Date Submitted: 03/02/2016 01:45 PM
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
Guofei Gu†, Roberto Perdisci‡, Junjie Zhang†, and Wenke Lee†
† College of Computing, Georgia Institute of Technology
‡ Damballa, Inc., Atlanta, GA 30308, USA
{guofei,jjzhang,wenke}@cc.gatech.edu, perdisci@damballa.com
Abstract
Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
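The abstract describes the framework at the level of its three steps: cluster hosts by similar communication traffic, cluster hosts by similar malicious activity, then correlate across the two sets of clusters and report hosts that fall together in both. The following is an added illustration of that cross-plane correlation, written for this page; it is not BotMiner's code and does not reproduce the paper's flow features, clustering algorithm or scoring. Everything in it is an assumption chosen for the illustration: the per-flow statistics (flows per hour, packets per flow, bytes per packet), the epsilon-threshold single-linkage grouping, activity clusters keyed on activity type, and the constructed sample hosts and flows.

```python
"""Cross-cluster correlation over a communication plane and an activity plane.

Added example (not BotMiner's own implementation). Assumed, simplified design:
  * communication records are (src_host, dst, dst_port) with three statistics;
  * records are grouped by a relative-distance threshold (single linkage);
  * activity clusters are simply the hosts that performed the same activity type;
  * two hosts are linked when they share at least one communication cluster
    AND at least one activity cluster; connected groups of size >= 2 are reported.
"""
from collections import defaultdict
from itertools import combinations

EPS = 0.25  # assumed similarity threshold for the illustration, not a value from the paper

# Constructed sample data. Each flow record: (src_host, dst, dst_port,
# flows_per_hour, packets_per_flow, bytes_per_packet). Hosts h1..h3 poll the
# same server with near-identical statistics; h4 only browses a news site;
# h1 also browses the news site, but with very different statistics from h4.
FLOWS = [
    ("h1", "c2.example", 6667, 12, 4, 110),
    ("h2", "c2.example", 6667, 11, 4, 112),
    ("h3", "c2.example", 6667, 12, 5, 108),
    ("h4", "news.example", 443, 30, 20, 900),
    ("h1", "news.example", 443, 2, 18, 950),
]

# Constructed activity-plane events: (host, activity_type). h5 scans but has
# no communication records at all; h4 sends spam but shares no C-cluster.
ACTIVITIES = [
    ("h1", "scan"), ("h2", "scan"), ("h3", "scan"), ("h3", "spam"),
    ("h4", "spam"), ("h5", "scan"),
]


def _relative_distance(a, b):
    """Largest per-feature relative difference between two feature vectors."""
    return max(abs(x - y) / max(x, y, 1) for x, y in zip(a, b))


class _UnionFind:
    """Minimal disjoint-set structure used for single-linkage grouping."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def groups(self):
        out = defaultdict(set)
        for i in self.parent:
            out[self.find(i)].add(i)
        return list(out.values())


def c_plane_clusters(flows, eps=EPS):
    """Group communication records whose statistics lie within eps of each other.

    Returns one host set per cluster of records."""
    records = {(src, dst, port): (fph, ppf, bpp)
               for src, dst, port, fph, ppf, bpp in flows}
    uf = _UnionFind(records)
    for a, b in combinations(records, 2):
        if _relative_distance(records[a], records[b]) <= eps:
            uf.union(a, b)
    return [frozenset(rec[0] for rec in grp) for grp in uf.groups()]


def a_plane_clusters(activities):
    """Group hosts by the type of malicious activity they performed."""
    by_type = defaultdict(set)
    for host, kind in activities:
        by_type[kind].add(host)
    return [frozenset(hosts) for hosts in by_type.values()]


def cross_cluster_correlation(c_clusters, a_clusters):
    """Link hosts that share both a C-cluster and an A-cluster.

    Returns the connected groups with at least two members, sorted."""
    hosts = set().union(*c_clusters, *a_clusters)
    uf = _UnionFind(hosts)
    for h1, h2 in combinations(sorted(hosts), 2):
        shares_c = any(h1 in c and h2 in c for c in c_clusters)
        shares_a = any(h1 in a and h2 in a for a in a_clusters)
        if shares_c and shares_a:
            uf.union(h1, h2)
    return sorted(sorted(g) for g in uf.groups() if len(g) >= 2)


def detect_bots(flows=FLOWS, activities=ACTIVITIES):
    """Run both planes and the correlation step over the sample input."""
    return cross_cluster_correlation(c_plane_clusters(flows),
                                     a_plane_clusters(activities))


if __name__ == "__main__":
    print(detect_bots())  # [['h1', 'h2', 'h3']]
```

On the constructed input, h1, h2 and h3 are reported together: they share a communication cluster (the same polling pattern) and an activity cluster (scanning). The two single-plane cases are left out, which is the point of the correlation step: h5 scans but shares no communication pattern with anyone, and h4 sends spam but its only communication record does not cluster with any other host.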
1 Introduction
Botnets are becoming one of the most serious threats to...