BotGAD: detecting botnets by capturing group activities in network traffic
Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE
Botnets have become the main vehicle for online crime such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards botnet detection, evolving evasion techniques easily thwart it. Moreover, existing approaches can be overwhelmed by the large amount of data that must be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristic, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector), needs only a small amount of data from DNS traffic to detect botnets, rather than the full content of network traffic or known signatures. BotGAD can detect botnets in a large-scale network in real time even when the botnet uses encrypted communication. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources, including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large-scale networks.
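The abstract's core idea is that bots betray themselves through group activity in DNS: the same set of hosts resolves the same domain at about the same time, window after window, while legitimate lookups come from a changing, loosely correlated population. The example below, added here as an illustration and not BotGAD's own algorithm or code, implements the simplest form of that heuristic: bucket DNS queries into fixed time windows, build the set of querying clients per domain and window, and score each domain by its mean group size and the Jaccard similarity of its client set across consecutive windows. The log format, window length, thresholds and all sample queries are constructed assumptions for the demonstration.

```python
"""Simplified DNS group-activity heuristic (illustration; not BotGAD's algorithm).

Input is a list of (timestamp_seconds, client_ip, queried_domain) tuples, the
minimal fields a passive DNS tap or resolver log would provide. Only query
metadata is needed, which is why the approach is unaffected by C&C encryption.
"""
from collections import defaultdict

# --- constructed sample log ---------------------------------------------------
# Five bots resolve the C&C domain together in every 60 s window.
BOTS = [f"10.0.0.{i}" for i in range(1, 6)]
SAMPLE_QUERIES = []
for w in range(4):
    SAMPLE_QUERIES += [(w * 60 + 5, bot, "cnc.example") for bot in BOTS]

# A benign site: small, churning set of clients, no stable group.
SAMPLE_QUERIES += [
    (10, "10.0.1.1", "www.example"), (20, "10.0.1.2", "www.example"),
    (70, "10.0.1.3", "www.example"),
    (130, "10.0.1.1", "www.example"), (140, "10.0.1.4", "www.example"),
    (150, "10.0.1.5", "www.example"),
    (190, "10.0.1.6", "www.example"),
]

# A popular CDN name: large groups, but membership alternates between windows,
# so size alone would be a false positive while the similarity term rejects it.
for w in range(4):
    hosts = range(1, 5) if w % 2 == 0 else range(5, 9)
    SAMPLE_QUERIES += [(w * 60 + 30, f"10.0.2.{i}", "cdn.example") for i in hosts]


def bucket_by_window(queries, window_seconds):
    """Return {domain: {window_index: set(client_ips)}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for ts, client, domain in queries:
        groups[domain][ts // window_seconds].add(client)
    return groups


def jaccard(a, b):
    """Jaccard similarity of two client sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_activity_scores(queries, window_seconds=60):
    """Return {domain: (mean_group_size, mean_consecutive_similarity, windows_spanned)}.

    Windows between a domain's first and last appearance in which it was not
    queried count as empty sets, so intermittent lookups lower the similarity.
    """
    scores = {}
    for domain, per_window in bucket_by_window(queries, window_seconds).items():
        first, last = min(per_window), max(per_window)
        sets = [per_window.get(i, set()) for i in range(first, last + 1)]
        sizes = [len(s) for s in sets]
        sims = [jaccard(a, b) for a, b in zip(sets, sets[1:])]
        mean_size = sum(sizes) / len(sizes)
        mean_sim = sum(sims) / len(sims) if sims else 0.0
        scores[domain] = (mean_size, mean_sim, len(sets))
    return scores


def detect_group_activity(queries, window_seconds=60, min_group=3,
                          min_similarity=0.8, min_windows=3):
    """Flag domains whose querying group is both large and stable over time."""
    flagged = []
    for domain, (size, sim, n) in group_activity_scores(queries, window_seconds).items():
        if n >= min_windows and size >= min_group and sim >= min_similarity:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, (size, sim, n) in sorted(group_activity_scores(SAMPLE_QUERIES).items()):
        print(f"{domain:<14} windows={n} mean_group={size:.2f} mean_similarity={sim:.2f}")
    print("flagged:", detect_group_activity(SAMPLE_QUERIES))
```

On the constructed log only cnc.example is flagged: its five clients recur in every window (similarity 1.0), while cdn.example has a comparable group size but alternating membership and www.example has neither. The thresholds are illustrative and would be tuned per network; the abstract's remark about evasion applies directly to this toy, since a botnet that jitters its lookups across window boundaries or rotates which bots query in each window lowers the consecutive-window similarity, which is why a real detector needs more than a single fixed window.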