Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis

  • Authors:
  • Leyla Bilge;Davide Balzarotti;William Robertson;Engin Kirda;Christopher Kruegel

  • Affiliations:
  • Symantec Research Labs;Eurecom;Northeastern University;Northeastern University;UC Santa Barbara

  • Venue:
  • Proceedings of the 28th Annual Computer Security Applications Conference
  • Year:
  • 2012

Quantified Score

Hi-index 0.00

Visualization

Abstract

Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory. On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection. In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.