Detection of botnets before activation: an enhanced honeypot system for intentional infection and behavioral observation of malware

Authors:
Young Hoon Moon;Eunjin Kim;Suh Mahn Hur;Huy Kang Kim
Affiliations:
Center for Information Security Technologies (CIST), Graduate School of Information Security, Korea University, Seoul, South Korea;Kyonggi University, Suwon, Gyunggi-doSouth Korea;Solution Operation Team, Saint Security Co, Ltd., Seoul, South Korea;Center for Information Security Technologies (CIST), Graduate School of Information Security, Korea University, Seoul, South Korea
Venue:
Security and Communication Networks
Year:
2012

Citing 10
Cited 0

A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
An algorithm for anomaly-based botnet detection

SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Botnet Detection by Monitoring Group Activities in DNS Traffic

CIT '07 Proceedings of the 7th IEEE International Conference on Computer and Information Technology
Bot Detection Based on Traffic Analysis

IPC '07 Proceedings of the The 2007 International Conference on Intelligent Pervasive Computing
Spamming botnets: signatures and characteristics

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
A Survey of Botnet and Botnet Detection

SECURWARE '09 Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies
A Systematic Study on Peer-to-Peer Botnets

ICCCN '09 Proceedings of the 2009 Proceedings of 18th International Conference on Computer Communications and Networks
Botnet: classification, attacks, detection, tracing, and preventive measures

ICICIC '09 Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control

Quantified Score

Hi-index	0.00

Visualization

Abstract

As botnets have become the primary means for cyber attacks, how to detect botnets becomes an important issue for researchers and practitioners. In this study, we introduce a system that is designed to detect botnets prior to their activation. Pre-detection of botnets becomes available with our enhanced honeypot system that allows us to intentionally infect virtual machines in honeynets. For empirical testing, we applied our system to a major Internet service provider in Korea. After running our proposed system for 12 months, it was found that nearly 40% of blacklisted botnets were pre-detected by our system before their attacks begin. We expect that our system can be used to detect command-and-control servers and to screen them out during their propagation stage before they make harmful attacks. Copyright © 2012 John Wiley & Sons, Ltd.