Automatically Generating Models for Botnet Detection

Wurzinger, P.; Bilge, Leyla; Holz, Thorsten; Goebel, Jan; Kruegel, Christopher; Kirda, Engin

doi:10.1007/978-3-642-04444-1_15

Cited by 98 publications

(66 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Wurzinger et al's [43] approach, which identifies botnets that are under the influence of botmaster (malicious body) using network signatures by examining the response from a compromised host to a received command and by generating detection models. ProVex [44] is also a semantic-based approach which generates signatures to identify botnets that use encrypted command and control (C&C) systems after being given the keys and decryption routine employed by the malware using binary code reuse strategy, and is based on the research proposed by Caballero et al's approach [45].…”

Section: Related Workmentioning

confidence: 99%

Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection

Naidu¹,

Whalley²,

Narayanan³

2017

JIS

View full text Add to dashboard Cite

Antiviral software systems (AVSs) have problems in identifying polymorphic variants of viruses without explicit signatures for such variants. Alignment-based techniques from bioinformatics may provide a novel way to generate signatures from consensuses found in polymorphic variant code. We demonstrate how multiple sequence alignment supplemented with gap penalties leads to viral code signatures that generalize successfully to previously known polymorphic variants of JS. Cassandra virus and previously unknown polymorphic variants of W32.CTX/W32.Cholera and W32.Kitti viruses. The implications are that future smart AVSs may be able to generate effective signatures automatically from actual viral code by varying gap penalties to cover for both known and unknown polymorphic variants.

show abstract

Section: Related Workmentioning

confidence: 99%

Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection

Naidu¹,

Whalley²,

Narayanan³

2017

JIS

View full text Add to dashboard Cite

show abstract

“…This work focuses on the network behavior of malware, when they have to communicate with a computer outside the network like C&C communications, and the reason of these exchanges. Previous work that focused on other topics of malware network behavior have already been done about honeypots [3] or the correlation between malicious activity and previous instructions from a C&C server [16] [35]. A kind of communication is represented by the packets needed for a Denial of Service (DoS) attack; it is important to underline that these packets are different from the ones exchanged between a spyware and its master about the sensitive data on the infected machine.…”

Section: Related Workmentioning

confidence: 99%

What's Your Major Threat? On the Differences between the Network Behavior of Targeted and Commodity Malware

Mariconti

Onaolapo

Ross

et al. 2016

2016 11th International Conference on Availability, Reliability and Security (ARES)

View full text Add to dashboard Cite

Abstract-This work uses statistical classification techniques to learn about the different network behavior patterns demonstrated by targeted malware and generic malware. Targeted malware is a recent type of threat, involving bespoke software that has been created to target a specific victim. It is considered a more dangerous threat than generic malware, because a targeted attack can cause more serious damage to the victim. Our work aims to automatically distinguish between the network activity generated by the two types of malware, which then allows samples of malware to be classified as being either targeted or generic. For a network administrator, such knowledge can be important because it assists to understand which threats require particular attention. Because a network administrator usually manages more than an alarm simultaneously, the aim of the work is particularly relevant. We set up a sandbox and infected virtual machines with malware, recording all resulting malware activity on the network. Using the network packets produced by the malware samples, we extract features to classify their behavior. Before performing classification, we carefully analyze the features and the dataset to study all their details and gain a deeper understanding of the malware under study. Our use of statistical classifiers is shown to give excellent results in some cases, where we achieved an accuracy of almost 96% in distinguishing between the two types of malware. We can conclude that the network behaviors of the two types of malicious code are very different.

show abstract

“…They showed that the monitor was able to detect bots behind firewalls or NAT devices, achieving a broader coverage than others that actively crawl the network. Wurzinger et al [22] constructed network intrusion detection signatures to identify botmaster commands by examining bot binaries running in controlled environments. Their main observation is that changes in the network behaviors of a Plotter are indications of it having received commands from the botmaster.…”

Section: Related Workmentioning

confidence: 99%

Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart

Yen

Reiter

2010

2010 IEEE 30th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

Abstract-Peer-to-peer (P2P) substrates are now widely used for both file-sharing and botnet command-andcontrol. Despite the commonality of their substrates, we show that the different goals and circumstances of these applications give rise to behaviors that can be distinguished in network flow records. Using features related to traffic volume, persistence of network connections, amount of "churn" among peers, and differences between humandriven and machine-driven traffic, we develop a technique for identifying P2P bots (the Plotters) and, in particular, separating them from file-sharing hosts (the Traders). Evaluations performed on traffic recorded at the edge of a university network show that we can achieve, e.g., 87.50% detection of Storm bots with a 0.81% false positive rate. We also demonstrate the significant extent to which Plotter behaviors would need to change to evade our techniques.

show abstract

Automatically Generating Models for Botnet Detection

Cited by 98 publications

References 13 publications

Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection

Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection

What's Your Major Threat? On the Differences between the Network Behavior of Targeted and Commodity Malware

Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart

Contact Info

Product

Resources

About