Automatic discovery of botnet communities on large-scale communication networks

Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

Volumn , Issue , 2009, Pages 1-10

  Lu, Wei ^a   Tavallaee, Mahbod ^a   Ghorbani, Ali A ^a  

^a UNIVERSITY OF NEW BRUNSWICK   (Canada)

Author keywords

Botnet detection; Machine learning; Traffic classification

Indexed keywords

AUTOMATIC DISCOVERY; BOTNETS; COMMAND AND CONTROL; COMMUNICATION NETWORKS; CROSS-ASSOCIATION; FALSE ALARM RATE; HIGH DETECTION RATE; HONEYPOTS; HUMAN BEING; INTERNET INFRASTRUCTURE; MACHINE-LEARNING; MALICIOUS CODES; NETWORK APPLICATIONS; NETWORK LINKS; NETWORK TRAFFIC; ON CURRENTS; PEER TO PEER; SECURITY THREATS; TRAFFIC CLASSIFICATION;

CLUSTERING ALGORITHMS; COMPUTER CONTROL SYSTEMS; HTTP; INTERNET SERVICE PROVIDERS; LEARNING SYSTEMS; NETWORK SECURITY; RELAY CONTROL SYSTEMS; TELECOMMUNICATION NETWORKS; TELECOMMUNICATION TRAFFIC; WI-FI;

PEER TO PEER NETWORKS;

EID: 77952376102     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1533057.1533062     Document Type: Conference Paper

References (46)

1. http://www.symantec.com/business/theme.jsp?themeid=threa treport, Symantec Internet Security Threat Report, Volume XIII: April, 2008
2. P. Barford and V. Yegneswaran, "An inside look at Botnets, " Special Workshop on Malware Detection, Advances in Information Security, Springer Verlag, ISBN: 0-387-32720-7, 2006.
3. Sinit, available on and assessed in December 2008 http://www.secureworks. com/research/threats/sinit
4. Phatbot, available on and assessed in December 2008 http://www. secureworks.com/research/threats/phatbot
5. Nugache, available on and assessed in December 2008 http://www. securityfocus.com/news/11390
6. http://www.secureworks.com/research/blog/index.php/2007/09/12/ analysis-of-storm-worm-ddos-traffic
7. th Information Security Conference, Taipei, Taiwan, 2008.
8. th ACM SIGCOMM Conference on Internet measurement, pp. 41-52, 2006.
9. P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, "The nepenthes platform: an efficient approach to collect malware, " In Proceedings of Recent Advances in Intrusion Detection, LNCS 4219, Springer-Verlag, 2006, pp. 165-184, Hamburg, 2006.
10. th Workshop on Hot Topics in Networks, College Park, MD, 2005.
11. Z. H. Li, A. Goyal, and Y. Chen, "Honeynet-based botnet scan traffic analysis, " Botnet Detection: Countering the Largest Security Threat, in Series: Advances in Information Security, Vol. 36, W. K. Lee, C. Wang, D. Dagon, (Eds.), Springer, ISBN: 978-0-387-68766-7, 2008.
12. th European Symposium on Research in Computer Security (ESORICS'05), 2005.
13. st Usenix Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, California, 2008.
14. st IEEE Conference on Local Computer Networks, pp. 195-202, 2006.
15. T. Strayer, D. Lapsley, R. Walsh, and C. Livadas, "Botnet detection based on network behavior, " Botnet Detection: Countering the Largest Security Threat, in Series: Advances in Information Security, Vol. 36, W. K. Lee, C. Wang, D. Dagon, (Eds.), Springer, 2008.
16. st IEEE Conference on Local Computer Networks, pp. 967-974, Nov. 2006.
17. J. Goebel and T. Holz, "Rishi: Identify bot contaminated hosts by irc nickname evaluation, " In Proceedings of USENIX HotBots'07, 2007.
18. st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, 2007.
19. nd Workshop on Steps to Reducing Unwanted Traffic on the Internet, 2006.
20. th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2008.
21. th USENIX Security Symposium (Security'08), San Jose, CA, 2008.
22. th International Workshop on Passive and Active Network Measurement, pp. 41-54, Boston, MA, 2005.
23. N. Williams, S. Zander and G. Armitage, "A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification, " ACM SIGCOMM Computer Communication Review, Vol. 36, Issue 5, pp. 5-16, 2006.
24. th International Workshop on Passive and Active Network Measurement, pp. 205-214, Antibes Juan-les-Pins, France, 2004.
25. th Anniversary, pp. 250-257, 2005.
26. L. Bernaille, R. Teixeira, K. Salamatian, "Early application identification, " In Proceedings of ACM International Conference On Emerging Networking Experiments And Technologies (CONEXT 06), Lisboa, Portugal, 2006.
27. A. Moore, D. Zuev, "Internet traffic classification using Bayesian analysis techniques, " ACM SIGMETRICS Performance Evaluation Review, Vol. 30, Issue 1, pp. 50-60, 2005.
28. M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli, "Traffic classification through simple statistical fingerprinting, " ACM SIGCOMM Computer Communication Review, Vol. 37, Issue 1, 5-16, 2007.
29. th ACM SIGCOMM Conference on Internet Measurement, Taormina, Sicily, Italy, October 25-27, 2004.
30. rd Annual ACM Workshop on Mining Network Data, San Diego, California, USA, pp. 29-34, 2007.
31. C. Park, Y. Won, M. Kim and J. Hong, "Towards automated application signature generation for traffic identification, " In Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS 2008), Salvador, Brazil, 160-167, 2008.
32. T. Karagiannis, K. Papagiannaki, and M. Faloutsos, "BLINC: multilevel traffic classification in the dark, " In Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 229-240, Philadelphia, Pennsylvania, 2005.
33. L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian, "Traffic classification on the fly, " ACM SIGCOMM Computer Communication Review, Vol. 36, Issue 2, pp. 23-26, 2006.
34. Fred-eZone WiFi ISP, available on and assessed in December 2008 http://www.fred-ezone.ca
35. th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 79-88, Seattle, Washington, 2004.
36. th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, 2004.
37. th International Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, 2005.
38. th USENIX Security Symposium, Boston, MA, 2007.
39. M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior, " In Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, pp. 82-85, 2007.
40. th International Conference on Machine Learning, pp. 255-262, Palo Alto, 2000.
41. Kaiten, available on and assessed in December 2008 http:// packetstormsecurity.org/distributed/indexsize.html
42. BlackEnergy, available on and assessed in December 2008 http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+ Bot+Analysispdf
43. L. Salgarelli, F. Gringoli, and T. Karagiannis, "Comparing traffic classifiers", ACM SIGCOMM Computer Communication Review, Volume 37, Issue 3, pp. 65-68, 2008.
44. st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, 2007.
45. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance, " In Proceedings of International Conference on Dependable Systems and Networks, 2006.
46. German Honeynet Project, assessed in Dec. 2008 http://pi1.informatik.uni- mannheim.de/index.php? pagecontent=site/Research.menu/Honeynet.page