Rishi: identify bot contaminated hosts by IRC nickname evaluation
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
SS'08 Proceedings of the 17th conference on Security symposium
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Botzilla: detecting the "phoning home" of malicious software
Proceedings of the 2010 ACM Symposium on Applied Computing
BotGrep: finding P2P bots with structured graph analysis
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Sandnet: network traffic analysis of malicious software
Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
On Botnets That Use DNS for Command and Control
EC2ND '11 Proceedings of the 2011 Seventh European Conference on Computer Network Defense
Large-Scale analysis of malware downloaders
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Computer Networks: The International Journal of Computer and Telecommunications Networking
ProVeX: detecting botnets with encrypted command and control channels
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hi-index | 0.00 |
We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%.