Botnet Analytics Blog

Blogging the Science of Botnet Analysis

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic

This is another paper we came across while reading related work, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”, which can be found here:

http://www.cs.purdue.edu/homes/bertino/426Fall2009/17_botsniffer_detecting_botnet.pdf

Abstract from the paper:

Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.
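To make the "spatial-temporal correlation" idea in the abstract concrete, here is a small added illustration (not BotSniffer's code, and not the paper's statistical algorithms or their error bounds). It groups clients by the server they talk to, then measures how often the members of a group become active in the same time window. Bots sharing a C&C server tend to respond to commands together, so a group with many synchronized windows is a candidate C&C channel, while clients of an ordinary web server act independently. The flow records, server addresses, window size and threshold are all constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_seconds, client, server, bytes_sent).
# Three hosts talk to a hypothetical IRC-style server in tight bursts
# (the group "responds" together); three others fetch from a web server
# at unrelated times.
SAMPLE_FLOWS = [
    # synchronized group, three bursts roughly ten minutes apart
    (0,    "h1", "10.0.0.5:6667", 120), (2,    "h2", "10.0.0.5:6667", 118), (4,    "h3", "10.0.0.5:6667", 121),
    (601,  "h1", "10.0.0.5:6667", 64),  (603,  "h2", "10.0.0.5:6667", 66),  (604,  "h3", "10.0.0.5:6667", 63),
    (1202, "h1", "10.0.0.5:6667", 300), (1203, "h2", "10.0.0.5:6667", 298), (1205, "h3", "10.0.0.5:6667", 305),
    # independent clients of a web server (constructed address)
    (30,   "h4", "198.51.100.7:80", 900),
    (400,  "h5", "198.51.100.7:80", 2200),
    (1100, "h6", "198.51.100.7:80", 1500),
    (1500, "h4", "198.51.100.7:80", 700),
]


def group_by_server(flows):
    """Spatial step: cluster clients by the server they communicate with."""
    groups = defaultdict(list)
    for ts, client, server, nbytes in flows:
        groups[server].append((ts, client, nbytes))
    return groups


def window_activity(records, window):
    """Temporal step: map each time window index -> set of clients active in it."""
    active = defaultdict(set)
    for ts, client, _ in records:
        active[int(ts // window)].add(client)
    return active


def synchrony_score(records, window=60):
    """Fraction of active windows in which at least half of the group
    (and at least two members) were active together. 0.0 = no coordination."""
    clients = {client for _, client, _ in records}
    if len(clients) < 2:
        return 0.0
    active = window_activity(records, window)
    quorum = max(2, (len(clients) + 1) // 2)
    synced = sum(1 for members in active.values() if len(members) >= quorum)
    return synced / len(active)


def suspected_cc_servers(flows, window=60, threshold=0.7, min_clients=2):
    """Return servers whose client group shows synchronized activity
    above the (constructed) threshold. Candidates for analyst review,
    not proof of infection."""
    flagged = []
    for server, records in group_by_server(flows).items():
        clients = {client for _, client, _ in records}
        if len(clients) < min_clients:
            continue
        if synchrony_score(records, window) >= threshold:
            flagged.append(server)
    return sorted(flagged)


if __name__ == "__main__":
    for server, records in group_by_server(SAMPLE_FLOWS).items():
        print(f"{server}: synchrony={synchrony_score(records):.2f}")
    print("suspected C&C:", suspected_cc_servers(SAMPLE_FLOWS))
```

On the constructed input the IRC-style group is active together in every one of its three windows (score 1.0) and is flagged, whereas the web clients never overlap (score 0.0). A real deployment would need the paper's statistical treatment to keep false positives low on busy servers where coincidental overlap is common.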

The following are the authors for this paper:

Guofei Gu, Junjie Zhang, and Wenke Lee
School of Computer Science, College of Computing
Georgia Institute of Technology
Atlanta, GA 30332
{guofei, jjzhang, wenke}@cc.gatech.edu

Thank you for choosing botnet analytics!

One Response to “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”

  1. A paper hosted at Purdue but written by people at Georgia Tech should raise some questions. In this case, a Google Scholar search would reveal this was presented at NDSS on 2008-02-12.
