Abstract
The complexity of modern cyber attacks calls for detection and classification techniques more sophisticated than those based on the well-known signature detection approach. In practice, attackers try to deploy armies of controlled bots by infecting vulnerable hosts. Such bots are characterized by complex executable command sets and take part in cooperative and coordinated attacks. Therefore, an effective detection technique should rely on a suitable model of both the envisaged networking scenario and the attacks targeting it.
We address the problem of detecting botnets by describing a behavioral model for a specific class of network users, together with a set of features that can be used to identify botnet-related activities. Tests performed with an anomaly-based detection scheme on a set of real network traffic traces confirmed the effectiveness of the proposed approach.
This work has been partially supported by the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 216585 (INTERSECTION Project).
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Mazzariello, C., Sansone, C. (2009). Anomaly-Based Detection of IRC Botnets by Means of One-Class Support Vector Classifiers. In: Foggia, P., Sansone, C., Vento, M. (eds) Image Analysis and Processing – ICIAP 2009. ICIAP 2009. Lecture Notes in Computer Science, vol 5716. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04146-4_94
DOI: https://doi.org/10.1007/978-3-642-04146-4_94
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04145-7
Online ISBN: 978-3-642-04146-4
eBook Packages: Computer Science, Computer Science (R0)