Botnet Detection Architecture Based on Heterogeneous Multi-sensor Information Fusion

Abstract:

As technology has been developed rapidly, botnet threats to the global cyber community are also increasing. And the botnet detection has recently become a major research topic in the field of network security. Most of the current detection approaches work only on the evidence from single information source, which can not hold all the traces of botnet and hardly achieve high accuracy. In this paper, a novel botnet detection architecture based on heterogeneous multi-sensor information fusion … Show more

“…The Contrabot framework is partly based on principles similar to existing collaborative botnet detection approaches such as [27,17,4,31,32], but it has a number of advantages: First, the ContraBot will employ traffic analysis in the core network, providing protection for a broader set of end-users. Secondly, our proposed set-up will combine information not only from network and client levels but also from in depth analysis of harvested code in order to improve the detection accuracy even further.…”

“…It will further develop ideas proposed by a variety of research groups, as reported in Oliner et al [17], Wang et al [31,32], and Flaglien et al [4], amongst others. We intend to extend this previous work to cover more scenarios and platforms.…”

“…Following the principles considered by the research groups presented in the previous section [27,17,4,31,32], ContraBot belongs to the emerging class of collaborative botnet detection approaches that integrate multiple principles of botnet detection, in order to provide more efficient and effective detection. The basic scientific hypothesis behind our method is that correlating the observations and analyses from client and network entities combined with in-depth analysis of harvested code will significantly improve the botnet classification ability, in comparison to todays state-of-theart methods.…”

“…Using these or similar concepts, several authors have proposed botnet detection systems that correlate alerts from several detection entities. Wang and Gong have proposed frameworks for collaborative [31] and fusion [32] detection while Zeng et al [35] proposed a combined botnet detection system.…”

“…The first framework [31] represents a hierarchical collaborative model that incorporates several independent detection systems, that use bot-related information from multiple sources such as network traffic, client computer internals and deployed honeypots. The second proposed framework [32] introduced the idea of combining multi-source information fusion with a collaborative detection framework. The framework envisions combining bot-related information originating from several sources (traffic monitors, IDSs, other botnet detection systems, firewalls) in order to determine the presence of a botnet within the monitored network.…”

A Collaborative Approach to Botnet Protection

“…The Contrabot framework is partly based on principles similar to existing collaborative botnet detection approaches such as [27,17,4,31,32], but it has a number of advantages: First, the ContraBot will employ traffic analysis in the core network, providing protection for a broader set of end-users. Secondly, our proposed set-up will combine information not only from network and client levels but also from in depth analysis of harvested code in order to improve the detection accuracy even further.…”

“…It will further develop ideas proposed by a variety of research groups, as reported in Oliner et al [17], Wang et al [31,32], and Flaglien et al [4], amongst others. We intend to extend this previous work to cover more scenarios and platforms.…”

“…Following the principles considered by the research groups presented in the previous section [27,17,4,31,32], ContraBot belongs to the emerging class of collaborative botnet detection approaches that integrate multiple principles of botnet detection, in order to provide more efficient and effective detection. The basic scientific hypothesis behind our method is that correlating the observations and analyses from client and network entities combined with in-depth analysis of harvested code will significantly improve the botnet classification ability, in comparison to todays state-of-theart methods.…”

“…Using these or similar concepts, several authors have proposed botnet detection systems that correlate alerts from several detection entities. Wang and Gong have proposed frameworks for collaborative [31] and fusion [32] detection while Zeng et al [35] proposed a combined botnet detection system.…”

“…The first framework [31] represents a hierarchical collaborative model that incorporates several independent detection systems, that use bot-related information from multiple sources such as network traffic, client computer internals and deployed honeypots. The second proposed framework [32] introduced the idea of combining multi-source information fusion with a collaborative detection framework. The framework envisions combining bot-related information originating from several sources (traffic monitors, IDSs, other botnet detection systems, firewalls) in order to determine the presence of a botnet within the monitored network.…”

A Collaborative Approach to Botnet Protection

A Markov Multi-Phase Transferable Belief Model for Cyber Situational Awareness

A Botnet-Oriented Collaborative Defense Scheme Description Language