Detecting Botnets Using Command and Control Traffic

Botnets pose a significant threat to network-based applications and communications; it is believed that 16--25% of the computers connected to the Internet are members of a botnet. The detection of botnets is essential to prevent further damage. We approach this problem by monitoring the Command and Control (C2) communication traffic, as this reveals the botnet structure before any real harm is caused. We observe that C2 traffic exhibits a repeated pattern of behavior, which is due to the pre-programmed nature of bots. We explore this behavior and look for periodic components in C2 traffic. We use periodograms to study the periodic behavior and apply Walker's large sample test to decide whether the traffic has a significant periodic component; if it does, we classify it as bot traffic. This test is independent of the structure and communication protocol used in the botnet, and does not require any a priori knowledge of a particular botnet's behavior. Since we only look at the aggregate traffic behavior, it is also more scalable than techniques that examine individual packets or track the communication flows of different hosts. We apply this test to two variants of botnet C2 communication traffic generated by SLINGbot, and show that the traffic in both variants exhibits periodic behavior. We compare the results we get on botnet C2 communication traffic to those we get on real traffic obtained from a secured enterprise network packet trace.
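As an added illustration (not code from the paper or from SLINGbot), the periodogram and Walker's large sample test applied to constructed per-second packet counts: a Poisson background with a fixed-interval beacon burst, and the same background alone. The test uses the standard white-noise null (normalised periodogram ordinates approximately i.i.d. exponential, with the variance estimated from the series itself); the series length, beacon interval, burst size and seed are assumed values.

```python
import cmath
import math
import random

def periodogram(x):
    """Periodogram I(w_k) = |X_k|^2 / N of the mean-removed series x at the
    Fourier frequencies k = 1 .. floor((N-1)/2) (DC and Nyquist excluded)."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]
    tw = [cmath.exp(-2j * math.pi * j / n) for j in range(n)]  # twiddle table
    ords = []
    for k in range(1, (n - 1) // 2 + 1):
        xk = sum(y[t] * tw[(k * t) % n] for t in range(n))
        ords.append(abs(xk) ** 2 / n)
    return ords

def walker_test(x, alpha=0.01):
    """Walker's large-sample test.  Under H0 (white noise, variance s^2) the m
    ordinates I(w_k)/s^2 are ~ i.i.d. Exp(1), so P(max > z) = 1-(1-e^-z)^m;
    reject H0 when the largest normalised ordinate exceeds the critical value
    z_alpha solving that for alpha.  Returns (periodic, stat, z_alpha, period)."""
    ords = periodogram(x)
    n, m = len(x), len(ords)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x) / n  # s^2 estimated from the series
    z_alpha = -math.log(1.0 - (1.0 - alpha) ** (1.0 / m))
    k = ords.index(max(ords))                  # 0-based: frequency index k + 1
    return ords[k] / var > z_alpha, ords[k] / var, z_alpha, n / (k + 1)

def poisson(rng, lam):
    """Knuth's method for Poisson counts (constructed background traffic)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k - 1

def packets_per_second(seconds=900, beacon_every=30, beacon_size=30, seed=7):
    """Constructed 1 s packet counts: Poisson(3) background traffic plus, when
    beacon_every > 0, beacon_size packets every beacon_every s (a bot check-in)."""
    rng = random.Random(seed)
    counts = [poisson(rng, 3.0) for _ in range(seconds)]
    if beacon_every:
        for t in range(0, seconds, beacon_every):
            counts[t] += beacon_size
    return counts

if __name__ == "__main__":   # C2-like series first, then background only
    for every in (30, 0):
        print(walker_test(packets_per_second(beacon_every=every)))
```

A sharp one-second burst carries equal energy at every harmonic of the beacon interval, so the dominant period reported for the C2-like series may be a divisor of 30 s; the decision itself does not depend on which harmonic wins.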
