An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic

AsSadhan, Basil; Moura, J.M.F.

doi:10.1016/j.jare.2013.11.005

Cited by 36 publications

(49 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our clustering model is based on C-flow and its four features [1]. A C-flow is a collection of all flows over a period of time.…”

Section: Network Traffic Clusteringmentioning

confidence: 99%

“…But they can be ineffective when bot variants are encountered. As for behavior-based detection, AsSadhan et al [1] detected botnet by finding the periodic behavior from network traffic. The advantage of such technique is that it is based on a basic property shared by many botnet variants and is independent of the structure (e.g., centralized, P2P) and C&C protocol (e.g., IRC, HTTP).…”

Section: Introductionmentioning

confidence: 99%

“…Choi et al [4] detected botnet activities by monitoring group activities in DNS traffic, assuming that a bot must look up the domain names of the C&C server. Another representative approach is Botminer [1] that performed across clusters of communication traffic and malicious activity. Botminer is independent of botnet structure and C&C protocol.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

Wang¹,

Wang²,

Tan³

et al. 2018

IJPE

View full text Add to dashboard Cite

Botnets have become one of the most serious threats on the Internet. On the platform of botnets, attackers conduct series of malicious activities such as distributed denial-of-service (DDoS) or virtual currencies mining. Network traffic has been widely used as the data source for the detection of botnets. However, there are two main issues on the detection of botnets with network traffic. First, many traditional filtering methods such as whitelisting are not able to process the very large amount of traffic data in real-time due to their limited computational capability. Second, many existing detection methods, based on network traffic clustering, result in high false positive rates. In this work, we are motivated to resolve the above two issues by proposing a lightweight botnet detection system called BotCapturer, based on two-layered analysis with anomaly detection in graph and network communication traffic clustering. First, we identify anomalous nodes that correspond to C&C (Control and Command) servers with anomaly scores in a graph abstracted from the network traffic. Second, we take advantage of clustering algorithms to check whether the nodes interacting with an anomalous node share similar communication pattern. In order to minimize irrelevant traffic, we propose a traffic reduction method to reduce more than 85% background traffic. The reduction is conducted by filtering the packets that are unrelated to the hosts like C&C server. We collect a very big dataset by simulating five different botnets and mixing the collected traffic with background traffic obtained from ISP. Extensive experiments are conducted and evaluation results based on our own dataset show that BotCapturer reduces more than 85% input raw packet traces and achieves a high detection rate (100%) with a low false positive rate (0.01%), demonstrating that it is very effective and efficient in detecting latest botnets.

show abstract

“…Our clustering model is based on C-flow and its four features [1]. A C-flow is a collection of all flows over a period of time.…”

Section: Network Traffic Clusteringmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

Wang¹,

Wang²,

Tan³

et al. 2018

IJPE

View full text Add to dashboard Cite

show abstract

“…The protocol hidden behavior analysis issue is given an undocumented protocol program C and captured protocol message M, monitoring and analy zing the process of C parsing M, (1) building the protocol behavior instruction sequences ; (2) inferring the potential trigger conditions according to the public behavior instruction sequences ; (3) mining and triggering the protocol's hidden behavior by static clustering analysis; (4) finally, evaluating the protocol's execution security. Our approach us es dynamic binary analysis combin ing static clustering techniques, which is based on the intuition that the most important protocol behavior is contained in the message parsing process.…”

Section: System Overviewmentioning

confidence: 99%

“…Having mo re knowledge of netwo rk protocol is of great value in many network security applications, such as deep packet inspection [1] , botnet analysis [2] , vulnerability discovery [3] and signature generation [4] . Most protocol reverse analysis focus on analyzing and inferring unknown protocol specifications, such as message format and fields [5] , but pay litt le attention to the protocol's behavior.…”

Section: Introductionmentioning

confidence: 99%

Analyze Network Protocol's Hidden Behavior

Pang

Pei

et al. 2015

2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)

View full text Add to dashboard Cite

Unknown protocol's hidden behavior is becoming a new challenge in network security. This paper takes the captured messages and the binary code that implement the protocol both as the studied object. Dynamic Taint Analysis combined with Static Analysis is used for protocol analyzing. Firstly, monitor and analyze the process of protocol program parses the message in the virtual platform HiddenDisc prototype system developed by ourselves, record the protocol's public behavior, then based on our proposed Hidden Behavior Perception and M ining algorithm, static analyze the protocol's hidden behavior trigger conditions and hidden behavior instruction sequences. According to the hidden behavior trigger conditions, new protocol messages with the sensitive information are generated, and the hidden behaviors are executed by dynamic triggering. HiddenDisc prototype system can sense, trigger and analysis the protocol's hidden behaviors. According to the statistical analysis results, we propose the evaluation method of Protocol Execution Security. The experimental results show that the present method can accurately mining the protocol's hidden behaviors, and can evaluate unknown protocol's execution security.

show abstract

Network anomaly detection using a cross‐correlation‐based long‐range dependence analysis

et al. 2020

Self Cite

View full text Add to dashboard Cite

The detection of anomalies in network traffic is an important task in today's Internet. Among various anomaly detection methods, the techniques based on examination of the long-range dependence (LRD) behavior of network traffic stands out to be powerful. In this paper, we reveal anomalies in aggregated network traffic by examining the LRD behavior based on the cross-correlation function of the bidirectional control and data planes traffic. Specifically, observing that the conventional cross-correlation function has a low measure of dissimilarity between the two planes, which leads to a reduced anomaly detection performance, we propose a modification of the cross-correlation function to mitigate this issue. The performance of the proposed method is analyzed using a relatively recent Internet traffic captured at King Saud University. The results demonstrate that using the modified cross-correlation function has the ability to detect low volume and short duration attacks. It also compensates for some misdetections exhibited by using the autocorrelation structures of the bidirectional traffic of the control, data, and WHOLE (combined control and data) planes traffic. 1 | INTRODUCTION Internet services have been rapidly evolving due to continuous emergence of new technologies and high bandwidth applications. According to Cisco, the annual global IP traffic is expected to reach 3.30 Zettabyte by 2021. 1 This growth has introduced many challenges in terms of securing information, reliability of data transfer, and detection of traffic anomalies and attacks. Anomalies are patterns of data that deviate from normal behavior. A broad variety of such patterns in Internet traffic are frequently faced by network operators. These patterns could represent genuine abnormalities induced by physical or technical issues, such as high-rate flows, network outage, and sudden changes due to flash crowds. 2 However, such patterns could also be generated by malicious activities such as cyber intrusions, distributed denial of service (DDoS) attacks, port scanning, and worm propagation. 3,4 This type of malicious activities could likely introduce disastrous effects on the proper operation of networks. The mentioned malicious activities are considerably growing with time. According to the worldwide infrastructure security report, 5 it is evident that the volume of these attacks on data centers, networks infrastructures, and

show abstract

An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic

Cited by 36 publications

References 9 publications

BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

Analyze Network Protocol's Hidden Behavior

Network anomaly detection using a cross‐correlation‐based long‐range dependence analysis

Contact Info

Product

Resources

About