Catching modern botnets using active integrated evidential reasoning

Botnets are now recognized as one of the major security threats and are used to launch a wide range of attacks (e.g., spamming, DDoS). Although substantial research has gone into botnet detection, the task is becoming much harder, especially for highly polymorphic, intelligent and stealthy modern botnets. Traditional detection approaches (e.g., signature-, anomaly- or flow-based) cannot effectively detect modern botnets. In this paper, we propose a novel active integrated evidential reasoning approach, called SeeBot, to detect modern botnets. SeeBot can seamlessly and incrementally combine host- and network-level evidence and incorporate active actions into the passive evidential reasoning process to improve both the efficiency and the accuracy of botnet detection. Our experiments show that active evidential reasoning greatly improves both the performance and the accuracy of botnet detection, especially when the evidence is weak, hidden or lost.
