Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis

Published: 03 December 2012
Abstract

    Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory. On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection.
    In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.
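The three feature groups the abstract names (flow sizes, client access patterns, temporal behavior) worked as an added illustration; this is not Disclosure's own code, and the record layout, threshold values and sample flows are constructed assumptions:

```python
# Added illustration of the abstract's three NetFlow feature groups; not
# Disclosure's code. Record layout, thresholds and sample flows are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (start_seconds, client_ip, server_ip, bytes)
FLOWS = [
    # two clients polling 198.51.100.9 every 300 s with near-constant payloads
    (0, "10.0.0.5", "198.51.100.9", 412), (300, "10.0.0.5", "198.51.100.9", 412),
    (600, "10.0.0.5", "198.51.100.9", 416), (900, "10.0.0.5", "198.51.100.9", 412),
    (1200, "10.0.0.5", "198.51.100.9", 412), (100, "10.0.0.7", "198.51.100.9", 412),
    (400, "10.0.0.7", "198.51.100.9", 412), (700, "10.0.0.7", "198.51.100.9", 412),
    (1000, "10.0.0.7", "198.51.100.9", 412),
    # ordinary web server 203.0.113.20: irregular timing, widely varying sizes
    (12, "10.0.0.5", "203.0.113.20", 1500), (37, "10.0.0.5", "203.0.113.20", 93000),
    (500, "10.0.0.5", "203.0.113.20", 2100), (640, "10.0.0.9", "203.0.113.20", 5200),
    (651, "10.0.0.9", "203.0.113.20", 230), (900, "10.0.0.7", "203.0.113.20", 48000),
]

def extract_features(flows):
    """Group flows by server and derive one feature dict per server."""
    by_server = defaultdict(list)
    for ts, client, server, nbytes in flows:
        by_server[server].append((ts, client, nbytes))
    feats = {}
    for server, recs in by_server.items():
        sizes = [b for _, _, b in recs]
        per_client = defaultdict(list)               # client -> flow start times
        for ts, client, _ in recs:
            per_client[client].append(ts)
        cvs = []                                     # per-client gap regularity
        for times in per_client.values():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(gaps) >= 2:                       # need >1 gap to judge regularity
                cvs.append(pstdev(gaps) / mean(gaps))
        feats[server] = {
            "size_cv": pstdev(sizes) / mean(sizes),          # flow-size group
            "distinct_sizes": len(set(sizes)),
            "clients": len(per_client),                      # access-pattern group
            "flows_per_client": len(recs) / len(per_client),
            "interarrival_cv": mean(cvs) if cvs else None,  # temporal group
        }
    return feats

def looks_like_c2(f, size_cv_max=0.05, gap_cv_max=0.1, min_polls=3):
    """Constructed cut-offs for illustration; a real detector would learn the
    boundary from labelled flows instead of hard-coding it."""
    return (f["interarrival_cv"] is not None and f["interarrival_cv"] <= gap_cv_max
            and f["size_cv"] <= size_cv_max and f["flows_per_client"] >= min_polls)
```

On the constructed flows the polled server scores as regular in both size and timing while the web server does not; on real NetFlow the external reputation scores the abstract mentions would be layered on top to cut false positives.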


          Published In

          ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
          December 2012
          464 pages
          ISBN:9781450313124
          DOI:10.1145/2420950

          Sponsors

          • ACSA: Applied Computing Security Assoc

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Conference

          ACSAC '12: Annual Computer Security Applications Conference
          December 3 - 7, 2012
          Orlando, Florida, USA

          Acceptance Rates

          ACSAC '12 Paper Acceptance Rate 44 of 231 submissions, 19%;
          Overall Acceptance Rate 104 of 497 submissions, 21%

          Cited By

          • (2024) GBDT-IL: Incremental Learning of Gradient Boosting Decision Trees to Detect Botnets in Internet of Things. Sensors, 24:7 (2083). DOI: 10.3390/s24072083. Online publication date: 25-Mar-2024.
          • (2024) Experimental Validation of a Command and Control Traffic Detection Model. IEEE Transactions on Dependable and Secure Computing, 21:3 (1084-1097). DOI: 10.1109/TDSC.2023.3266139. Online publication date: May-2024.
          • (2024) Enhancing Detection of Malicious Traffic Through FPGA-Based Frequency Transformation and Machine Learning. IEEE Access, 12 (2648-2659). DOI: 10.1109/ACCESS.2023.3348234. Online publication date: 2024.
          • (2024) A study of the relationship of malware detection mechanisms using Artificial Intelligence. ICT Express, 10:3 (632-649). DOI: 10.1016/j.icte.2024.03.005. Online publication date: Jun-2024.
          • (2024) RAMA: a risk assessment solution for healthcare organizations. International Journal of Information Security, 23:3 (1821-1838). DOI: 10.1007/s10207-024-00820-4. Online publication date: 1-Mar-2024.
          • (2023) Malware Attack Detection in Large Scale Networks using the Ensemble Deep Restricted Boltzmann Machine. Engineering, Technology & Applied Science Research, 13:5 (11773-11778). DOI: 10.48084/etasr.6204. Online publication date: 13-Oct-2023.
          • (2023) A Survey of Data Mining and Machine Learning-Based Intrusion Detection System for Cyber Security. Risk Detection and Cyber Security for the Success of Contemporary Computing (52-74). DOI: 10.4018/978-1-6684-9317-5.ch004. Online publication date: 9-Nov-2023.
          • (2023) Detection of IoT Botnet Based on Convolutional Neural Network and Linear Support Vector Machine. Proceedings of the 2023 13th International Conference on Communication and Network Security (222-226). DOI: 10.1145/3638782.3638816. Online publication date: 6-Dec-2023.
          • (2023) C2Store: C2 Server Profiles at Your Fingertips. Proceedings of the ACM on Networking, 1:CoNEXT3 (1-21). DOI: 10.1145/3629132. Online publication date: 28-Nov-2023.
          • (2023) Global Analysis with Aggregation-based Beaconing Detection across Large Campus Networks. Proceedings of the 39th Annual Computer Security Applications Conference (565-579). DOI: 10.1145/3627106.3627126. Online publication date: 4-Dec-2023.
