Active botnet probing to identify obscure command and control channels

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 241-253

  Gu, Guofei ^a   Yegneswaran, Vinod ^b   Porras, Phillip ^b   Stoll, Jennifer ^c   Lee, Wenke ^c  

^a TEXAS A AND M UNIVERSITY   (United States)

^b SRI INTERNATIONAL   (United States)

^c GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACTIVE METHOD; ACTIVE TECHNIQUES; ALGORITHMIC FRAMEWORK; ANOMALY DETECTION; BEHAVIOR-BASED; BOTNETS; COMMAND AND CONTROL; FALSE POSITIVE RATES; FEASIBILITY STUDIES; HUMAN-HUMAN COMMUNICATION; HYPOTHESIS TESTING; MALWARES; NETWORK MIDDLEBOX; PROBING TECHNIQUES; PROTOTYPE SYSTEM; REAL-WORLD; RESEARCH COMMUNITIES; USER STUDY;

COMPUTER CRIME;

EID: 77950820631     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.30     Document Type: Conference Paper

References (36)

1. Hi-performance protocol identification engine. http://hippie.oofle.com/.
2. Shadowserver. http://shadowserver.org.
3. P. Barford and V. Yegneswaran. An inside look at botnets. Special Workshop on Malware Detection.
4. J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection. In Proceedings of USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2006.
5. M. Collins, T. Shimeall, S. Faber, J. Janies, R. Weaver, M. D. Shon, and J. Kadane. Using uncleanliness to predict future botnet addresses. In Proceedings of the 2007 Internet MeasurementConference (IMC'07), 2007.
6. Cyber-TA. Multi-perspective malware analysis. http://www.cyber-ta.org/ releases/malware-analysis/public/.
7. F. Freiling, T. Holz, and G. Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent denial of service attacks. In Proceedings of ESORICS, 2005.
8. S. Gianvecchio, M. Xie, Z. Wu, and H. Wang. Measurement and classification of humans and bots in internet chat. In Proceedings of the 17th USENIX Security Symposium (Security' 08), 2008.
9. F. Giroire, J. Chandrashekar, N. Taft, E. Schooler, and K. Papagiannaki. Exploiting temporal persistence to detect covert botnet channels. In 12th International Symposium on Recent Advances in Intrusion Detection (RAID'09), 2009.
10. J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots'07), 2007.
11. J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon. Peer-to-peer botnets: Overview and case study. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots'07), 2007.
12. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th USENIX Security Symposium (Security'08), 2008.
13. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. Bothunter: Detecting malware infection through IDS-driven dialog correlation. In 16th USENIX Security Symposium (Security'07), 2007.
14. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.
15. M. Handley, V. Paxson, and C. Kreibich. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the 10th Conference on USENIX Security Symposium, Berkeley, CA, USA, 2001. USENIX Association.
16. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In IEEE Symposium on Security and Privacy 2004, Oakland, CA, May 2004.
17. A. Karasaridis, B. Rexroad, and D. Hoeflin. Wide-scale botnet detection and characterization. In USENIX Hotbots'07, 2007.
18. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The click modular router. ACM Transactions on Computer Systems, 18(3):263-297, 2000.
19. R. Lemos. Bot software looks to improve peerage. http: //www.securityfocus.com/news/11390.
20. C. Livadas, R. Walsh, D. Lapsley, and W. T. Strayer. Using machine learning techniques to identify botnet traffic. In 2nd IEEE LCN Workshop on Network Security (WoNS'2006), 2006.
21. V. Paxson. BRO: A System for Detecting Network Intruders in Real Time. In Proceedings of the 7th USENIX Security Symposium, 1998.
22. P. Porras, H. Saidi, and V. Yegneswaran. A foray into conficker's logic and rendezvous points. In 2nd Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
23. M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multi-faceted approach to understanding the botnet phenomenon. In Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference, Brazil, October 2006.
24. A. Ramachandran, N. Framster, and D. Dagon. Revealing botnet membership using DNSBL counter-intelligence. In 2nd USENIX Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006.
25. M. Roesch. Snort - lightweight intrusion detection for networks. In Proceedings of USENIX LISA'99, 1999.
26. SecureWorks. Bobax trojan analysis. http://www.secureworks.com/research/ threats/bobax/.
27. W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley. Detecting botnets with tight command and control. In 31st IEEE Conference on Local Computer Networks (LCN'06), 2006.
28. A. Turing. Computing machinery and intelligence. In Mind Vol.59, 1950.
29. L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt, pages 294-311, 2003.
30. A. Wald. Sequential Analysis. Dover Publications, 2004.
31. D. Watson, M. Smart, G. R. Malan, and F. Jahanian. Protocol scrubbing: Network security through transparent flow modification. IEEE/ACM Trans. Networking, 12(2):261-273, 2004.
32. P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and E. Kirda. Automatically generating models for botnet detection. In 14th European Symposium on Research in Computer Security (ESORICS'09), 2009.
33. V. Yegneswaran, C. Alfeld, P. Barford, and J.-Y. Cai. Camouflaging honeynets. In Proceedings of IEEE Global Internet Symposium, 2007.
34. T.-F. Yen and M. K. Reiter. Traffic aggregation for malware detection. In Proceedings of the Fifth GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'08), 2008.
35. Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen, and E. Gillum. Botgraph: large scale spamming botnet detection. In NSDI'09: Proceedings of the 6th USENIX symposium on Networked systems design and implementation, pages 321-334, Berkeley, CA, USA, 2009. USENIX Association.
36. J. Zhuge, X. Han, J. Guo, W. Zou, T. Holz, and Y. Zhou. Characterizing the IRC-based botnet phenomenon. China Honeynet Technical Report, 2007.