Tao Wang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/ISPA.2009.74

2009-01-01

Abstract:Botnets with the centralized architecture provide a simple, low-latency, anonymous and efficient real-time communication platform for the botnet controllers. To our knowledge, most of the latest detected large-scale botnets are based on the centralized structure with HTTP or customized protocols. Therefore, centralized botnets detection helps greatly improve control of unwanted traffic. The main contribution of this study is the development of a common detection mechanism aiming at the centralized botnets. In this work we investigate the intrinsic characteristics based on the distributed yet bursting property of the centralized botnets. Our study shows that there exist great similarity and synchronization among the behaviors and the command and control (C&C) traffic of the bots, because the bots are controlled to operate according to the programmed schedule. Firstly we can determine if the groups of flows are suspectable by performing evaluation on the payload similarity and sequence correlation. Further, we will monitor and keep tracking with the collective and simultaneous behaviors of the suspicious groups of hosts. As is shown by conducting experiments, the proposed method can detect and hold back the centralized botnets effectively before they seriously influence the normal operation on the wide-scale network.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Lu Weizhou,Yu Shunzheng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2007.12.016

2007-01-01

Abstract:A botnet is a network of compromised machines that can be remotely controlled to perform illegitimate network activities. In this paper, we introduce the structure of botnets, and focus on the command and control channel, which is important for detecting botnets. We then make a review and discussion on current schemes on detecting botnets.

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

Li Sheng,Liu Zhiming,He Jin,Deng Gaoming,Huang Wen

DOI: https://doi.org/10.1109/IMCCC.2012.36

2012-01-01

Abstract:Bonnet is extremely harmful to computer network security which could cause many network attacks(like spam, DDoS, phishing etc). In this paper, we design a distributed Bonnet detecting approach based on network traffic analysis. A botnet detection framework is proposed, which composed of two sections: Data Collection and Filter, Bonnet Detection and Identify. The first section is deployed in distributed hosts in order to capture network traffic data, filter data and classify data. The second section is deployed in centralized place which collectes all data from distributed hosts and detected the botnet using data amalgamation algorithms and characteristic identified algorithms. The detecting approach works efficiently and can detect botnet in the experiment environment.

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

HE Yu-kun,LI Qiang,JI Yue-de,GUO Dong

DOI: https://doi.org/10.7694/jdxblxb20130428

2013-01-01

Abstract:We presented the structures and characteristics of Botnet communication graphs in several common protocols.We compared and analyzed their functions and mechanisms and then summarized some recent researches of Botnet detection methods based on traffic graph.We further made a comparative analysis of their application environments,experimental data and results,the advantages and disadvantages of the methods.In the end,we proposed some possible improvements for Botnet detection.

Ruidong Chen,Weina Niu,Xiaosong Zhang,Zhongliu Zhuo,Fengmao Lv

DOI: https://doi.org/10.1155/2017/4934082

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_ RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

XIE Kaibin,CAI Wandong,CAI Junzhao

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.03.030

2008-01-01

Abstract:Botnet is one of the most serious security threats against information system. Detecting potential botnet flow in Internet is of great significance to the improvement of information system. The paper mainly explores the botnet based on IRCP, then analyzes the signatures between zombies and IRC servers and finally proposes a decision tree-based method for detecting botnet flow. The experiment proves that this method is feasible.

Wei Lu,Mark Miller,Ling Xue

DOI: https://doi.org/10.1007/978-3-319-69155-8_4

2017-01-01

Abstract:The rapid rise of cloud computing technology marks the next wave of enterprise information technology, catering up a market demand of a digitized economy to deliver traditional utilities such as electricity, gas, water. It, however, also paves a secure and cheap way of forming a so-called botnet in the cloud. A botnet consists of a network compromised machines controlled by an attacker (a.k.a. botmaster). Traditionally botnets have been integrated with computers, and have been the primary cause of many malicious Internet attacks. However, with emerging technologies such as cloud computing have presented new challenges in simulating what a modern botnet could look like, and how effective they can be executed with the easily accessible resources provided by such technologies. In this paper we implement a novel cloud based botnet and then propose a new method for detecting it. It is our belief that each cloud based botnet has a unique level of entropy in their networking exchanges, and thus determining the randomness of the communications between the command and control server and the bots could be applied to discriminate bot behaviors from normal cloud users. The proposed approach is evaluated in a closed networking environment and the preliminary experimental evaluation results are promising and show significant potentials of using entropy to detect command and control channel of botnets in the cloud.

Binbin Wang,Zhitang Li,Dong Li,Feng Liu,Hao Chen

DOI: https://doi.org/10.1109/EBISS.2010.5473532

2010-01-01

Abstract:Botnet has become a prevalent platform for malicious attacks, which poses a significant threat to Internet security. Recently, botnets are inclined to utilize HTTP to route their command and control (C&C) communication instead of using the protocol Internet Relay Chat (IRC). And these web-based C&C bots try to blend into normal HTTP traffic, which makes them more difficult to be identified. In this work, we propose an automatic approach to identify web-based C&C bots by modeling the essential network behavior of web-based bots in supervised network. Experimental results show the proposed approach is very efficient and can detect web-base bots with low false positive ratio.

