JACKSTRAWS: Picking command and control connections from bot traffic

Proceedings of the 20th USENIX Security Symposium

Volumn , Issue , 2011, Pages 443-458

  Jacob, Gregoire ^a   Hund, Ralf ^b   Kruegel, Christopher ^a   Holz, Thorsten ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

BOTNET; LEARNING SYSTEMS; NETWORK SECURITY;

BEHAVIOR GRAPHS; COMMAND AND CONTROL; CONTROLLED ENVIRONMENT; DETECTION MODELS; MACHINE LEARNING TECHNIQUES; NETWORK CONNECTION; NETWORK TRAFFIC; TEMPLATE GENERATION;

INTERNET PROTOCOLS;

EID: 84888316706     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (50)

1. S. Adair. Pushdo DDoS'ing or Blending In? http: //www.shadowserver.org/wiki/pmwiki.php/ Calendar/20100129, January 2010.
2. D. Balzarotti, M. Cova, C. Karlberger, E. Kirda, C. Kruegel, and G. Vigna. Efficient Detection of Split Personalities in Malware. In Symp. Network & Distributed System Security (NDSS), 2010.
3. H. Bunke, P. Foggia, C. Guidobaldi, and M. Vento. Graph Clustering Using the Weighted Minimum Common Supergraph. In Graph Based Representations in Pattern Recognition, 2003.
4. M. Christodorescu and S. Jha. Testing Malware Detectors. In ACM Int. Symp. on Software Testing & Analysis (ISSTA), 2004.
5. M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In Meeting of the European Software Engineering Conf. & the SIGSOFT Symp. Foundations of Software Engineering, 2007.
6. D. Conte, P. Foggia, and M. Vento. Challenging complexity of maximum common subgraph detection algorithms: A performance analysis of three algorithms on a wide database of graphs. Journal of Graph Algorithms & Applications, 11(1), 2007.
7. E. Cooke, F. Jahanian, and D. McPherson. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In USENIX Workshop Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005.
8. D. Dagon, G. Gu, C. Lee, and W. Lee. A Taxonomy of Botnet Structures. In Annual Computer Security Applications Conf. (ACSAC), 2007.
9. A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee. Ether: Malware Analysis Via Hardware Virtualization Extensions. In ACM Conf. Computer & Communications Security (CCS), 2008.
10. P. Fogla and W. Lee. Evading Network Anomaly Detection Systems: Formal Reasoning and Practical Techniques. In ACM Conf. Computer & Communications Security (CCS), 2006.
11. P. Fogla, M. I. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee. Polymorphic Blending Attacks. In Usenix Security Symp., 2006.
12. S. Forrest, S. Hofmeyr, A. Somayaji, and T. A. Longstaff. A Sense of Self for Unix Processes. In IEEE Symp. Security & Privacy, 1996.
13. M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In IEEE Symp. Security & Privacy, 2010.
14. F. C. Freiling, T. Holz, and G. Wicherski. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In European Symp. Research in Computer Security (ESORICS), 2005.
15. J. Goebel and T. Holz. Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation. In USENIX Workshop Hot Topics in Understanding Botnets (HotBots), 2007.
16. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In USENIX Security Symp., 2008.
17. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In USENIX Security Symp., 2006.
18. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Symp. Network & Distributed System Security (NDSS), 2008.
19. T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. C. Freiling. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In Usenix Workshop Large-Scale Exploits & Emergent Threats (LEET), 2008.
20. International Secure Systems Lab. Anubis: Analyzing Unknown Binaries. http://anubis.iseclab.org, 2011.
21. G. Jacob, E. Filiol, and H. Debar. Functional polymorphic engines: Formalisation, implementation and use cases. Journal in Computer Virology, 5(3):247-261, 2009.
22. J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy. Studying Spamming Botnets Using Botlab. In USENIX Symp. Networked Systems Design & Implementation (NSDI), 2009.
