Detection of Botnet Activities Through the Lens of a Large-Scale Darknet

The growing cyber-threats from botnets compel us to devise proper countermeasures to detect infected hosts in an efficient and timely manner. In this paper, botnet-host identification is approached from a new perspective: by exploiting the temporal coincidence of botnet activities visible in the darknet, botnet probing campaigns and botnet hosts can be detected with high accuracy and efficiency. The insights into botnet behavioral characteristics and the automated detection results obtained from this study suggest a promising expedient for botnet take-down and host reputation management on the Internet.
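The following is an added illustration of the temporal-coincidence idea stated in the abstract; it is not the paper's own method or data. The darknet records, the one-minute window, the similarity threshold and the minimum-activity filter are constructed assumptions used to show how hosts whose unsolicited probes land in the same time windows can be grouped into a candidate campaign.

```python
from collections import defaultdict
from itertools import combinations

WINDOW = 60  # assumed bin width in seconds for time-coincidence comparison


def constructed_records():
    """Constructed darknet (network telescope) records: (epoch_seconds, src_ip, dst_port).
    Every packet reaching a darknet is unsolicited, so each record is a probe."""
    recs = []
    # Three hosts of a synthetic campaign probe TCP/445 in the same six one-minute windows.
    for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for minute in (0, 1, 2, 3, 4, 5):
            recs.append((minute * 60 + 7, src, 445))
    # An unrelated scanner that is active in mostly different windows.
    for minute in (2, 9, 15, 21):
        recs.append((minute * 60 + 30, "198.51.100.7", 22))
    # A host seen only once: too sparse to say anything about coincidence.
    recs.append((600, "203.0.113.5", 3389))
    return recs


def activity_profile(records, window=WINDOW):
    """Map each source host to the set of time bins in which it probed the darknet."""
    profile = defaultdict(set)
    for ts, src, _port in records:
        profile[src].add(ts // window)
    return profile


def jaccard(a, b):
    """Similarity of two sets of time bins (1.0 = identical activity windows)."""
    return len(a & b) / len(a | b)


def coincident_groups(records, window=WINDOW, threshold=0.8, min_bins=3):
    """Cluster hosts whose darknet activity coincides in time.
    Hosts with fewer than min_bins active windows are ignored; pairs whose
    bin sets have Jaccard similarity >= threshold are merged (union-find)."""
    profile = activity_profile(records, window)
    hosts = [h for h, bins in profile.items() if len(bins) >= min_bins]
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(hosts, 2):
        if jaccard(profile[a], profile[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for h in hosts:
        groups[find(h)].add(h)
    # Only multi-host groups are candidate campaigns; single hosts carry no coincidence signal.
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)
```

On the constructed records the three 192.0.2.x hosts form one group, the lone scanner and the one-off host do not; in practice the window and threshold would be tuned against the telescope's background radiation.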