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Hongling Jiang,Xiuli Shao

DOI: https://doi.org/10.1007/s12083-012-0150-x

IF: 3.488

2012-01-01

Peer-to-Peer Networking and Applications

Abstract:Botnets are widely used by attackers and they have evolved from centralized structures to distributed structures. Most of the modern P2P bots launch attacks in a stealthy way and the detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bots’ information provided by external systems. It detects P2P bots by focusing on the instinct characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots and normal hosts by clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.

DONG Kai-kun,LIU Yang,GUO Li,DONG Lan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.04.019

2008-01-01

Abstract:Botnet is one of the most serious threats to the security of the Internet nowadays.As compared with IRC Botnets, the control of P2P Botnets is more secure, robust and stealthy. The working principles for typical P2P Botnets are presented.And then the methods for peer discovery of P2P Botnets are classified, and their weak points are analyzed respectively. Based on the analysis, the methods for detecting P2P Botnets are given.

NIU Wei-na,ZHANG Xiao-song,SUN En-bo,YANG Guo-wu,ZHAO Ling-yuan

DOI: https://doi.org/10.3969/j.issn.1001-0548.2017.06.019

2017-01-01

Abstract:The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. toperform thedenial-of-service attack, send phishing links, and provide malicious services. Peer-to-peer (P2P) botnet is more difficult to be detected compared with IRC, HTTP and other types of botnets because it has typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, the non-P2P packages are filtered to reduce the amount of network traffic, according to well-known ports, DNS query, and flow counting. At the second stage, the conversation features based on data flow features and flow similarity are extracted. Finally, the P2P botnet is detected by using Random Forest based on the decision tree model. Experimental evaluations on UNB ISCX botnet dataset shows that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

Hao Tu,Zhi-Tang Li,Bin Liu

DOI: https://doi.org/10.1007/978-3-540-71549-8_40

2007-01-01

Abstract:Botnet is a new trend in Internet attacks. Because the propagation of botnets will not cause large traffic like worm, it is often difficult to detect it. Till now, the most common method to detect botnets is to use honeynets. Although previous work has described an active detection technique using DNS hijacking technique[1], there are little information about how to detect the domain names which botnets used. Some researchers also use DNS based method to detect botnets[2,3], but all of them use simple signature or statistical method which require much prior knowledge.

Zhitang Li,Binbin Wang,Dong Li,Hao Chen,Feng Liu,ZhengBin Hu

DOI: https://doi.org/10.4304/jnw.5.5.517-526

2010-01-01

Abstract:Nowadays, botnets use peer-to-peer (P2P) networks for command and control (C&C) infrastructure. In contrast to traditional centralized-organized botnets, there is no central point of failure for structed-P2P-based botnets, which makes the botnets more concealable and robust and consequently degrades the botnet detection efficiency. In this work, an efficient structured-P2P-based botnet detection strategy through the aggregation and stability analysis of network traffic is proposed. Considering that the flows related to the structured-P2P-based bot exhibit stability on statistical meaning due to the impartial position in botnet and performing pre-programmed control activities automatically, we develop a stability detection subsystem to differentiate regular clients from bots. However, there may exist a large quantity of flows in supervised network, which makes botnet detection rather inefficient. Thus, a small flow-aggregation extraction subsystem is further developed to exclude a majority of flows unlikely for C&C communication of structured-P2P-based bots ahead of stability detection. Extensive experimental results show the proposed approach is very efficient and can detect structured-P2P-based botnet with low false positive ratio.

Xiaobo Ma,Xiaohong Guan,Jing Tao,Qinghua Zheng,Yun Guo,Lu Liu,Shuang Zhao

DOI: https://doi.org/10.1109/ICC.2010.5502092

2010-01-01

Abstract:Botnets have become a serious threat to Internet and are often deployed to control a large pool of zombies and perform notorious activities such as DDoS, information theft and spam sending. In this paper, a new method is developed for detecting IRC botnets by analyzing the characteristic of packet size sequence of the TCP conversation between IRC zombies and their command and control (C&C) servers. In comparison with IRC chat, the TCP conversations within IRC botnets show a nature of approximate periodicity defined as quasi-periodicity in this paper. A simple yet effective detection method is presented to detect IRC botnets by measuring the quasi-periodicity degree and packet average size of IRC conversations based on ukkonen algorithm. We evaluated our method using real-world IRC botnet traces captured from honeynet. The results show that our method can detect real-world IRC botnets from IRC traffic with high accuracy and has a low false positive rate.