research-article

Detecting botnet by anomalous traffic

Authors:

Hsiao-Chung LinAuthors Info & Claims

Journal of Information Security and Applications, Volume 21, Issue C

Pages 42 - 51

https://doi.org/10.1016/j.jisa.2014.05.002

Published: 01 April 2015 Publication History

Abstract

Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and control channel. Botnets often use IRC (Internet Relay Chat) as a communication channel through which the botmaster can control the bots to launch attacks or propagate more infections. In this paper, anomaly score based botnet detection is proposed to identify the botnet activities by using the similarity measurement and the periodic characteristics of botnets. To improve the detection rate, the proposed system employs two-level correlation relating the set of hosts with same anomaly behaviors. The proposed method can differentiate the malicious network traffic generated by infected hosts (bots) from that by normal IRC clients, even in a network with only a very small number of bots. The experiment results show that, regardless the size of the botnet in a network, the proposed approach efficiently detects abnormal IRC traffic and identifies botnet activities.

References

[1]

M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, S. Yamaguchi, A proposal of metrics for botnet detection based on its cooperative behavior, in: Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, 2007.

Digital Library

[2]

Auzzie, Creating an IRC bot in PHP, January, 22, 2009. http://www.dreamincode.net/forums/topic/82278-creating-an-irc-bot-in-php/

[3]

P. Barford, V. Yegneswaran, An inside look at botnets, in: Special Workshop on Malware Detection, Advances in Information Security, 2006.

[4]

Bashscripts.org, IRC bot ping/pong, April 10, 2011.

[5]

J.R. Binkley, S. Singh, An algorithm for anomaly-based botnet detection, in: USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet, 2006, pp. 43-48.

[6]

H. Choi, H. Lee, H. Lee, H. Kim, Botnet detection by monitoring group activities in DNS traffic, in: 7th IEEE International Conference on Computer and Information Technology, 2007.

Digital Library

[7]

H. Choi, H. Lee, H. Kim, BotGAD: detecting botnets by capturing group activities in network traffic, in: Proceedings of the Fourth International ICST Conference on Communication System Software and Middleware, 2009.

[8]

E. Cooke, F. Jahanian, D. McPherson, The zombie roundup: understanding, detecting, and disrupting botnets, in: Proceedings of the Steps to Reducing Unwanted Traffic on the Internet, 2005, pp. 39-44.

[9]

Dell' SonicWALL' Threat Research Team, Dell network security threat report 2013, 2013.

[10]

F.C. Freiling, T. Holz, G. Wicherski, Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks, Lect Notes Comput Sci, 3679 (2005) 319-335.

Digital Library

[11]

M. Freily, A. Shahrestani, S. Ramadass, A survey of botnet and botnet detection, in: The International Conference on Emerging Security Information, Systems and Technologies, 2009, pp. 268-273.

[12]

G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, in: SS'07, Proceedings of 16th USENIX Security Symposium, 2007, pp. 167-182.

[13]

G. Gu, J. Zhang, W. Lee, BotSniffer: detecting botnet command and control channels in network traffic, in: Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.

[14]

G. Gu, P. Perdisci, J. Zhang, W. Lee, BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection, in: Proceedings of the 17th USENIX Security Symposium, 2008.

Digital Library

[15]

HKCERT, Hong Kong security watch report (Q4 2013), 2013.

[16]

IRC Logs Archive. IRC Logs, http://www.irclog.org.

[17]

A. Karasaridis, B. Rexroad, D. Hoeflin, Wide-scale botnet detection and characterization, in: HotBots'07 First Workshop on Hot Topics in Understanding Botnets, 2007.

Digital Library

[18]

J. Leonard, Shouhuai Xu, R. Sandhu, A framework for understanding botnets, in: International Conference on Availability, Reliability and Security, 2009, pp. 917-922.

[19]

C. Livadas, B. Walsh, D. Lapsley, W.T. Strayer, Using machine learning techniques to identify botnet traffic, in: Proceedings 2006 31st IEEE Conference on Local Computer Networks, 2006, pp. 967-974.

[20]

W. Lu, M. Tavallaee, A.A. Ghorbani, Clustering botnet communication traffic based on n-gram feature selection, Comput Commun, 34 (2011) 502-514.

Digital Library

[21]

M.M. Masud, T. Al-khateeb, L. Khan, B. Thuraisingham, K.W. Hamlen, Flow-based identification of botnet traffic by mining multiple log files, in: First International Conference on Distributed Framework and Applications, 2008, pp. 200-206.

[22]

McAfee Labs, McAfee threats report: first quarter 2012, 2012. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf

[23]

M.A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, A multifaceted approach to understanding the botnet phenomenon, in: Internet Measurement Conference 2006, 2006.

[24]

A. Ramachandran, N. Feamster, D. Dagon, Revealing botnet membership using DNSBL counter-intelligence, in: Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, vol. 2, 2006, pp. 8-13.

[25]

M. Shake, C++ irc bot ping-pong help, August 28, 2007. http://www.rohitab.com/discuss/topic/26730-c-irc-bot-ping-pong-help/

[26]

Stack Overflow, Java irc bot ping poing, May 22, 2012. http://stackoverflow.com/questions/10710071/java-irc-bot-ping-pong

[27]

E. Stinson, J.C. Mitchell, Characterizing bots' remote control behavior, Lect Notes Comput Sci, 4579 (2007) 89-108.

[28]

W.T. Strayer, B. Walsh, C. Livadas, D. Lapsley, Detecting botnets with tight command and control, in: 31st IEEE Conference on Local Computer Networks, 2006, pp. 195-202.

