BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

From Botnets.fr

Link: https://www.damballa.com/downloads/a_pubs/Usenix08.pdf (Archive copy)
Type: Conference paper

Abstract

Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
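The following Python sketch is an added illustration of the two-plane idea in the abstract (cluster similar communication traffic, cluster similar malicious activity, then cross-correlate); it is not code from the paper or from this wiki. The host addresses, flow features and activity labels are constructed, and the binning-based grouping is an assumed stand-in for the paper's real clustering.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data, not taken from the paper or any real capture.
# C-plane: per-host communication profile = (destination, bytes per flow, flows per hour).
C_PLANE = {
    "10.0.0.5":  ("203.0.113.9", 120, 58),
    "10.0.0.7":  ("203.0.113.9", 124, 55),
    "10.0.0.9":  ("203.0.113.9", 118, 52),
    "10.0.0.20": ("198.51.100.4", 4100, 3),
    "10.0.0.21": ("198.51.100.4", 4120, 4),
}
# A-plane: malicious activity types observed per host (e.g. reported by an IDS).
A_PLANE = {
    "10.0.0.5":  {"scan"},
    "10.0.0.7":  {"scan"},
    "10.0.0.9":  {"spam"},
    "10.0.0.20": {"scan"},
    "10.0.0.21": set(),
}

def c_clusters(profiles, byte_bin=50, rate_bin=10):
    """Group hosts talking to the same destination with similar flow size and rate (coarse binning)."""
    groups = defaultdict(set)
    for host, (dst, bytes_per_flow, flows_per_hour) in profiles.items():
        groups[(dst, bytes_per_flow // byte_bin, flows_per_hour // rate_bin)].add(host)
    return [g for g in groups.values() if len(g) > 1]   # a lone host is not "similar" to anyone

def a_clusters(activities):
    """Group hosts that performed the same kind of malicious activity."""
    groups = defaultdict(set)
    for host, acts in activities.items():
        for act in acts:
            groups[act].add(host)
    return [g for g in groups.values() if len(g) > 1]

def cross_correlate(c_groups, a_groups):
    """Flag a host only if another host shares BOTH a communication cluster and an
    activity cluster with it: similar C&C talk plus similar malicious behaviour."""
    hosts = set().union(*c_groups, *a_groups)
    bots = set()
    for h1, h2 in combinations(sorted(hosts), 2):
        share_c = any(h1 in g and h2 in g for g in c_groups)
        share_a = any(h1 in g and h2 in g for g in a_groups)
        if share_c and share_a:
            bots.update((h1, h2))
    return bots

def analyze(profiles=C_PLANE, activities=A_PLANE):
    return cross_correlate(c_clusters(profiles), a_clusters(activities))
```

On the constructed data only 10.0.0.5 and 10.0.0.7 are flagged: 10.0.0.20 scans but has no communication peer, and 10.0.0.9 shares the C&C-like profile but not the activity, which is how the correlation step keeps false positives down.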

Bibtex

 @misc{emptyBFR1348,
   editor = {},
   author = {},
   title = {BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection},
   date = {06},
   month = Apr,
   year = {},
   howpublished = {\url{https://www.damballa.com/downloads/a_pubs/Usenix08.pdf}},
 }