Loading...

An anomaly-based botnet detection approach for identifying stealthy botnets

Arshad, S ; Sharif University of Technology

610 Viewed
  1. Type of Document: Article
  2. DOI: 10.1109/ICCAIE.2011.6162198
  3. Abstract:
  4. Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive
  5. Keywords:
  6. Anomaly-based Detection ; Botnet ; Clustering ; Netflow ; Botnets ; Click fraud ; Clustering ; Detection accuracy ; Detection approach ; Different time windows ; Distributed denial of service attack ; False positive ; Identity theft ; Inherent characteristics ; Malicious activities ; NetFlows ; Phishing ; Priori knowledge ; Prototype system ; Server address ; Computer crime ; Crime ; Network security ; Industrial electronics
  7. Source: ICCAIE 2011 - 2011 IEEE Conference on Computer Applications and Industrial Electronics ; 2011 , Pages 564-569 ; 9781457720581 (ISBN)
  8. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6162198