[29]

W.T. Strayer, D. Lapsely, R. Walsh, C. Livadas, Botnet detection based on network behavior, 2008.

[30]

TACERT, . http://cert.tanet.edu.tw

[31]

Taichung City Government Education Bureau, Taichung education network center, anomalous traffic and incident report, 2013. http://163.17.40.10/net/netflow

[32]

Trend Micro, The trend micro 2008 annual threat roundup and 2009 forecast, 2009.

[33]

Trustwave, 2013 Trustwave global security report, 2013. https://www2.trustwave.com/2013GSR.html

[34]

TWISC@NCKU. Testbed@TWISC, http://testbed.ncku.edu.tw.

[35]

R. Villamarín-Salomón, J.C. Brustoloni, Identifying botnets using anomaly detection techniques applied to DNS traffic, in: 5th IEEE Consumer Communications and Networking Conference, 2008, pp. 476-481.

[36]

R. Villamarín-Salomón, J.C. Brustoloni, Bayesian bot detection based on DNS traffic similarity, in: Proceedings of the 2009 ACM Symposium on Applied Computing, 2009, pp. 2035-2041.

[37]

R.A. Wagner, M.J. Fischer, The string-to-string correction problem, J ACM, 21 (1974) 168-173.

Digital Library

[38]

T.F. Yen, M.K. Reiter, Traffic aggregation for malware detection, Lect Notes Comput Sci, 5137 (2008) 207-227.

[39]

D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. Ghorbani, Botnet detection based on traffic behavior analysis and flow intervals, Computer Security, 39 (2013) 2-16.

Digital Library

Cited By

Shojarazavi TBarati HBarati A(2022)A wrapper method based on a modified two-step league championship algorithm for detecting botnets in IoT environmentsComputing10.1007/s00607-022-01070-9104:8(1753-1774)Online publication date: 1-Aug-2022
https://dl.acm.org/doi/10.1007/s00607-022-01070-9
Gandhi HMehra MRibeiro V(2021)BOND: Efficient and Frugal DL Model Co-design for Botnet detection on IoT GatewaysProceedings of the First International Conference on AI-ML Systems10.1145/3486001.3486237(1-7)Online publication date: 21-Oct-2021
https://dl.acm.org/doi/10.1145/3486001.3486237
Nazari MDahmardeh ZAliabady S(2021)A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic BehaviorSN Computer Science10.1007/s42979-021-00634-42:4Online publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1007/s42979-021-00634-4
Show More Cited By

Index Terms

Detecting botnet by anomalous traffic

Index terms have been assigned to the content through auto-classification.

Recommendations

Detecting botnet using traffic behaviour analysis and extraction of effective flow features

Botnets is one of the most serious attacks that cause irreversible damage to systems and networks, and it is important to detect and prevent botnets as attacks using them are constantly occurring. In the paper, the botnet detection method proposed so far ...
A Survey of Botnet and Botnet Detection
SECURWARE '09: Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies

Among the various forms of malware, botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical ...
Clustering botnet communication traffic based on n-gram feature selection

Recognized as one the most serious security threats on current Internet infrastructure, botnets can not only be implemented by existing well known applications, e.g. IRC, HTTP, or Peer-to-Peer, but also can be constructed by unknown or creative ...

Comments

Information & Contributors

Information

Published In

cover image Journal of Information Security and Applications

Journal of Information Security and Applications Volume 21, Issue C

April 2015

63 pages

ISSN:2214-2126

Issue’s Table of Contents

Copyright © Elsevier Ltd.

Publisher

Elsevier Science Inc.

United States

Publication History

Published: 01 April 2015

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Shojarazavi TBarati HBarati A(2022)A wrapper method based on a modified two-step league championship algorithm for detecting botnets in IoT environmentsComputing10.1007/s00607-022-01070-9104:8(1753-1774)Online publication date: 1-Aug-2022
https://dl.acm.org/doi/10.1007/s00607-022-01070-9
Gandhi HMehra MRibeiro V(2021)BOND: Efficient and Frugal DL Model Co-design for Botnet detection on IoT GatewaysProceedings of the First International Conference on AI-ML Systems10.1145/3486001.3486237(1-7)Online publication date: 21-Oct-2021
https://dl.acm.org/doi/10.1145/3486001.3486237
Nazari MDahmardeh ZAliabady S(2021)A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic BehaviorSN Computer Science10.1007/s42979-021-00634-42:4Online publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1007/s42979-021-00634-4
Moodi MGhazvini MMoodi HGhavami B(2020)A smart adaptive particle swarm optimization–support vector machine: android botnet detection applicationThe Journal of Supercomputing10.1007/s11227-020-03233-x76:12(9854-9881)Online publication date: 4-Mar-2020
https://dl.acm.org/doi/10.1007/s11227-020-03233-x
Gabryel MDamaševičius RPrzybyszewski K(2018)Application of the Bag-of-Words Algorithm in Classification the Quality of Sales LeadsArtificial Intelligence and Soft Computing10.1007/978-3-319-91253-0_57(615-622)Online publication date: 3-Jun-2018
https://dl.acm.org/doi/10.1007/978-3-319-91253-0_57

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents