DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis
Botnet
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / 2012-12
Editor/Conference ACSAC
Link http://www.iseclab.org/papers/disclosure.pdf (Archive copy)
Author Leyla Bilge, Davide Balzarotti, William Robertson, Engin Kirda, Christopher Kruegel
Type

Abstract

Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory.

On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection. In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.

Bibtex

 @misc{Bilge2012BFR1192,
   editor = {ACSAC},
   author = {Leyla Bilge, Davide Balzarotti, William Robertson, Engin Kirda, Christopher Kruegel},
   title = {DISCLOSURE: detecting botnet command and control servers through large-scale NetFlow analysis},
   date = {01},
   month = Dec,
   year = {2012},
   howpublished = {\url{http://www.iseclab.org/papers/disclosure.pdf}},
 }