Detection and classification of different botnet C&C channels
(Publication) Google search: [1]
| Detection and classification of different botnet C&C channels | |
|---|---|
| |
| Botnet | Ircbot, Agobot, Rustock, Storm, Bobax, Waledac, UDP Storm |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | IRC, HTTP, P2P |
| Date | 2009 / |
| Editor/Conference | Lehigh University. Bethlehem |
| Link | http://www.cse.lehigh.edu/~gtan/paper/ATC2011.pdf (Archive copy) |
| Author | Gregory Fedynyshyn, Mooi Choo Chuah, Gang Tan |
| Type | |
Abstract
“ Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a post-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRCbased, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic is inherently different from legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2009BFR841,
editor = {Lehigh University. Bethlehem},
author = {Gregory Fedynyshyn, Mooi Choo Chuah, Gang Tan},
title = {Detection and classification of different botnet C&C channels},
date = {25},
month = Apr,
year = {2009},
howpublished = {\url{http://www.cse.lehigh.edu/~gtan/paper/ATC2011.pdf}},
}