Discovering and analyzing deviant communities: Methods and experiments

Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of this can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.
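As an added illustration of the idea in the abstract (this is not the paper's code; the abstract does not give its role-assignment rules), the Python below builds a host graph from constructed flow records, splits it into relational communities, and labels the four roles the abstract names. The role rules are an assumed heuristic: a host with many two-way relations is the C2 candidate, a peer that talks only to the C2 is the botmaster, peers that also reach other hosts are bots, and silent hosts the bots send to are victims.

```python
from collections import defaultdict

# Constructed sample flows (src -> dst); not the paper's dataset. Bots check in
# with a C2 that answers, the botmaster instructs the C2, bots flood a victim.
FLOWS = [
    ("10.0.0.9", "198.51.100.5"), ("198.51.100.5", "10.0.0.9"),       # botmaster <-> C2
    ("192.0.2.11", "198.51.100.5"), ("198.51.100.5", "192.0.2.11"),   # bot <-> C2
    ("192.0.2.12", "198.51.100.5"), ("198.51.100.5", "192.0.2.12"),
    ("192.0.2.13", "198.51.100.5"), ("198.51.100.5", "192.0.2.13"),
    ("192.0.2.11", "203.0.113.7"), ("192.0.2.12", "203.0.113.7"), ("192.0.2.13", "203.0.113.7"),  # bots -> victim
    ("172.16.0.2", "172.16.0.3"), ("172.16.0.3", "172.16.0.2"),       # benign server with two clients
    ("172.16.0.2", "172.16.0.4"), ("172.16.0.4", "172.16.0.2"),
]

def build_graph(flows):
    out_n, in_n = defaultdict(set), defaultdict(set)
    for src, dst in flows:
        out_n[src].add(dst)
        in_n[dst].add(src)
    return out_n, in_n

def communities(out_n, in_n):
    """Weakly connected components: hosts related by any observed flow."""
    unseen = set(out_n) | set(in_n)
    while unseen:
        comp, stack = set(), [unseen.pop()]
        while stack:
            n = stack.pop()
            comp.add(n)
            stack.extend((out_n[n] | in_n[n]) - comp)
        unseen -= comp
        yield comp

def assign_roles(flows, min_fanin=3):
    """Return {host: role} for each community that contains a C2 candidate (assumed heuristic)."""
    out_n, in_n = build_graph(flows)
    roles = {}
    for comm in communities(out_n, in_n):
        # C2 candidate: a host with many two-way relations (check-in and reply).
        for c2 in [n for n in comm if len(in_n[n] & out_n[n]) >= min_fanin]:
            roles[c2] = "c2"
            for peer in in_n[c2]:
                # A peer that only ever talks to the C2 is a controller; peers
                # that also reach other hosts are the bots doing the attacking.
                roles[peer] = "botmaster" if out_n[peer] <= {c2} else "bot"
            bots = {p for p in in_n[c2] if roles[p] == "bot"}
            # Hosts the bots send to that never send anything are victims.
            for dst in set().union(*(out_n[b] for b in bots)) - {c2}:
                if not out_n[dst]:
                    roles[dst] = "victim"
    return roles
```

The benign community stays unlabelled because its server falls below `min_fanin`; in real traffic a busy legitimate server also has many two-way peers, so fan-in alone is weak evidence and the relational pattern (controller, bots, and a one-way target in the same community) is what separates the roles.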
