Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows

Burghouwt, Pieter; Spruit, Marcel; Sips, Henk

doi:10.1007/978-3-319-03584-0_10

Cited by 12 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a consequence, traffic that is unique to a workstation becomes more pronounced in the visualization. Zhang et al (2012) and Burghouwt et al (2013) both organize HTTP requests in a graph and correlate the graph with user actions in order to detect requests issued by malware. While their approaches rely on recording user actions such as mouse clicks and keystrokes, Hviz operates on network traffic only.…”

Section: Related Workmentioning

confidence: 99%

Hviz: HTTP(S) traffic aggregation and visualization for network forensics

Gugelmann

Gasser

Ager

et al. 2015

Digital Investigation

View full text Add to dashboard Cite

a b s t r a c t HTTP and HTTPS traffic recorded at the perimeter of an organization is an exhaustive data source for the forensic investigation of security incidents. However, due to the nested nature of today's Web page structures, it is a huge manual effort to tell apart benign traffic caused by regular user browsing from malicious traffic that relates to malware or insider threats. We present Hviz, an interactive visualization approach to represent the event timeline of HTTP and HTTPS activities of a workstation in a comprehensible manner. Hviz facilitates incident investigation by structuring, aggregating, and correlating HTTP events between workstations in order to reduce the number of events that are exposed to an investigator while preserving the big picture. We have implemented a prototype system and have used it to evaluate its utility using synthetic and real-world HTTP traces from a campus network. Our results show that Hviz is able to significantly reduce the number of user browsing events that need to be exposed to an investigator by distilling the structural properties of HTTP traffic, thus simplifying the examination of malicious activities that arise from malware traffic or insider threats.

show abstract

Section: Related Workmentioning

confidence: 99%

Hviz: HTTP(S) traffic aggregation and visualization for network forensics

Gugelmann

Gasser

Ager

et al. 2015

Digital Investigation

View full text Add to dashboard Cite

show abstract

“…Let d l i .< d l t i , d l n i > be the drop‐off position of a c i ( a c i ⊆ A C ( L P )), where d l t i and d l n i are the latitude and the longitude of d l i , respectively. To obtain the gathered traces of a c i , the concept of neighborhood domain is employed. Definition The neighborhood domain within radius r of a c i is defined by N D r ( a c i )={ a c j | D i s ( d l i , d l j )≤ r , a c j ⊆ A C ( L P )}, where D i s ( d l i , d l j ) is calculated by

italic Dis (d l_{i}, d l_{j}) = \sqrt{{(dl t_{i} - dl t_{j})}^{2} + {(dl n_{i} - dl n_{j})}^{2}} .

…”

Section: Traffic Hotline Discovery From Big Taxi Gps Datamentioning

confidence: 99%

“…Let d l i : < dlt i ; d ln i > be the drop-off position of ac i (ac i Â AC.L P /), where d lt i and d ln i are the latitude and the longitude of d l i , respectively. To obtain the gathered traces of ac i , the concept of neighborhood domain [16] is employed.…”

Section: Algorithm 2 Alighting Collection Acquisitionmentioning

confidence: 99%

A traffic hotline discovery method over cloud of things using big taxi GPS data

Dou

Zhang

et al. 2016

Softw Pract Exp

View full text Add to dashboard Cite

Summary Traffic hotline discovery is necessary for rational and scientific urban transportation planning in the new living quarters and economic zones. Cloud of Things (CoT) is a newly emerging concept, involving with two advanced technologies, that is, Cloud Computing and Internet of Things (IoT). CoT provides promising opportunities for traffic hotline discovery. However, it is still a challenge to discover the traffic hotlines over CoT. In view of this challenge, a hotline discovery method over CoT by using big taxi GPS data is proposed in this paper. Specifically, a traffic hotline discovery principle is presented to provide a reference standard for the generalized traffic spots that need planning, and a corresponding hotline discovery method is proposed for traffic hotspot identification and hotline selection. To improve the scalability and efficiency of the proposed method in “Big Data” environment, the SAP HANA cloud is applied to implement the proposed method under two application scenarios. Finally, the experimental results demonstrate that the proposed method is both effective and efficient. Software—Practice and Experience. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

“…Burghouwt et al use causal relationships between flows to detect botnet C&C traffic [4]. Instead of the destination, detection is based on the direct cause of a flow.…”

Section: Related Workmentioning

confidence: 99%

Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations

Burghouwt

Spruit

Sips

2015

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Self Cite

View full text Add to dashboard Cite

We present a novel anomaly-based detection approach capable of detecting botnet Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not origin from: human input, prior traffic from a trusted destination, or a defined set of legitimate applications. This allows for real-time detection of diverse types of Command and Control traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.

show abstract

Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows

Cited by 12 publications

References 8 publications

Hviz: HTTP(S) traffic aggregation and visualization for network forensics

Hviz: HTTP(S) traffic aggregation and visualization for network forensics

A traffic hotline discovery method over cloud of things using big taxi GPS data

Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations

Contact Info

Product

Resources

About