Corpus ID: 6370088

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

@inproceedings{Gu2008BotMinerCA,
  title={BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection},
  author={Guofei Gu and Roberto Perdisci and Junjie Zhang and Wenke Lee},
  booktitle={USENIX Security Symposium},
  year={2008}
}
Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. [...] These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
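The abstract excerpt above elides the method, so here is an added example (not the authors' code, and not from this page) that shows the two-plane design BotMiner is known for in runnable form: hosts are clustered on communication statistics (the C-plane), grouped by observed malicious activity (the A-plane), and only hosts that fall together in both planes are reported. The flow records, activity events, thresholds and the greedy clustering routine are all assumptions of this example; the paper uses X-means clustering on real traces.

```python
"""Two-plane botnet detection in the style of BotMiner (simplified, illustrative).

Added example, not the authors' code. It keeps the paper's structure (C-plane
clustering of communication statistics, A-plane grouping by malicious activity,
cross-plane correlation) but swaps the X-means two-step clustering for a greedy
threshold clustering, and runs on constructed input rather than real traces.
"""
from collections import defaultdict
import math

WINDOW_HOURS = 1.0  # length of the monitoring window the flows were collected in

# Constructed sample, not real traffic. Flow record: (src, dst, dport, proto,
# packets, bytes, seconds). Three hosts keep a near-identical low-volume
# channel to 203.0.113.7:6667; 10.0.0.50 is a chatty but benign HTTPS client;
# 10.0.0.60 is an admin box that port-scans but has no shared C&C-like channel.
FLOWS = (
    [("10.0.0.11", "203.0.113.7", 6667, "tcp", 12, 600, 60)] * 20
    + [("10.0.0.12", "203.0.113.7", 6667, "tcp", 11, 580, 60)] * 21
    + [("10.0.0.13", "203.0.113.7", 6667, "tcp", 12, 620, 60)] * 19
    + [("10.0.0.50", "198.51.100.9", 443, "tcp", 40, 38000, 5)] * 3
    + [("10.0.0.60", "198.51.100.9", 443, "tcp", 9, 4200, 2)]
)
# A-plane events (host, activity) as a scan/spam/binary-download/exploit monitor
# would emit them; also constructed.
ACTIVITIES = [
    ("10.0.0.11", "scan"), ("10.0.0.12", "scan"), ("10.0.0.13", "scan"),
    ("10.0.0.13", "spam"), ("10.0.0.60", "scan"),
]


def c_flow_features(flows, window_hours=WINDOW_HOURS):
    """Aggregate flows into C-flows keyed by (src, dst, dport, proto) and compute
    the four per-C-flow statistics BotMiner clusters on: flows per hour,
    packets per flow, bytes per packet and bytes per second."""
    groups = defaultdict(list)
    for src, dst, dport, proto, pkts, byts, secs in flows:
        groups[(src, dst, dport, proto)].append((pkts, byts, secs))
    feats = {}
    for key, recs in groups.items():
        n = len(recs)
        pkts = sum(r[0] for r in recs)
        byts = sum(r[1] for r in recs)
        secs = sum(r[2] for r in recs)
        feats[key] = (n / window_hours, pkts / n, byts / pkts, byts / max(secs, 1e-9))
    return feats


def greedy_cluster(points, max_dist=0.5):
    """Group feature vectors whose log-scaled Euclidean distance to a cluster's
    seed is within max_dist. Stand-in for the paper's X-means clustering;
    log scaling keeps bytes-per-second from dominating flows-per-hour."""
    clusters = []  # list of (seed_vector, [keys])
    for key, vec in points.items():
        v = [math.log1p(x) for x in vec]
        for seed, members in clusters:
            if math.dist(seed, v) <= max_dist:
                members.append(key)
                break
        else:
            clusters.append((v, [key]))
    return [members for _, members in clusters]


def c_plane_clusters(flows):
    """Hosts grouped by similar communication patterns (C-clusters); singleton
    groups carry no 'similar to another host' evidence and are dropped."""
    hosts = [{key[0] for key in members} for members in greedy_cluster(c_flow_features(flows))]
    return [h for h in hosts if len(h) >= 2]


def a_plane_clusters(events):
    """Hosts grouped by the kind of malicious activity observed (A-clusters)."""
    by_activity = defaultdict(set)
    for host, activity in events:
        by_activity[activity].add(host)
    return list(by_activity.values())


def detect(flows, events):
    """Cross-plane correlation: a host earns one point per other host that shares
    both a C-cluster and an A-cluster with it. Hosts with a positive score are
    reported as bots; a shared C-cluster or a shared activity alone is not enough."""
    scores = defaultdict(int)
    for c in c_plane_clusters(flows):
        for a in a_plane_clusters(events):
            common = c & a
            if len(common) >= 2:
                for host in common:
                    scores[host] += len(common) - 1
    return dict(scores)


if __name__ == "__main__":
    for host, score in sorted(detect(FLOWS, ACTIVITIES).items()):
        print(host, score)
```

On the constructed input the three beaconing hosts are reported with score 2 each, while 10.0.0.60 is not: it scans, but shares no communication cluster with another scanning host, which is exactly the single-plane false positive the cross-plane step is meant to suppress. The detection is also protocol-independent in the sense the title claims: nothing above inspects payloads or port semantics, only flow shape and activity.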

Citations

Botnet Detection by Monitoring Similar Communication Patterns
TLDR: This paper provides a taxonomy of botnet C&C channels, evaluates the well-known protocols used in each of them, and proposes a new general detection framework that currently focuses on P2P-based and IRC-based botnets.
An anomaly-based botnet detection approach for identifying stealthy botnets
TLDR: This paper proposes a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, or C&C server addresses, and shows that the approach has high detection accuracy and a low false positive rate.
A Proposed Framework for P2P Botnet Detection
TLDR: This paper proposes a new detection framework that focuses on P2P-based botnets, and defines a botnet as a group of bots that perform similar communication and malicious activity patterns within the same botnet.
A taxonomy of Botnet detection techniques
TLDR: This survey classifies botnet detection techniques into two approaches: one based on setting up honeynets, and one based on intrusion detection systems (IDS), which is further categorized into signature-based and anomaly-based detection techniques.
Botnet Detection using NetFlow and Clustering
TLDR: A novel approach for botnet detection using NetFlow data records and a clustering technique is shown, and a tree-like graph is built that encodes the relationships among the bots.
BotOnus: An Online Unsupervised Method for Botnet Detection
TLDR: This paper proposes an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets, and demonstrates the effectiveness of the method in detecting various botnets, including HTTP-, IRC-, and P2P-based botnets, on a testbed network.
BotOnus: an online unsupervised method for Botnet detection
TLDR: This paper proposes an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets, and shows that it can successfully detect various botnets with an average detection rate of 94.33% and an average false alarm rate of 3.74%.
Automatic discovery of botnet communities on large-scale communication networks
TLDR: This paper proposes a new hierarchical framework to automatically discover botnets on a large-scale WiFi ISP network, in which the network traffic is first classified into different application communities using payload signatures and a novel cross-association clustering algorithm, and then, for each application community obtained, the temporal-frequent characteristics of flows are analyzed.
CABD: A Content Agnostic Botnet Detection System
TLDR: CABD should work independently of the underlying botnet structure, be able to detect infected hosts without correlating network events between two or more hosts, and, as "content agnostic" implies, perform detection in spite of encryption.
Detection of Botnet Command and Control Traffic in Enterprise Networks
TLDR: The ability of all three approaches to detect botnet C&C traffic differently from existing techniques allows them to be implemented in the intrusion detection systems of enterprise networks alongside existing anomaly-based and signature-based detection approaches, to improve diversity.

References

Showing 1-10 of 50 references
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
TLDR: This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.
Characterizing the IRC-based Botnet Phenomenon
TLDR: Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results on botnet activities that can only be measured via long-term measurements, including, among others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size, and end-host distributions.
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
TLDR: This paper outlines the origins and structure of bots and botnets, uses data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today, and describes a system to detect botnets that use advanced command and control systems by correlating secondary detection data from multiple sources.
Wide-Scale Botnet Detection and Characterization
TLDR: The approach presented here differs from previous attempts to detect botnets by employing scalable, non-intrusive algorithms that analyze vast amounts of summary traffic data collected on selected network links.
Revealing Botnet Membership Using DNSBL Counter-Intelligence
TLDR: It is found that bots are performing reconnaissance on behalf of other bots, and counter-intelligence techniques that may be useful for early bot detection are suggested.
Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
TLDR: This paper presents an approach to (distributed) DoS attack prevention based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them, and shows that this method can be realized in the Internet by describing how it infiltrated and tracked IRC-based botnets.
Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation
TLDR: A simple yet effective method to detect bot-infected machines within a given network that relies on detecting the communication channel between the bot and the Command & Control (C&C) server.
Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
TLDR: In a case study, the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.
Traffic Aggregation for Malware Detection
TLDR: This paper describes a system called TĀMD (pronounced "tamed") with which an enterprise can identify candidate groups of infected computers within its network by finding new communication "aggregates" involving multiple internal hosts, i.e., communication flows that share common characteristics.
A multifaceted approach to understanding the botnet phenomenon
TLDR: This paper attempts to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure, which shows that botnets are a major contributor to unwanted Internet traffic and provides deep insights that may facilitate further research to curtail this phenomenon.