Botnet identification via universal anomaly detection

The problem of identifying and detecting botnet Command and Control (C&C) channels is considered. A botnet is a logical network of compromised machines (bots) that are remotely controlled by an attacker (the botmaster) through a C&C infrastructure in order to perform malicious activities. Accordingly, a key objective is to identify and block the C&C channel before any real harm is caused. We propose an anomaly detection algorithm and apply it to timing data, which can be collected without deep packet inspection from plaintext as well as encrypted flows. The suggested algorithm uses the Lempel-Ziv universal compression algorithm to obtain an optimal probability assignment for normal traffic (during learning), then estimates the likelihood of new sequences (during operation) and classifies them accordingly. Furthermore, the algorithm is generic and can be applied to any sequence of events, not necessarily traffic-related. We evaluate the detection algorithm on real-world network traces, showing how a universal, low-complexity C&C identification system can be built, with high detection rates for a given false-alarm probability.
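To make the learning/operation split concrete, the following is an added example (written for this page, not the paper's code or data): an LZ78 parse tree is built from quantized inter-arrival times of normal traffic, Krichevsky-Trofimov smoothing of the per-node counts turns the tree into a sequential probability assignment, and a new window is flagged when its average code length (bits per symbol under the normal model) exceeds a threshold set at the chosen false-alarm quantile of held-out normal windows. The timing bins, the window size, the synthetic "bursty client" and "periodic beacon" generators, and all parameter values are assumptions chosen for the illustration; the paper evaluates real traces and does not specify them.

```python
"""LZ78-based universal anomaly detector over quantized timing sequences (added example)."""
import math
import random
from bisect import bisect_right

# Inter-arrival time bins in seconds (assumed for the demo, not from the paper).
BIN_EDGES = (0.05, 0.5, 5.0)
ALPHABET_SIZE = len(BIN_EDGES) + 1


def quantize(intervals):
    """Map inter-arrival times to symbols 0..ALPHABET_SIZE-1; no payload is inspected."""
    return [bisect_right(BIN_EDGES, dt) for dt in intervals]


class LZ78Model:
    """LZ78 parse tree with per-node symbol counts; KT smoothing makes it a predictor."""

    def __init__(self, alphabet_size=ALPHABET_SIZE):
        self.k = alphabet_size
        self.children = [{}]  # node id -> {symbol: child node id}
        self.counts = [{}]    # node id -> {symbol: times emitted from this node}

    def _new_node(self):
        self.children.append({})
        self.counts.append({})
        return len(self.children) - 1

    def train(self, symbols):
        """Learning phase: LZ78-parse the normal sequence, counting each transition."""
        node = 0
        for s in symbols:
            self.counts[node][s] = self.counts[node].get(s, 0) + 1
            child = self.children[node].get(s)
            if child is None:
                # Phrase ends with a new symbol: add it to the tree, restart at the root.
                self.children[node][s] = self._new_node()
                node = 0
            else:
                node = child

    def symbol_cost(self, node, s):
        """-log2 P(s | node) with Krichevsky-Trofimov (add-1/2) smoothing."""
        cnt = self.counts[node]
        p = (cnt.get(s, 0) + 0.5) / (sum(cnt.values()) + 0.5 * self.k)
        return -math.log2(p)

    def code_length(self, symbols):
        """Operation phase: average bits per symbol the normal model needs for the sequence."""
        node, bits = 0, 0.0
        for s in symbols:
            bits += self.symbol_cost(node, s)
            child = self.children[node].get(s)
            node = child if child is not None else 0  # unseen continuation: back to root
        return bits / max(len(symbols), 1)


def window_scores(model, symbols, window):
    """Score consecutive non-overlapping windows of the symbol stream."""
    return [model.code_length(symbols[i:i + window])
            for i in range(0, len(symbols) - window + 1, window)]


def choose_threshold(normal_scores, false_alarm):
    """Empirical (1 - false_alarm) quantile of scores from held-out normal traffic."""
    ordered = sorted(normal_scores)
    idx = max(0, min(len(ordered) - 1, math.ceil((1.0 - false_alarm) * len(ordered)) - 1))
    return ordered[idx]


def normal_intervals(rng, n):
    """Constructed 'normal' client: quick request bursts with occasional think time."""
    return [rng.expovariate(10.0) if rng.random() < 0.8 else rng.expovariate(1.0)
            for _ in range(n)]


def beacon_intervals(rng, n, period=30.0, jitter=3.0):
    """Constructed C&C-like beacon: a fixed period with small jitter."""
    return [period + rng.uniform(-jitter, jitter) for _ in range(n)]


def run_demo(seed=7, window=50, false_alarm=0.01):
    """Train on normal timing, calibrate the threshold, then score normal and beacon windows."""
    rng = random.Random(seed)
    model = LZ78Model()
    model.train(quantize(normal_intervals(rng, 20000)))
    calibration = window_scores(model, quantize(normal_intervals(rng, window * 200)), window)
    threshold = choose_threshold(calibration, false_alarm)
    normal_test = window_scores(model, quantize(normal_intervals(rng, window * 200)), window)
    beacon_test = window_scores(model, quantize(beacon_intervals(rng, window * 20)), window)
    return {
        "threshold": threshold,
        "false_alarm_rate": sum(s > threshold for s in normal_test) / len(normal_test),
        "detection_rate": sum(s > threshold for s in beacon_test) / len(beacon_test),
        "mean_normal_bits": sum(normal_test) / len(normal_test),
        "mean_beacon_bits": sum(beacon_test) / len(beacon_test),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.3f}")
```

The only per-flow information consumed is the sequence of inter-arrival bins, which is why the approach works equally on encrypted traffic. The false-alarm probability is a design input: `choose_threshold` fixes it on held-out normal data, and the detection rate on the beacon windows is what is then measured. Replacing `normal_intervals` with symbols derived from any other event stream leaves the model untouched, which is the sense in which the method is generic.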
