IEEE Security and Privacy
Transport layer identification of P2P traffic
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Botnet Detection by Monitoring Group Activities in DNS Traffic
CIT '07 Proceedings of the 7th IEEE International Conference on Computer and Information Technology
Effective Flow Filtering for Botnet Search Space Reduction
CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Cross-Layer Peer-to-Peer Traffic Identification and Optimization Based on Active Networking
Active and Programmable Networks
Periodic behavior in botnet command and control channels traffic
GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Genetic-based real-time fast-flux service networks detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Effective bot host detection based on network failure models
Computer Networks: The International Journal of Computer and Telecommunications Networking
Hi-index | 0.00 |
Botnet has become a popular technique for deploying Internet crimes. Although signature-based bot detection techniques are accurate, they could be useless when bot variants are encountered. Therefore, behavior-based detection techniques become attractive due to their ability to detect bot variants and even unknown bots. In this paper, we propose a behavior-based botnet detection system based on fuzzy pattern recognition techniques. We intend to identify bot-relevant domain names and IP addresses by inspecting network traces. If domain names and IP addresses used by botnets can be identified, the information can be further used to prevent protected hosts from becoming one member of a botnet. To work with fuzzy pattern recognition techniques, we design several membership functions based on frequently observed bots' behavior including: (1) generate failed DNS queries; (2) have similar DNS query intervals; (3) generate failed network connections; and (4) have similar payload sizes for network connections. Membership functions can be easily altered, removed, or added to enhance the capability of the proposed system. In addition, to improve the overall system performance, we develop a traffic reduction algorithm to reduce the amount of network traffic required to be inspected by the proposed system. Performance evaluation results based on real traces show that the proposed system can reduce more than 70% input raw packet traces and achieve a high detection rate (about 95%) and a low false positive rates (0-3.08%). Furthermore, the proposed FPRF algorithm is resource-efficient and can identify inactive botnets to indicate potential vulnerable hosts.