BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
TLDR
This paper presents a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses).
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
TLDR
This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.
Detecting stealthy P2P botnets using statistical traffic fingerprints
TLDR
This paper proposes a novel botnet detection system that is able to identify stealthy P2P botnets, even when malicious activities may not be observable, and can achieve high detection accuracy with a low false positive rate.
Building a Scalable System for Stealthy P2P-Botnet Detection
TLDR
This paper proposes a novel scalable botnet detection system capable of detecting stealthy P2P botnets, and derives statistical fingerprints to profile P2P traffic and further distinguish between P2P botnet traffic and legitimate P2P traffic.
Intention and Origination: An Inside Look at Large-Scale Bot Queries
TLDR
This work performs a large-scale quantitative analysis on bot queries received by the Bing search engine over month-long periods, and shows that 33% of bot queries are searching for vulnerabilities, followed by 11% harvesting user account information.
Exposing invisible timing-based traffic watermarks with BACKLIT
TLDR
By proposing a new detection system called BACKLIT, this paper shows for the first time that even the most sophisticated timing-based watermarking schemes are not invisible; BACKLIT can detect watermarked network flows with high accuracy and few false positives.
ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads
TLDR
This paper provides a new method to determine malware distribution networks (MDNs) from the secondary URLs and redirect chains recorded by a high-interaction client honeypot, and proposes a novel drive-by download detection method that identifies additional malicious webpages which launched, but failed to execute, a successful drive-by download attack.
Net-cohort: detecting and managing VM ensembles in virtualized data centers
TLDR
Net-Cohort can dynamically identify VM ensembles, allowing entire services/applications to be managed rather than individual VMs, and supports VM placement engines in co-locating communicating VMs in order to reduce the consumption of bisection bandwidth.
Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network: Attack Model, Evaluation, and Defense
TLDR
This paper proposes a novel inference attack targeting SDN/OpenFlow networks, motivated by the limited flow table capacities of SDN/OpenFlow switches and the measurable network performance decrease that results from frequent interactions between the data and control planes when the flow table is full.
An Inference Attack Model for Flow Table Capacity and Usage: Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network
TLDR
This paper proposes a novel inference attack targeting SDN/OpenFlow networks, motivated by the limited flow table capacities of SDN/OpenFlow switches and the measurable network performance decrease that results from frequent interactions between the data plane and control plane when the flow table is full.