23. A. Kalafut, A. Acharya, and M. Gupta. A Study of Malware in Peer-to-Peer Networks. In ACM SIGCOMM Conf. Internet Measurement, 2006.
24. G. Karypis. CLUTO - A Clustering Toolkit. Technical Report 02-017, University of Minnesota, 2003.
25. H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In USENIX Security Symp., 2004.
26. C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and Efficient Malware Detection at the End Host. In USENIX Security Symp., 2009.
27. C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. ACM SIGCOMM Computer Communication Review, 34(1), 2004.
28. W. Lee, S. J. Stolfo, and K. W. Mok. A Data Mining Framework for Building Intrusion Detection Models. In IEEE Symp. Security & Privacy, 1999.
29. Z. Li, M. Sanghi, Y. Chen, M.-Y. Kao, and B. Chavez. Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience. In IEEE Symp. Security & Privacy, 2006.
30. A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In IEEE Symp. Security & Privacy, 2007.
31. J. Newsom, B. Karp, and D. Song. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In IEEE Symp. Security & Privacy, 2005.
32. S. Peisert, M. Bishop, S. Karin, and K. Marzullo. Analysis of Computer Intrusions Using Sequences of Function Calls. IEEE Trans. Dependable Secur. Comput., 4(2), 2007.
33. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. I. Sharif. Misleading worm signature generators using deliberate noise injection. In IEEE Symp. Security & Privacy, 2006.
34. R. Perdisci, W. Lee, and N. Feamster. Behavioral Clustering of HTTP-based Malware and Signature Generation Using Malicious Network Traces. In USENIX Symp. Networked Systems Design & Implementation (NSDI), 2010.
35. P. Porras, H. Saïdi, and V. Yegneswaran. A Foray into Confickers Logic and Rendezvous Points. In Usenix Workshop Large-Scale Exploits & Emergent Threats (LEET), 2009.
36. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All Your iFRAMEs Point to Us. In USENIX Security Symp., 2008.
37. M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In Internet Measurement Conference (IMC), 2006.
38. E. J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In IEEE Symp. Security & Privacy, 2010.
39. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In USENIX Symp. Operating Systems Design & Implementation (OSDI), 2004.
40. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A New Approach to Computer Security via Binary Analysis. In Int. Conf. Information Systems Security (ICISS), 2008.
41. E. Stinson and J. C. Mitchell. Characterizing Bots' Remote Control Behavior. In Conf. Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2007.
42. B. Stone-Gross, A. Moser, C. Kruegel, and E. Kirda. FIRE: FInding Rogue nEtworks. In Annual Computer Security Applications Conf. (ACSAC), 2009.
43. P. Szor. The Art of Computer Virus Research and Defense. Addison Wesley, 2005.
44. C. Willems, T. Holz, and F. Freiling. CWSandbox: Towards Automated Dynamic Binary Analysis. IEEE Security & Privacy, 5(2), 2007.
45. P. Wurzinger, L. Bilge, T. Holz, J. Göbel, C. Kruegel, and E. Kirda. Automatically generating models for botnet detection. In European Symp. Research in Computer Security (ESORICS), 2009.
46. X. Yan, H. Cheng, J. Han, and P. S. Yu. Mining Significant Graph Patterns by Leap Search. In ACM SIGMOD Int. Conf. Management of Data, 2008.
47. X. Yan and J. Han. gSpan: Graph-Based Substructure Pattern Mining. In Int. Conf. Data Mining (ICDM), 2002.
48. X. Yan and J. Han. CloseGraph: Mining closed frequent graph patterns. In ACM SIGKDD Int. Conf. Knowledge Discovery & Data Mining (KDD), 2003.
49. T.-F. Yen and M. K. Reiter. Traffic Aggregation for Malware Detection. In Conf. Detection of Intrusions and Malware, & Vulnerability Assessment (DIMVA), 2008.
50. Y. Zhao and G. Karypis. Evaluation of hierarchical clustering algorithms for document datasets. In ACM Conf. Information & Knowledge Management (CIKM), 2002.