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2010, Chicago, IL, USA, June 28 - July 1, 2010
Source: DBLP

ABSTRACT: Bots are coordinated by a command and control (C&C) infrastructure to launch attacks that seriously threaten Internet services and users. Most botnet-detection approaches function at the network level and require the analysis of packets' payloads, raising privacy concerns and incurring large computational overheads. Moreover, network traffic analysis alone can seldom provide a complete picture of botnets' behavior. By contrast, in-host detection approaches are useful to identify each bot's host-wide behavior, but are susceptible to host-resident malware if used alone. To address these limitations, we consider both the coordination within a botnet and the malicious behavior each bot exhibits at the host level, and propose a C&C protocol-independent detection framework that combines host- and network-level information for making detection decisions. The framework is shown to be effective in detecting various types of botnets with low false-alarm rates.

  • ABSTRACT: A Botnet is a network of compromised machines which are controlled by a person called the botmaster via a typical Command and Control (C&C) structure. Besides malicious activity on the infected host, bots are employed to deliver attacks against outside targets, including phishing, Distributed Denial of Service (DDoS) attacks and spamming. Countermeasures against the Botnet phenomenon are usually formed based on passive traffic analysis at the network level. This limits encountering Botnets in a proactive manner. In this paper, we propose a real-time approach which not only detects Botnet traffic on the host, but also can filter it from outgoing traffic in order to suppress the Botnet. Our approach works by detecting Botnet communication patterns which belong to a centralized C&C structure. The capability of bot detection by real-time processing of host-related data solely distinguishes our work from other existing approaches.
    Telecommunications (IST), 2012 Sixth International Symposium on; 01/2012
  • ABSTRACT: As the Internet becomes part of our daily life, Botnet (BotNetwork) attackers take advantage of it to misuse it in different ways. A Botnet is a collection of interconnected compromised computers (Bots) which are remotely controlled by its owner (BotMaster) under a common command-and-control (C&C) infrastructure. Botnets can be innovatively designed propositionally for technology improvement, which makes botnet detection a challenging problem. As a P2P (peer to peer) Botnet has a unique distributed attacking behavior, it is difficult to detect this bot. Thus, to build an efficient botnet detection system, we coined a framework that combines host-level information and network-level information for P2P botnet detection.
    Computing Communication & Networking Technologies (ICCCNT), 2012 Third International Conference on; 01/2012
  • ABSTRACT: Approximate Hash Based Matching (AHBM), also known as Fuzzy Hashing, is used to identify complex and unstructured data that has a certain amount of byte-level similarity. Common use cases include the identification of updated versions of documents and fragments recovered from memory or deleted files. Though several algorithms exist, there has not yet been an extensive focus on its practical use in digital investigations. The paper addresses the research question: How can AHBM be applied in digital investigations? It focuses on common scenarios in which AHBM can be applied, as well as the potential significance of its results. First, an assessment of AHBM for digital investigations with respect to existing algorithms and requirements for efficiency and precision is given. Then follows a description of scenarios in which it can be applied. The paper presents three modes of operation for Approximate Matching, namely searching, streaming and clustering. Each of the modes is tested in practical experiments. The results show that AHBM has great potential for helping investigators discover information based on data similarity. Three open source tools were implemented during the research leading up to this paper: Autopsy AHBM enables AHBM in an existing digital investigation framework, sddiff helps in understanding AHBM results through visualization, and makecluster improves analysis of graphs generated from large datasets by storing each disjunct cluster separately.
    Digital Investigation; 05/2014
