ABSTRACT
Recent malicious activity increasingly aims at financial gain through botnets, which have become one of the major Internet security problems. Botnets enable severe threats such as DDoS attacks, identity theft, spamming and click fraud. In this paper, we define group activity as an inherent property of botnets. Based on a group activity model and metric, we develop a botnet detection mechanism called BotGAD (Botnet Group Activity Detector). BotGAD can detect unknown botnets in large-scale networks in real time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their code. We implemented BotGAD on DNS traffic and showed its effectiveness through experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two-day campus network traces.
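The abstract describes detecting a botnet from the group activity of infected hosts in DNS traffic without defining the metric. The following is an added example, not the BotGAD implementation from the paper: it scores each queried name by how stable the set of hosts querying it stays across consecutive time windows (Jaccard similarity of host sets), which is an assumed illustrative metric rather than the paper's own. The DNS log lines, names, hosts, window size and thresholds are all constructed for the example.

```python
"""Group-activity scoring over DNS query logs.

Added illustrative example; not the BotGAD implementation from the paper.
The metric (Jaccard similarity of the set of querying hosts between
consecutive time windows) is an assumption made for illustration.
"""
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch seconds> <client ip> <queried name>".
# cc.example.net is queried by almost the same small set of hosts in every window
# (botnet-like), www.example.org by different hosts in each window (ordinary popular
# site), and rare.example.com by a single host once.
SAMPLE_LOG = """\
5    10.0.0.1 cc.example.net
6    10.0.0.2 cc.example.net
7    10.0.0.3 cc.example.net
8    10.0.0.4 cc.example.net
10   10.0.1.1 www.example.org
20   10.0.1.2 www.example.org
30   10.0.1.3 www.example.org
40   10.0.0.9 rare.example.com
65   10.0.0.1 cc.example.net
66   10.0.0.2 cc.example.net
67   10.0.0.3 cc.example.net
68   10.0.0.4 cc.example.net
70   10.0.1.4 www.example.org
80   10.0.1.5 www.example.org
90   10.0.1.6 www.example.org
125  10.0.0.1 cc.example.net
126  10.0.0.2 cc.example.net
127  10.0.0.3 cc.example.net
130  10.0.1.7 www.example.org
140  10.0.1.8 www.example.org
150  10.0.1.9 www.example.org
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, name) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, name = line.split()
        records.append((int(ts), client, name.lower().rstrip(".")))
    return records


def hosts_per_window(records, window):
    """Map each queried name to {window index: set of hosts that queried it}."""
    groups = defaultdict(lambda: defaultdict(set))
    for ts, client, name in records:
        groups[name][ts // window].add(client)
    return groups


def jaccard(a, b):
    """Jaccard similarity of two sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_activity_score(windows):
    """Mean Jaccard similarity of host sets across consecutive observed windows.

    A stable group of hosts querying the same name window after window
    scores close to 1.0; a name queried by an ever-changing audience scores
    near 0.0. A name seen in fewer than two windows scores 0.0.
    """
    idx = sorted(windows)
    if len(idx) < 2:
        return 0.0
    sims = [jaccard(windows[i], windows[j]) for i, j in zip(idx, idx[1:])]
    return sum(sims) / len(sims)


def score_names(records, window=60, min_hosts=3):
    """Score every name whose largest per-window group has at least min_hosts members."""
    scores = {}
    for name, windows in hosts_per_window(records, window).items():
        if max(len(s) for s in windows.values()) < min_hosts:
            continue  # too few hosts to form a group; ignore
        scores[name] = round(group_activity_score(windows), 3)
    return scores


def detect(records, window=60, min_hosts=3, min_score=0.8):
    """Names whose querying-host group persists across windows above min_score."""
    return {n: s for n, s in score_names(records, window, min_hosts).items() if s >= min_score}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, score in sorted(score_names(recs).items()):
        print(f"{name:20s} score={score:.3f}")
    print("flagged:", detect(recs))
```

On the constructed log, cc.example.net scores 0.875 (one host drops out in the last window) and is flagged, www.example.org scores 0.0, and rare.example.com never forms a group. A legitimate service with a stable audience (an internal update server, a mail host) would score just as high as a rally domain, so in practice a score like this is a candidate generator to be combined with an allow list and other signals, not a verdict on its own.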
BotGAD: detecting botnets by capturing group activities in network traffic