BotGrab: A negative reputation system for botnet detection

Abstract

Botnets continue to be used by attackers to perform various malicious activities on the Internet. Over the past years, many botnet detection techniques have been proposed; however, most of them cannot detect botnets in an early stage of their lifecycle, or they depend on a specific command and control protocol. In this paper, we propose BotGrab, a general botnet detection system that considers both malicious activities and the history of coordinated group activities in the network to identify bot-infected hosts. BotGrab tracks suspected hosts that participate in coordinated group activities and calculates a negative reputation score for each of them based on the history of their participation in these activities. A suspected host is identified as bot-infected if it has a high negative reputation score, or if it performs some malicious activity while having a low negative reputation score. We demonstrate the effectiveness of BotGrab in detecting various botnets, including HTTP-, IRC-, and P2P-based botnets, using a testbed network consisting of several bot-infected hosts.
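The decision rule described in the abstract, as an added Python example that is not the paper's own code: suspected hosts accumulate a negative reputation score from their history of coordinated group activity, and a host is flagged either when that score is high or when it shows malicious activity while its score is still low. The decaying-score formula, the thresholds, the host addresses and the event stream are all assumptions constructed here for illustration; BotGrab's actual scoring function is not given in the abstract.

```python
"""Toy negative-reputation tracker modelled on BotGrab's detection rule.
Scoring formula, thresholds and sample data are assumptions, not the paper's."""
import math
from dataclasses import dataclass

# Assumed tunables: how quickly old group-activity participation fades, and
# what score counts as a "high" negative reputation.
HALF_LIFE_S = 3600.0
HIGH_SCORE = 3.0


@dataclass
class HostState:
    """Per-host bookkeeping: a decaying negative-reputation score plus a flag
    recording whether any directly malicious activity has been observed."""
    score: float = 0.0
    last_update: float = 0.0
    malicious_seen: bool = False


class NegativeReputationTracker:
    def __init__(self, half_life_s=HALF_LIFE_S, high_score=HIGH_SCORE):
        self._k = math.log(2.0) / half_life_s   # exponential decay constant
        self.high_score = high_score
        self.hosts = {}                          # host -> HostState

    def _touch(self, host, now):
        """Fetch the host's state and decay its score to time `now`."""
        st = self.hosts.setdefault(host, HostState(last_update=now))
        st.score *= math.exp(-self._k * (now - st.last_update))
        st.last_update = now
        return st

    def group_activity(self, host, now, weight=1.0):
        """Host took part in a coordinated group activity (e.g. many hosts
        contacting the same server in lockstep); this is what makes it suspected."""
        self._touch(host, now).score += weight

    def malicious_activity(self, host, now):
        """Host performed a directly malicious activity (scan, spam burst, ...)."""
        self._touch(host, now).malicious_seen = True

    def score_of(self, host, now):
        """Current (decayed) negative reputation score; 0.0 for unknown hosts."""
        return self._touch(host, now).score if host in self.hosts else 0.0

    def verdict(self, host, now):
        st = self.hosts.get(host)
        if st is None or st.score <= 0.0:
            return "not_suspected"        # never seen in a coordinated group activity
        st = self._touch(host, now)
        if st.score >= self.high_score:
            return "bot_infected"         # high negative reputation alone suffices
        if st.malicious_seen:
            return "bot_infected"         # low reputation, but malicious activity observed
        return "suspected"                # watched, but nothing conclusive yet


def run(events, now):
    """Replay (time, host, kind) events in order and return each host's verdict."""
    tracker = NegativeReputationTracker()
    for t, host, kind in sorted(events):
        if kind == "group":
            tracker.group_activity(host, t)
        elif kind == "malicious":
            tracker.malicious_activity(host, t)
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return {h: tracker.verdict(h, now) for h in sorted(tracker.hosts)}


# Constructed sample event stream (seconds, private test addresses).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.1", "group"), (100.0, "10.0.0.1", "group"),   # repeat participant
    (200.0, "10.0.0.1", "group"), (300.0, "10.0.0.1", "group"),
    (50.0, "10.0.0.2", "group"), (60.0, "10.0.0.2", "malicious"),  # low score + malicious
    (10.0, "10.0.0.3", "group"),                                   # one-off participant
    (20.0, "10.0.0.4", "malicious"),                               # never in a group
]

if __name__ == "__main__":
    for host, verdict in run(SAMPLE_EVENTS, now=300.0).items():
        print(f"{host:10s} {verdict}")
```

With the assumed thresholds, 10.0.0.1 is flagged purely on its repeated group participation, 10.0.0.2 on malicious activity despite a low score, 10.0.0.3 stays merely suspected, and 10.0.0.4 is never evaluated because it was not part of any coordinated group activity.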
