Effective bot host detection based on network failure models

Authors:
Chun-Ying Huang
Affiliations:
Department of Computer Science and Engineering, National Taiwan Ocean University, 2 Pei-Ning Road, Keelung 20224, Taiwan
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2013

Citing 11
Cited 1

Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Botnet Detection by Monitoring Group Activities in DNS Traffic

CIT '07 Proceedings of the 7th IEEE International Conference on Computer and Information Technology
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability

SECTECH '08 Proceedings of the 2008 International Conference on Security Technology
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Measurement and classification of humans and bots in internet chat

SS'08 Proceedings of the 17th conference on Security symposium
The WEKA data mining software: an update

ACM SIGKDD Explorations Newsletter
Exploiting Temporal Persistence to Detect Covert Botnet Channels

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Active Botnet Probing to Identify Obscure Command and Control Channels

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
A fuzzy pattern-based filtering algorithm for botnet detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Identifying botnets by capturing group activities in DNS traffic

Computer Networks: The International Journal of Computer and Telecommunications Networking

Editorial: Editorial for Computer Networks special issue on ''Botnet Activity: Analysis, Detection and Shutdown''

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Botnet is one of the most notorious threats to Internet users. Attackers intrude into a large group of computers, install remote-controllable software, and then ask the compromised computers to launch large-scale Internet attacks, including sending spam and DDoS attacks. From the perspective of network administrators, it is important to identify bots in local networks. Bots residing in a local network could increase the difficulty to manage the network. Compared with bots outside of a local network, inside bots can easily bypass access controls applied to outsiders and access resources restricted to local users. In this paper, we propose an effective solution to detect bot hosts within a monitored local network. Based on our observations, a bot often has a differentiable failure pattern because of the botnet-distributed design and implementation. Hence, by monitoring failures generated by a single host for a short period, it is possible to determine whether the host is a bot or not by using a well-trained model. The proposed solution does not rely on aggregated network information, and therefore, works independent of network size. Our experiments show that the failure patterns among normal traffic, peer-to-peer traffic, and botnet traffic can be classified accurately. In addition to the ability to detect bot variants, the classification model can be retrained systematically to improve the detection ability for new bots. The evaluation results show that the proposed solution can detect bot hosts with more than 99% accuracy, whereas the false positive rate is lower than 0.5%.