Extracting probable command and control signatures for detecting botnets

Botnets, which are networks of compromised machines under the control of a single malicious entity, are a serious threat to online security. The fact that botnets, by definition, receive their commands from a single entity can be leveraged to fight them. To this end, one requires techniques that can detect command and control (C&C) traffic, as well as the servers that host C&C services. Given the knowledge of a C&C server's IP address, one can use this information to detect all hosts that attempt to contact such a server, and subsequently disinfect, disable, or block the infected machines. This information can also be used by law enforcement to take down the C&C server. In this paper, we present a new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system. This approach works in two steps. First, we extract all frequent strings seen in the network traffic. Second, we use a function that assigns a score to each string. This score represents the likelihood that the string is indicative of C&C traffic. This function allows us to rank strings and focus our attention on those that likely represent good C&C signatures. We apply our technique to almost 2.6 million network connections produced by running more than 1.4 million malware samples. Using our technique, we were able to automatically extract a set of signatures that are able to identify C&C traffic. Furthermore, we compared our signatures with those used by existing tools, such as Snort and BotHunter.

[1]  Roberto Uribeetxeberria,et al.  A data mining approach for analysis of worm activity through automatic signature generation , 2008, AISec '08.

[2]  Oren Etzioni,et al.  Web document clustering: a feasibility demonstration , 1998, SIGIR '98.

[3]  Yao Zhao,et al.  BotGraph: Large Scale Spamming Botnet Detection , 2009, NSDI.

[4]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .

[5]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[6]  James Bailey,et al.  Mining minimal distinguishing subsequence patterns with gap constraints , 2005, Fifth IEEE International Conference on Data Mining (ICDM'05).

[7]  Satoshi Kondo,et al.  Botnet Traffic Detection Techniques by C&C Session Classification Using SVM , 2007, IWSEC.

[8]  George Varghese,et al.  Automated Worm Fingerprinting , 2004, OSDI.

[9]  Mattia Monga,et al.  LISABETH: automated content-based signature generator for zero-day polymorphic worms , 2008, SESS '08.

[10]  Nick Feamster,et al.  Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces , 2010, NSDI.

[11]  Thomas G. Dietterich What is machine learning? , 2020, Archives of Disease in Childhood.

[12]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[13]  W. Timothy Strayer,et al.  Using Machine Learning Techniques to Identify Botnet Traffic , 2006 .

[14]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[15]  W. Timothy Strayer,et al.  Detecting Botnets with Tight Command and Control , 2006, Proceedings. 2006 31st IEEE Conference on Local Computer Networks.

[16]  Leyla Bilge,et al.  Automatically Generating Models for Botnet Detection , 2009, ESORICS.

[17]  Jianping Pan,et al.  WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation , 2007, IEEE Transactions on Dependable and Secure Computing.

[18]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[19]  Jon Crowcroft,et al.  Honeycomb , 2004, Comput. Commun. Rev..

[20]  R. Gray Entropy and Information Theory , 1990, Springer New York.

[21]  Nasir D. Memon,et al.  Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts , 2010, ACSAC '10.

[22]  William W. Cohen Fast Effective Rule Induction , 1995, ICML.

[23]  Vinod Yegneswaran,et al.  Active Botnet Probing to Identify Obscure Command and Control Channels , 2009, 2009 Annual Computer Security Applications Conference.

[24]  Esko Ukkonen,et al.  On-line construction of suffix trees , 1995, Algorithmica.

[25]  Farnam Jahanian,et al.  A Survey of Botnet Technology and Defenses , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

[26]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[27]  James Newsome,et al.  Polygraph: automatically generating signatures for polymorphic worms , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[28]  Leyla Bilge,et al.  Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis , 2012, ACSAC '12.