CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

Authors:
Christian J. Dietrich;Christian Rossow;Norbert Pohlmann
Affiliations:
Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Neidenburger Str. 43, 45877 Gelsenkirchen, Germany and Department of Computer Science, Friedrich-Alexander University ...;Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Neidenburger Str. 43, 45877 Gelsenkirchen, Germany and VU University Amsterdam, The Network Institute, The Netherland ...;Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Neidenburger Str. 43, 45877 Gelsenkirchen, Germany
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2013

Citing 9
Cited 2

Rishi: identify bot contaminated hosts by IRC nickname evaluation

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
FIRE: FInding Rogue nEtworks

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Botzilla: detecting the "phoning home" of malicious software

Proceedings of the 2010 ACM Symposium on Applied Computing
BotGrep: finding P2P bots with structured graph analysis

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Sandnet: network traffic analysis of malicious software

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
JACKSTRAWS: picking command and control connections from bot traffic

SEC'11 Proceedings of the 20th USENIX conference on Security
On Botnets That Use DNS for Command and Control

EC2ND '11 Proceedings of the 2011 Seventh European Conference on Computer Network Defense
Large-Scale analysis of malware downloaders

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Editorial: Editorial for Computer Networks special issue on ''Botnet Activity: Analysis, Detection and Shutdown''

Computer Networks: The International Journal of Computer and Telecommunications Networking
ProVeX: detecting botnets with encrypted command and control channels

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%.