Exploiting Temporal Persistence to Detect Covert Botnet Channels

Giroire, Frédéric; Chandrashekar, Jaideep; Taft, Nina; Schooler, Eve M.; Papagiannaki, Dina

doi:10.1007/978-3-642-04342-0_17

Cited by 69 publications

(57 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We verified that this is essentially the same botnet as the aforementioned botnet, as they both contacted the same IRC server 220.196.X.226, The bot observed in June contacted port 3938 while the later bot contacted the server 9 We know that it is the same botnet because the binaries use the same C&C channel. 10 At first glance, this looks like a BASE64 encoded string.…”

Section: Bot Binaries With Cleartext Communicationmentioning

confidence: 59%

“…In our honeynet, we have observed at least two other commands issued by the same botnet (with different bot binaries). 9 The changes in commands reflected relocation of binary hosting websites and file names. Apparently, the original hosting site (media.pixpond.com) was no longer available, so the botmaster switched to two other websites (imgplace.com and img2.freeimagehosting.net).…”

Section: Bot Binaries With Cleartext Communicationmentioning

confidence: 99%

See 1 more Smart Citation

Active Botnet Probing to Identify Obscure Command and Control Channels

Gu¹,

Yegneswaran

Porras

et al. 2009

2009 Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Abstract-We consider the problem of identifying obscure chat-like botnet command and control (C&C) communications, which are indistinguishable from human-human communication using traditional signature-based techniques. Existing passive-behavior-based anomaly detection techniques are limited because they either require monitoring multiple botinfected machines that belong to the same botnet or require extended monitoring times. In this paper, we explore the potential use of active botnet probing techniques in a network middlebox as a means to augment and complement existing passive botnet C&C detection strategies, especially for small botnets with obfuscated C&C content and infrequent C&C interactions. We present an algorithmic framework that uses hypothesis testing to separate botnet C&C dialogs from humanhuman conversations with desired accuracy and implement a prototype system called BotProbe. Experimental results on multiple real-world IRC bots demonstrate that our proposed active methods can successfully identify obscure and obfuscated botnet communications. A real-world user study on about one hundred participants also shows that the technique has a low false positive rate on human-human conversations. We discuss the limitations of BotProbe and hope this preliminary feasibility study on the use of active techniques in botnet research can inspire new thoughts and directions within the malware research community.

show abstract

Section: Bot Binaries With Cleartext Communicationmentioning

confidence: 59%

Section: Bot Binaries With Cleartext Communicationmentioning

confidence: 99%

Active Botnet Probing to Identify Obscure Command and Control Channels

Gu¹,

Yegneswaran

Porras

et al. 2009

2009 Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Inspired by the persistency concept [16], the authors Fedynyshyn, et al [17] proposed a solution to use the persistency to detect C&C channels and classify them to their architecture (IRC, HTTP or P2P) by monitoring individual host's traffic. Garasia,et al [18] applied the Apriori association algorithm [19] to identify the presence of a C&C channel for HTTP botnets, by applying four main phases named traffic representation, filtering, separation and detection.…”

Section: Related Workmentioning

confidence: 99%

Machine Learning Based Botnet Identification Traffic

Azab

Alazab

Aiash

2016

2016 IEEE Trustcom/BigDataSE/Ispa

View full text Add to dashboard Cite

“…Giroire et al propose detection of botnet C&C traffic by identifying new repeated combinations of traffic destinations within varying time windows [26]. This type of anomaly detection assumes C&C traffic that connects multiple times to the same destination.…”

Section: Related Workmentioning

confidence: 99%

Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers

Burghouwt¹,

Spruit²,

Sips³

2015

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Network-based detection of botnet Command and Control communication is a difficult task if the traffic has a relatively low volume and if popular protocols, such as HTTP, are used to resemble normal traffic. We present a new network-based detection approach that is capable of detecting this type of Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. If the destination identifier of a traffic flow origins directly from: human input, prior traffic from a trusted destination, or a defined set of legitimate applications, the destination is trusted and its associated traffic is classified as normal. Advantages of this approach are: the ability of zero day malicious traffic detection, low exposure to malware by passive host-external traffic monitoring, and the applicability for real-time filtering. Experimental evaluation demonstrates successful detection of diverse types of Command and Control Traffic.

show abstract

Exploiting Temporal Persistence to Detect Covert Botnet Channels

Cited by 69 publications

References 4 publications

Active Botnet Probing to Identify Obscure Command and Control Channels

Active Botnet Probing to Identify Obscure Command and Control Channels

Machine Learning Based Botnet Identification Traffic

Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers

Contact Info

Product

Resources

About