Detection of abrupt changes: theory and application
Detection of abrupt changes: theory and application
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Learning nonstationary models of normal network traffic for detecting novel attacks
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Change-Point Monitoring for the Detection of DoS Attacks
IEEE Transactions on Dependable and Secure Computing
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Open source clustering software
Bioinformatics
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Understanding the network-level behavior of spammers
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
An algorithm for anomaly-based botnet detection
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Peer-to-peer botnets: overview and case study
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Wide-scale botnet detection and characterization
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Rishi: identify bot contaminated hosts by IRC nickname evaluation
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Spamscatter: characterizing internet scam hosting infrastructure
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Catching instant messaging worms with change-point detection techniques
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Towards systematic evaluation of the evadability of bot/botnet detection methods
WOOT'08 Proceedings of the 2nd conference on USENIX Workshop on offensive technologies
SS'08 Proceedings of the 17th conference on Security symposium
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Automated classification and analysis of internet malware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
The nepenthes platform: an efficient approach to collect malware
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Take a deep breath: a stealthy, resilient and cost-effective botnet using skype
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
On using mashups for composing network management applications
IEEE Communications Magazine
Challenges in experimenting with botnet detection systems
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
BOTMAGNIFIER: locating spambots on the internet
SEC'11 Proceedings of the 20th USENIX conference on Security
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
Detection and classification of different botnet C&C channels
ATC'11 Proceedings of the 8th international conference on Autonomic and trusted computing
Detecting malware's failover C&C strategies with squeeze
Proceedings of the 27th Annual Computer Security Applications Conference
BotFinder: finding bots in network traffic without deep packet inspection
Proceedings of the 8th international conference on Emerging networking experiments and technologies
Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis
Proceedings of the 28th Annual Computer Security Applications Conference
Computer Networks: The International Journal of Computer and Telecommunications Networking
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates
SEC'13 Proceedings of the 22nd USENIX conference on Security
| Hi-index | 0.00 |
A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives.