Botnets are among the most notorious threats to Internet users. Attackers compromise a large group of computers, install remote-controllable software, and then command the compromised machines to launch large-scale Internet attacks, including spam campaigns and DDoS attacks. From the perspective of network administrators, it is important to identify bots in local networks. Bots residing in a local network make the network harder to manage: compared with bots outside the network, inside bots can easily bypass access controls applied to outsiders and reach resources restricted to local users. In this paper, we propose an effective solution to detect bot hosts within a monitored local network. Based on our observations, a bot often exhibits a distinguishable failure pattern because of the distributed design and implementation of botnets. Hence, by monitoring the failures generated by a single host for a short period, a well-trained model can determine whether the host is a bot. The proposed solution does not rely on aggregated network information and therefore works independently of network size. Our experiments show that the failure patterns of normal traffic, peer-to-peer traffic, and botnet traffic can be classified accurately. In addition to detecting bot variants, the classification model can be retrained systematically to improve detection of new bots. The evaluation results show that the proposed solution detects bot hosts with more than 99% accuracy, while the false positive rate is lower than 0.5%.
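As an added illustration of the per-host failure-pattern idea the abstract describes (example code written for this page, not the paper's implementation), the block below groups network events by source host, computes failure features over a short observation window, and scores each host. The event records, the set of failure types, the window length, and the hand-weighted linear score standing in for the paper's trained model are all assumptions; a real deployment would replace that score with a classifier trained on labelled traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of per-host network events (not data from the paper).
# Each tuple: (timestamp_seconds, source_host, event_type, destination)
SAMPLE_EVENTS: List[Tuple[int, str, str, str]] = [
    # host 10.0.0.5: mostly successful, one stray DNS typo -> normal-looking
    (0, "10.0.0.5", "dns_ok", "example.com"),
    (3, "10.0.0.5", "tcp_ok", "93.184.216.34:443"),
    (7, "10.0.0.5", "dns_nxdomain", "typo-exmaple.com"),
    (12, "10.0.0.5", "tcp_ok", "93.184.216.34:443"),
    (20, "10.0.0.5", "tcp_ok", "192.0.2.10:443"),
    (25, "10.0.0.5", "dns_ok", "example.org"),
    # host 10.0.0.9: repeated DNS failures for many names and TCP failures to
    # many unreachable peers in a short span -> failure-heavy pattern
    (0, "10.0.0.9", "dns_nxdomain", "a1b2c3.example.invalid"),
    (1, "10.0.0.9", "dns_nxdomain", "d4e5f6.example.invalid"),
    (2, "10.0.0.9", "tcp_rst", "198.51.100.7:6667"),
    (3, "10.0.0.9", "tcp_timeout", "198.51.100.8:6667"),
    (4, "10.0.0.9", "dns_nxdomain", "g7h8i9.example.invalid"),
    (5, "10.0.0.9", "tcp_timeout", "198.51.100.9:6667"),
    (6, "10.0.0.9", "tcp_ok", "203.0.113.2:80"),
    (7, "10.0.0.9", "tcp_rst", "198.51.100.10:6667"),
]

# Assumed set of event types counted as failures.
FAILURE_TYPES = {"dns_nxdomain", "tcp_rst", "tcp_timeout"}


@dataclass
class FailureFeatures:
    events: int                 # all events seen from the host in the window
    failures: int               # events whose type is in FAILURE_TYPES
    failure_ratio: float        # failures / events
    distinct_failed_dsts: int   # how many different destinations failed
    dns_failure_ratio: float    # share of failures that were DNS failures
    failures_per_second: float  # failures / window length


def extract_features(events, window_s: int) -> Dict[str, FailureFeatures]:
    """Build per-host failure features from events with timestamp < window_s."""
    by_host = defaultdict(list)
    for ts, host, etype, dst in events:
        if ts < window_s:
            by_host[host].append((etype, dst))
    feats = {}
    for host, evs in by_host.items():
        failed = [(t, d) for t, d in evs if t in FAILURE_TYPES]
        n_fail = len(failed)
        dns_fail = sum(1 for t, _ in failed if t == "dns_nxdomain")
        feats[host] = FailureFeatures(
            events=len(evs),
            failures=n_fail,
            failure_ratio=n_fail / len(evs),
            distinct_failed_dsts=len({d for _, d in failed}),
            dns_failure_ratio=(dns_fail / n_fail) if n_fail else 0.0,
            failures_per_second=n_fail / window_s,
        )
    return feats


def score_host(f: FailureFeatures) -> float:
    """Stand-in for the trained model: hand-picked linear weights (an assumption,
    chosen only to make the example run; not the paper's classifier)."""
    return round(
        0.5 * f.failure_ratio
        + 0.3 * min(f.distinct_failed_dsts / 5.0, 1.0)
        + 0.2 * min(f.failures_per_second / 0.2, 1.0),
        3,
    )


def classify_hosts(events, window_s: int = 30, threshold: float = 0.5) -> Dict[str, str]:
    """Label each host 'bot' or 'normal' from its failure pattern in one window."""
    feats = extract_features(events, window_s)
    return {h: ("bot" if score_host(f) >= threshold else "normal")
            for h, f in feats.items()}


if __name__ == "__main__":
    for host, feat in extract_features(SAMPLE_EVENTS, 30).items():
        print(host, feat, score_host(feat))
    print(classify_hosts(SAMPLE_EVENTS))
```

Because every feature is computed from one host's own events, the detection cost does not grow with the number of hosts on the network, which is the size-independence property the abstract claims. Retraining, in this framing, means refitting the weights in `score_host` on freshly labelled windows rather than changing the feature extraction.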