E. Khoshhalpour; H. R. Shahriari
Abstract
Nowadays, botnets are considered as essential tools for planning serious cyber attacks. Botnets are used to perform various malicious activities such as DDoS attacks and sending spam emails. Different approaches are presented to detect botnets; however most of them may be ineffective when ...
Read More
Nowadays, botnets are considered as essential tools for planning serious cyber attacks. Botnets are used to perform various malicious activities such as DDoS attacks and sending spam emails. Different approaches are presented to detect botnets; however most of them may be ineffective when there are only a few infected hosts in monitored network, as they rely on similarity in bots activities to detect the botnet. In this paper, we present a host-based method that can detect individual bot-infected hosts. This approach is based on botnet life-cycle, which includes common symptoms of almost all types of botnet despite their differences. We analyze network activities of each process running on the host and propose some heuristics to distinguish behavioral patterns of bot process from legitimate ones based on statistical features of packet sequences and evaluating an overall security risk for it. To show the effectiveness of the approach, a tool named BotRevealer has been implemented and evaluated using real botnets and several popular applications. The results show that in spite of diversity of botnets, BotRevealer can effectively detect the bot process among other active processes.
M. Yahyazadeh; M. Abadi
Abstract
Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods produce a number of good ideas, ...
Read More
Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods produce a number of good ideas, but they are far from complete yet, since most of them cannot detect botnets in an early stage of their lifecycle; moreover, they depend on a particular command and control (C&C) protocol. In this paper, we address these issues and propose an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets. It extracts a set of flow feature vectors from the network traffic at the end of each time period, and then groups them to some flow clusters by a novel online fixed-width clustering algorithm. Flow clusters that have at least two members, and their intra-cluster similarity is above a similarity threshold, are identified as suspicious botnet clusters, and all hosts in such clusters are identified as bot infected. We demonstrate the effectiveness of BotOnus to detect various botnets including HTTP-, IRC-, and P2P-based botnets using a testbed network. The results of experiments show that it can successfully detect various botnets with an average detection rate of 94.33% and an average false alarm rate of 3.74%.