On the detection and identification of botnets

Abstract

We develop and discuss automated, self-adaptive systems for detecting and classifying botnets, based on machine learning techniques combined with human expertise. The proposed concept is purely passive and relies on analyzing information collected at three levels: (i) the payload of single packets received, (ii) observed access patterns to the darknet at the level of network traffic, and (iii) observed contents of TCP/IP traffic at the protocol level. We illustrate experiments based on real-life data collected with a darknet set up for this purpose, showing the potential of the proposed concept for levels (i) and (ii). For level (iii) we use a small spamtrap, since a darknet cannot capture TCP/IP traffic data; this experiment is therefore not a purely passive approach, but traffic moving through a network could be analyzed in the same way to obtain a purely passive system for this level as well.

DOI: 10.1016/j.cose.2009.07.007

Cite this paper

@article{Seewald2010OnTD,
  title   = {On the detection and identification of botnets},
  author  = {Alexander K. Seewald and Wilfried N. Gansterer},
  journal = {Computers \& Security},
  year    = {2010},
  volume  = {29},
  pages   = {45-58}
}