Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows

The Command and Control communication of a botnet is evolving into sophisticated covert communication. Techniques such as encryption, steganography, and, more recently, the use of social network websites as a proxy impede conventional detection of botnet communication. In this paper we propose detection of covert communication by passive, host-external analysis of the causal relationships between traffic flows and prior traffic or user activity. Identifying the direct causes of traffic flows allows for real-time bot detection with low exposure to malware, and for offline forensic analysis of traffic. The proposed causal analysis of traffic is experimentally evaluated with a self-developed tool called CITRIC on various types of real Command and Control traffic.
