DOI: 10.1145/1533057.1533062
Research article

Automatic discovery of botnet communities on large-scale communication networks

Published: 10 March 2009

Abstract

Botnets are networks of compromised computers infected with malicious code that can be controlled remotely under a common command and control (C&C) channel. Recognized as one of the most serious security threats to the current Internet infrastructure, advanced botnets hide not only in existing well-known network applications (e.g. IRC, HTTP, or peer-to-peer) but also in unknown or novel (creative) applications, which makes botnet detection a challenging problem. Most current approaches to detecting botnets examine traffic content for bot signatures on selected network links or set up honeypots. In this paper, we propose a new hierarchical framework to automatically discover botnets on a large-scale WiFi ISP network: we first classify the network traffic into different application communities using payload signatures and a novel cross-association clustering algorithm, and then, within each obtained application community, we analyze the temporal-frequent characteristics of flows to differentiate malicious channels created by bots from normal traffic generated by human beings. We evaluate our approach on about 100 million flows collected over three consecutive days on a large-scale WiFi ISP network; the results show that the proposed approach successfully detects two types of botnet application flows (i.e. the BlackEnergy HTTP bot and the Kaiten IRC bot) from these flows with a high detection rate and an acceptably low false alarm rate.


Published In

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
March 2009, 408 pages
ISBN: 9781605583945
DOI: 10.1145/1533057
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. botnet detection
2. machine learning
3. traffic classification

Conference

Asia CCS 09

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Cited By

• (2024) Peer-to-peer botnets: exploring behavioural characteristics and machine/deep learning-based detection. EURASIP Journal on Information Security, 2024:1. DOI: 10.1186/s13635-024-00169-0. Online publication date: 27 May 2024.
• (2023) Phishing Attack Types and Mitigation: A Survey. Data Science and Emerging Technologies, pp. 131-153. DOI: 10.1007/978-981-99-0741-0_10. Online publication date: 1 Apr 2023.
• (2021) A Survey on Botnets: Incentives, Evolution, Detection and Current Trends. Future Internet, 13:8 (198). DOI: 10.3390/fi13080198. Online publication date: 31 Jul 2021.
• (2020) MD-MinerP. Security and Communication Networks, 2020. DOI: 10.1155/2020/8841544. Online publication date: 29 Oct 2020.
• (2019) A Decade of Mal-Activity Reporting. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 193-205. DOI: 10.1145/3321705.3329834. Online publication date: 2 Jul 2019.
• (2019) PodBot: A New Botnet Detection Method by Host and Network-Based Analysis. 2019 27th Iranian Conference on Electrical Engineering (ICEE), pp. 1900-1904. DOI: 10.1109/IranianCEE.2019.8786432. Online publication date: Apr 2019.
• (2019) Performance evaluation of Botnet DDoS attack detection using machine learning. Evolutionary Intelligence. DOI: 10.1007/s12065-019-00310-w. Online publication date: 20 Nov 2019.
• (2018) An Application for Monitoring and Analysis of HTTP Communications. Journal of Communications, 13(8), pp. 456-462. DOI: 10.12720/jcm.13.8.456-462. Online publication date: 2018.
• (2018) Real-Time IoT Device Activity Detection in Edge Networks. Network and System Security, pp. 221-236. DOI: 10.1007/978-3-030-02744-5_17. Online publication date: 18 Dec 2018.
• (2017) The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 575-586. DOI: 10.1145/3052973.3053023. Online publication date: 2 Apr 2017.