Ricardo Villamarín-Salomón
José Carlos Brustoloni
ABSTRACT
Bots often are detected by their communication with a command and control (C&C) infrastructure. To evade detection, botmasters are increasingly obfuscating C&C communications, e.g., by using fastflux or peer-to-peer protocols. However, commands tend to elicit similar actions in bots of a same botnet. We propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and sensitivity analysis suggest that the proposed method is effective and robust.
- K. Ishibashi, T. Toyono, K. Toyama, M. Ishino, H. Ohshima, I. Mizukoshi, "Detecting MassMailing Worm Infected Hosts by Mining DNS Traffic Data," ACM Symposium proceedings on Communications architectures and protocols (SIGCOMM '05), pp 159--164, August 2005. Google Scholar
Digital Library
- J. Stewart. "Truman - The Reusable Unknown Malware Analysis Net." {Online} http://www.secureworks.com/research/tools/truma.htmlGoogle Scholar
- Pang-Ning Tan, Michael Steinbach, Vipin Kumar, "Introduction to Data Mining" (1st ed.) Google ScholarDigital Library
- McAfee © SiteAdvisor, "Report for cpaclicks.com," {Online} http://www.siteadvisor.com/sites/cpaclicks.comGoogle Scholar
- The Honeynet Project, "Know your Enemy: Tracking Botnets -- Bot-Commands", {Online} http://honeynet.org/papers/bots/botnet-commands.htmlGoogle Scholar
- Kaspersky Lab's VirusList.com, "Backdoor.SdBot.gen" http://viruslist.com/en/viruses/encyclopedia?virusid=24976Google Scholar
- Kaspersky Lab's VirusList.com, "Net-Worm.Win32.Bobic.k", {Online} http://viruslist.com/en/viruses/encyclopedia?virusid=90085Google Scholar
- Shawn Collins' Affiliate Marketing Blog, "Florida Attorney General Investigates Affiliate Marketers," {Online} http://blog.affiliatetip.com/archives/florida-attorney-general-investigates-affiliate-marketers/Google Scholar
- F. Weimer. "Passive DNS Replication," in Proc. 17th Annual FIRST Conf., July 2005. {Online} http://www.first.org/conference/2005/papers/florian-weimer-paper-1.pdfGoogle Scholar
- Kaspersky Lab's VirusList.com, "Email-Worm.Win32.NetSky.ae," {Online} http://viruslist.com/en/viruses/encyclopedia?virusid=50431Google Scholar
- MWCollect. "Malware Dedicated Whitehats." {Online} http://www.mwcollect.org/Google Scholar
- VirusTotal. "Free Online Virus and Malware Scan." {Online} http://www.virustotal.com/Google Scholar
- Gary Robinson. "A statistical approach to the spam problem". In Linux Journal 107, March 2003, {Online} http://www.linuxjournal.com/article.php?sid=6467 Google ScholarDigital Library
- Gary Robinson, "Spam Detection", {Online} http://radio.weblogs.com/0101454/stories/2002/09/16/spamDetection.htmlGoogle Scholar
- Greg Louis, "Bogofilter Calculations: Comparing Geometric Mean with Fisher's Method for Combining Probabilities," {Online} http://www.bgl.nu/bogofilter/fisher.htmlGoogle Scholar
- N. Ianelli and A. Hackworth. Botnets as a Vehicle for Online Crime. CERT Coordination Center, 2005.Google Scholar
- Evan Cooke and Farnam Jahanian. The zombie roundup: Understanding, detecting, and disrupting botnets. In Steps to Reducing Unwanted Traffic on the Internet Workshop, 2005. Google ScholarDigital Library
- Shadowserver Foundation. {Online} http://shadowserver.org/wiki/pmwiki.php?n=Shadowserver.ShadowserverGoogle Scholar
- Honeynet Project. "Know Your Enemy: Fast-Flux Service Networks." {Online} http://www.honeynet.org/papers/ff/fast-flux.pdfGoogle Scholar
- Paul Graham, "A Plan for Spam," {Online} http://www.paulgraham.com/spam.html.Google Scholar
- Jonathan Zdziarski, "Ending Spam: Bayesian Content Filtering and the Art of Statistical Language Classification". No Starch Press, 2005. Google ScholarDigital Library
- Paul Albitzand and Cricket Liu, "DNS and BIND". O'Reilly and Associates, 2001. Google ScholarDigital Library
- Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim, "Botnet Detection by Monitoring Group Activities in DNS Traffic," in 7th IEEE International Conference on Computer and Information Technology (CIT), 2007. Google ScholarDigital Library
- G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee: "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In Proc. of USENIX Security Symposium, Boston, MA, August 2007. Google ScholarDigital Library
- M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. "A multi-faceted approach to understanding the botnet phenomenon". In Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference, Brazil, October 2006. Google ScholarDigital Library
- G. Gu, J. Zhang and W. Lee. "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic," in Proceedings of the 15th Annual Network and Distributed System Security Symposium, ISOC, February 2008.Google Scholar
- David Heckerman. "A tutorial on learning with Bayesian networks." In Michael Jordan, editor, Learning in Graphical Models, pages 301--354. Kluwer Academic, 1998. Google ScholarDigital Library
- M. K. Reiter and T.-F. Yen. "Traffic aggregation for malware detection." In Proceedings of the Fifth GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'08), 2008. Google ScholarDigital Library
- Inoue, D. Yoshioka, K. Eto, M. Hoshizawa, Y. Nakao, K. "Malware Behavior Analysis in Isolated Miniature Network for Revealing Malware's Network Activity". IEEE International Conference on Communications (ICC) 2008.Google Scholar
- Villamarín-Salomón, R., Brustoloni, J. C. "Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic". 5th IEEE Consumer Communications and Networking Conference (CCNC), 2008.Google Scholar
Index Terms
- Bayesian bot detection based on DNS traffic similarity
Recommendations
Identifying botnets by capturing group activities in DNS traffic
Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, ...
Classification of Botnet Detection Based on Botnet Architechture
CSNT '12: Proceedings of the 2012 International Conference on Communication Systems and Network TechnologiesNowadays, Botnets pose a major threat to the security of online ecosystems and computing assets. A Botnet is a network of computers which are compromised under the influence of Bot (malware) code. This paper clarifies Botnet phenomenon and discusses ...
The Next Malware Battleground: Recovery After Unknown Infection
Malware has become a natural aspect of Internet computing due to the imperfectness of systems that identify malware and prevent their installation. Our ability to control the volume of unwanted and malicious traffic on the Internet—the spam messages, ...
Comments