DOI: 10.1145/1966913.1966930

Boosting the scalability of botnet detection using adaptive traffic sampling

Published: 22 March 2011

Abstract

Botnets pose a serious threat to the health of the Internet. Most current network-based botnet detection systems require deep packet inspection (DPI) to detect bots. Because DPI is a computationally costly process, such detection systems cannot handle the large volumes of traffic typical of large enterprise and ISP networks. In this paper, we propose a system that aims to efficiently and effectively identify a small number of suspicious hosts that are likely bots. Their traffic can then be forwarded to DPI-based botnet detection systems for fine-grained inspection and accurate botnet detection. By using a novel adaptive packet sampling algorithm and a scalable spatial-temporal flow correlation approach, our system substantially reduces the volume of network traffic that goes through DPI, thereby boosting the scalability of existing botnet detection systems. We implemented a proof-of-concept version of our system and evaluated it using real-world legitimate and botnet-related network traces. Our experimental results are very promising and suggest that our approach can enable the deployment of botnet detection systems in large, high-speed networks.



    Published In

    ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
    March 2011, 527 pages
    ISBN: 9781450305648
    DOI: 10.1145/1966913
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. adaptive sampling
    2. botnet
    3. intrusion detection
    4. network security

    Qualifiers

    • Research-article

    Conference: ASIA CCS '11

    Acceptance Rates

    ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)12
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 30 Aug 2024

    Other Metrics

    Citations

    Cited By

    • (2019) Detecting and confronting flash attacks from IoT botnets. The Journal of Supercomputing. DOI: 10.1007/s11227-019-03005-2. Online publication date: 14-Oct-2019.
    • (2018) Source-Side Detection of DRDoS Attack Request with Traffic-Aware Adaptive Threshold. IEICE Transactions on Information and Systems, E101.D:6 (1686-1690). DOI: 10.1587/transinf.2018EDL8020. Online publication date: 1-Jun-2018.
    • (2018) Botnet-Based Attacks and Defence Mechanisms. Versatile Cybersecurity (169-199). DOI: 10.1007/978-3-319-97643-3_6. Online publication date: 18-Oct-2018.
    • (2018) DeBot: A novel network-based mechanism to detect exfiltration by architectural stealthy botnets. SECURITY AND PRIVACY, 1:6. DOI: 10.1002/spy2.51. Online publication date: 5-Dec-2018.
    • (2017) PeerHunter: Detecting peer-to-peer botnets through community behavior analysis. 2017 IEEE Conference on Dependable and Secure Computing (493-500). DOI: 10.1109/DESEC.2017.8073832. Online publication date: Aug-2017.
    • (2017) A Modular Traffic Sampling Architecture. Journal of Network and Systems Management, 25:3 (643-668). DOI: 10.1007/s10922-017-9404-5. Online publication date: 1-Jul-2017.
    • (2017) Adaptive traffic sampling for P2P botnet detection. International Journal of Network Management, 27:5. DOI: 10.1002/nem.1992. Online publication date: 4-Aug-2017.
    • (2016) Inside packet sampling techniques: exploring modularity to enhance network measurements. International Journal of Communication Systems, 30:6. DOI: 10.1002/dac.3135. Online publication date: 29-Mar-2016.
    • (2015) PeerClean: Unveiling peer-to-peer botnets through dynamic group behavior analysis. 2015 IEEE Conference on Computer Communications (INFOCOM) (316-324). DOI: 10.1109/INFOCOM.2015.7218396. Online publication date: Apr-2015.
    • (2014) Internet Botnets: A Survey of Detection Techniques. Case Studies in Secure Computing (405-424). DOI: 10.1201/b17352-21. Online publication date: 12-Aug-2014.
