Statistical Characterization of the Botnets C&C Traffic

Abstract Botnets are used for various purposes, most of them related to illegitimate activity, being also the sources of massive exploit activity as they recruit new vulnerable systems to expand their reach. Due to their volume, diverse capabilities and robustness, botnets pose a significant and growing threat to enterprise networks and to the Internet itself. Detecting botnets is a hard task and traditional network security systems are unable to successfully complete it. In fact, botnets are evolving and can be quite flexible: the protocols used for Command and Control (CC study of the botnet control, particularly the activity of its CC study of the botnet behavior, namely its possible scanning activities, Denial of Service (DoS) attacks, spamming or phishing activities, among other possibilities. This work will mainly use the last two approaches to characterize (i) the traffic generated by each bot when communicating with the C&C server(s) and (ii) identify and analyze the main patterns of the botnet generated traffic.

[1]  Heejo Lee,et al.  Botnet Detection by Monitoring Group Activities in DNS Traffic , 2007, 7th IEEE International Conference on Computer and Information Technology (CIT 2007).

[2]  Farnam Jahanian,et al.  The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets , 2005, SRUTI.

[3]  Wenke Lee,et al.  Modeling Botnet Propagation Using Time Zones , 2006, NDSS.

[4]  Thorsten Holz,et al.  Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation , 2007, HotBots.

[5]  Kevin W. Hamlen,et al.  Flow-based identification of botnet traffic by mining multiple log files , 2008, 2008 First International Conference on Distributed Framework and Applications.

[6]  Felix C. Freiling,et al.  The Nepenthes Platform: An Efficient Approach to Collect Malware , 2006, RAID.

[7]  W. Timothy Strayer,et al.  Botnet Detection Based on Network Behavior , 2008, Botnet Detection.

[8]  W. Timothy Strayer,et al.  Using Machine Learning Techniques to Identify Botnet Traffic , 2006 .

[9]  Brian Rexroad,et al.  Wide-Scale Botnet Detection and Characterization , 2007, HotBots.

[10]  Suresh Singh,et al.  An Algorithm for Anomaly-based Botnet Detection , 2006, SRUTI.

[11]  Zhuoqing Morley Mao,et al.  Characterizing Dark DNS Behavior , 2007, DIMVA.

[12]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[13]  Felix C. Freiling,et al.  Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks , 2005, ESORICS.

[14]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[15]  Andreas Terzis,et al.  A multifaceted approach to understanding the botnet phenomenon , 2006, IMC '06.