Identifying and modeling botnet C&amp;C behaviors

García, Sebastián Rubio; Uhlíř, Vojtěch; Řehák, Martin

doi:10.1145/2602945.2602949

Cited by 17 publications

(11 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their work is concerned in the time-based behavioral characteristics. In article [8] the identification of the User Datagram Protocol (UDP), Transmission Control Protocol (TCP) and HTTP C&C channels and its analysis is presented. The second article [9], from which we were inspired, provides a comprehensive view of the comparison of the ways and possibilities to botnet detection.…”

Section: Related Workmentioning

confidence: 99%

Botnet C&C Traffic and Flow Lifespans Using Survival Analysis

Oujezský

Horváth

Skorpil

2017

IJATES

View full text Add to dashboard Cite

Abstract-This paper addresses the issue of detecting unwanted traffic in data networks, namely the detection of botnet networks. In this paper, we focused on a time behavioral analysis, more specifically said -lifespans of a simulated botnet network traffic, collected and discovered from NetFlow messages, and also of real botnet communication of a malware.As a method we chose survival analysis and for rigorous testing of differences Mantel-Cox test. Lifespans of those referred traffics are discovered and calculated by lifelines using Python language.Based on our research we have figured out a possibility to distinguish the individual lifespans of C&C communications that are identical to each other by using survival projection curves, although it occurred in a different time course.

show abstract

Section: Related Workmentioning

confidence: 99%

Botnet C&C Traffic and Flow Lifespans Using Survival Analysis

Oujezský

Horváth

Skorpil

2017

IJATES

View full text Add to dashboard Cite

show abstract

“…When the server receives the request, it replies with a HTTP Response packet like in figure 2 that includes Message Body. Analyzing several HTTP packets from different software, for instance web browsers and chatting software tools that are usually installed in computers by endusers, reveal some worthwhile information for detecting botnets network traffic packets and flows [25].…”

Section: A Http Protocolmentioning

confidence: 99%

“…The reason behind this structure is that even in the highly controlled networks HTTP protocol is allowed to be used. Another famous botnet that uses HTTP protocol as the main carrier protocol is Zeus [25]. The Zeus bot has been developed to steal banking credentials and other personal data.As illustrated in figure 8, the bot initiates its HTTP transaction by using POST method to communicate with C&C server.…”

Section: B Http Characteristics In Botnetsmentioning

confidence: 99%

Botnet evolution: Network traffic indicators

Rostami¹,

Eslahi

Shanmugam³

et al. 2014

2014 International Symposium on Biometrics and Security Technologies (ISBAST)

View full text Add to dashboard Cite

In recent years, the HTTP has become dominant protocol among other protocols for the Internet services as it provides a set of rules to manage the data exchange between servers and browsers. On the other hand, this standard protocol has been widely used in the latest generation of botnets to establish their command and control channel and hide their malicious activities among normal Web traffic. Therefore, analyzing HTTP traffic has become a common method in current HTTP-based botnet detection studies. Since the HTTP botnets are a new phenomenon,they have not been fully explored yet. Therefore, in this paper we present an overview of the features and parameters that have been used in existing studies to detect HTTP botnets along with their shortcomings. We also propose a number of HTTP protocol characteristics that can be used for further botnet analysis and detection.

show abstract

“…Furthermore, dynamic ports and runtime protocol changes enable botnets to bypass signature-based firewalls and intrusion detection systems (IDS). For robust detection systems, several flow-based botnet detection approaches [7], [8], [9], [10] were recently proposed, working without packet payload information. Differently than flow-based detection, other recently proposed botnet detection approaches consist in characterizing and analyzing relationships between hosts in the network, with techniques commonly referred to as graph-based anomaly detection [11], [12], [13].…”

Section: Introductionmentioning

confidence: 99%

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Blaise

Bouet

Conan

et al. 2020

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Efficient bot detection is a crucial security matter and widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graphbased features, incurring however in scalability issues, with high time and space complexity. Bots exhibit specific communication patterns: they use particular protocols, contact specific domains, hence can be identified by analyzing their communication with the outside. A way we follow to simplify the communication graph and avoid scalability issues is looking at frequency distributions of protocol attributes capturing the specificity of botnets behaviour. We propose a bot detection technique named BotFP, for BotFin-gerPrinting, which acts by (i) characterizing hosts behaviour with attribute frequency distribution signatures, (ii) learning benign hosts and bots behaviours through either clustering or supervised Machine Learning (ML), and (iii) classifying new hosts either as bots or benign ones, using distances to labelled clusters or relying on a ML algorithm. We validate BotFP on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Compared to state-of-the-art techniques, we show that BotFP is more lightweight, can handle large amounts of data, and shows better accuracy.

show abstract

Identifying and modeling botnet C&C behaviors

Cited by 17 publications

References 11 publications

Botnet C&C Traffic and Flow Lifespans Using Survival Analysis

Botnet C&C Traffic and Flow Lifespans Using Survival Analysis

Botnet evolution: Network traffic indicators

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Contact Info

Product

Resources

About