BotFinder: Finding bots in network traffic without deep packet inspection

CoNEXT 2012 - Proceedings of the 2012 ACM Conference on Emerging Networking Experiments and Technologies

Volumn , Issue , 2012, Pages 349-360

  Tegeler, Florian ^a   Fu, Xiaoming ^a   Vigna, Giovanni ^b   Kruegel, Christopher ^b  

^a UNIVERSITY OF GÖTTINGEN   (Germany)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Malware detection; NetFlow analysis; Security

Indexed keywords

BOT DETECTIONS; COMMAND-AND-CONTROL; CONTENT ANALYSIS; CONTROLLED ENVIRONMENT; DATA SETS; DEEP PACKET INSPECTION; DISTRIBUTED DENIAL OF SERVICE ATTACK; FALSE POSITIVE; HIGH DETECTION RATE; KEY FEATURE; MALWARE DETECTION; NETFLOWS; NETWORK TRAFFIC; ROOT CAUSE; SECURITY; SECURITY PROBLEMS; SIGNATURE-MATCHING;

COMPUTER CRIME; EXPERIMENTS; INTERNET SERVICE PROVIDERS; NETWORK SECURITY;

PACKET NETWORKS;

EID: 84871993648     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2413176.2413217     Document Type: Conference Paper

References (37)

1. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In NDSS, 2009.
2. U. Bayer, C. Kruegel, and E. Kirda. Anubis: Analyzing Unknown Binaries. In http://anubis.iseclab.org/, 2008.
3. J. R. Binkley. An algorithm for anomaly-based botnet detection. In SRUTI, 2006.
4. F. Chang, W. Qiu, R. H. Zamar, R. Lazarus, and X. Wang. clues: An R Package for Nonparametric Clustering Based on Local Shrinking. Journal of Statistical Software, 33(4):1-16, 2 2010.
5. B. Claise. Cisco systems netflow services export version 9. RFC 3954, IETF, Oct. 2004.
6. E. Cooke, F. Jahanian, and D. McPherson. The Zombie roundup: understanding, detecting, and disrupting botnets. In SRUTI, 2005.
7. B. Coskun, S. Dietrich, and N. Memon. Friends of An Enemy: Identifying Local Members of Peer-to-Peer Botnets Using Mutual Contacts. In ACSAC, 2010.
8. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In ACM CCS, 2008.
9. P. Fogla and W. Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In ACM CCS, 2006.
10. P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee. Polymorphic blending attacks. In USENIX Security, 2006.
11. J. Franklin, V. Paxson, A. Perrig, and S. Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. In ACM CCS, 2007.
12. J. François, S. Wang, R. State, and T. Engel. Bottrack: Tracking botnets using netflow and pagerank. In IFIP Networking. 2011.
13. F. Freiling, T. Holz, and G. Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In ESORICS, 2005.
14. F. Giroire, J. Chandrashekar, N. Taft, E. M. Schooler, and D. Papagiannaki. Exploiting Temporal Persistence to Detect Covert Botnet Channels. In RAID, 2009.
15. J. Goebel and T. Holz. Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation. In USENIX HotBots, 2007.
16. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. In USENIX Security, 2008.
17. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In USENIX Security, 2007.
18. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In NDSS, 2008.
19. P. Gutmann. The Commercial Malware Industry. In Proceedings of the DEFCON conference, 2007.
20. J. A. Hartigan and M. A. Wong. A k-means clustering algorithm. JSTOR: Applied Statistics, 28(1), 1979.
21. G. Jacob, R. Hund, C. Kruegel, and T. Holz. Jackstraws: Picking Command and Control Connections from Bot Traffic. USENIX Security, 2011.
22. L. Kaufman and P. Rousseeuw. Finding Groups in Data An Introduction to Cluster Analysis. Wiley Interscience, New York, 1990.
23. S. Kundu. Gravitational clustering: a new approach based on the spatial distribution of the points. Pattern Recognition, 32(7):1149-1160, 1999.
24. S. Nagaraja, P. Mittal, C.-Y. Hong, M. Caesar, and N. Borisov. Botgrep: finding p2p bots with structured graph analysis. In USENIX Security, 2010.
25. V. Paxson. Bro: a System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435-2463, 1999.
26. R. Perdisci, D. Dagon, P. Fogla, and M. Sharif. Misleading worm signature generators using deliberate noise injection. In IEEE S&P, 2006.
27. R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of http-based malware and signature generation using malicious network traces. In USENIX NSDI, 2010.
28. R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2010.
29. M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In ACM IMC, 2006.
30. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A New Approach to Computer Security via Binary Analysis. In ICISS. 2008.
31. E. Stinson and J. C. Mitchell. Towards systematic evaluation of the evadability of bot/botnet detection methods. In USENIX WOOT, 2008.
32. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In ACM CCS, 2009.
33. W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley. Detecting botnets with tight command and control. In Proceedings of the 31st IEEE Conference on Local Computer Networks, pages 195-202, 2006.
34. X. Wang, W. Qiu, and R. H. Zamar. Clues: A non-parametric clustering method based on local shrinking. Computational Statistics and Data Analysis, 52(1):286-298, 2007.
35. C. Willems, T. Holz, and F. Freiling. Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE S&P, 2007.
36. P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and E. Kirda. Automatically Generating Models for Botnet Detection. In ESORICS, 2009.
37. T.-F. Yen and M. K. Reiter. Traffic Aggregation for Malware Detection. In DIMVA, 2008.