DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis
(Publication) Google search: [1]
DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis | |
---|---|
Botnet | |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2012 / 2012-12 |
Editor/Conference | ACSAC |
Link | http://www.iseclab.org/papers/disclosure.pdf (Archive copy) |
Author | Leyla Bilge, Davide Balzarotti, William Robertson, Engin Kirda, Christopher Kruegel |
Type |
Abstract
“ Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory.
On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection. In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1192, editor = {ACSAC}, author = {Leyla Bilge, Davide Balzarotti, William Robertson, Engin Kirda, Christopher Kruegel}, title = {DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis}, date = {01}, month = Dec, year = {2012}, howpublished = {\url{http://www.iseclab.org/papers/disclosure.pdf}}, }