论文信息 - Enhancing Network Based Bot Detection with Contextual Information

Enhancing Network Based Bot Detection with Contextual Information

In this paper, we propose a bot detection method that enhances traffic analysis of Network based IDS (NIDS) by using process contextual information obtained from monitored machines. Existing NIDS classifies hosts suspected of doing both of the Command and Control (C&C) communication and infection activities as bots. However, this approach cannot conduct finer-grained analysis than IP address level, and which leads to false positives and negatives. To address this problem, this proposed method enables NIDS to achieve process-grained detection by feeding the contextual information of the processes that perform network activities. Through experiments using a prototype implementation on Xen and a bot sample, we demonstrate that the proposed method enables to detect bots appropriately.

[1] Jerry R. Hobbs,et al. An algebraic approach to IP traceback , 2002, TSEC.

[2] Vinod Yegneswaran,et al. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[3] Matt Bishop,et al. Virtual Machine Introspection: Observation or Interference? , 2008, IEEE Security & Privacy.

[4] Guofei Gu,et al. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[5] Wenke Lee,et al. Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[6] Wenke Lee,et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[7] Guofei Gu,et al. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[8] Richard J. Lipton,et al. A Taxonomy of Botnets , 2006 .

[9] Michael K. Reiter,et al. Traffic Aggregation for Malware Detection , 2008, DIMVA.