Real-time Botnet command and control characterization at the host level

Etemad, Farhood Farid; Vahdani, Payam

doi:10.1109/istel.2012.6483133

Cited by 9 publications

(9 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this case, we need a host-based detection to eliminate the bot program from the host. ere are various researches in host-based detection techniques [9][10][11]. Huang [10] proposes an effective bot host detection solution based on network failure tracking in a host during short period.…”

Section: Botnet Detection At the Host Sidementioning

confidence: 99%

Hybrid Botnet Detection Based on Host and Network Analysis

Almutairi¹,

Mahfoudh

Almutairi³

et al. 2020

Journal of Computer Networks and Communications

View full text Add to dashboard Cite

Botnet is one of the most dangerous cyber-security issues. The botnet infects unprotected machines and keeps track of the communication with the command and control server to send and receive malicious commands. The attacker uses botnet to initiate dangerous attacks such as DDoS, fishing, data stealing, and spamming. The size of the botnet is usually very large, and millions of infected hosts may belong to it. In this paper, we addressed the problem of botnet detection based on network’s flows records and activities in the host. Thus, we propose a general technique capable of detecting new botnets in early phase. Our technique is implemented in both sides: host side and network side. The botnet communication traffic we are interested in includes HTTP, P2P, IRC, and DNS using IP fluxing. HANABot algorithm is proposed to preprocess and extract features to distinguish the botnet behavior from the legitimate behavior. We evaluate our solution using a collection of real datasets (malicious and legitimate). Our experiment shows a high level of accuracy and a low false positive rate. Furthermore, a comparison between some existing approaches was given, focusing on specific features and performance. The proposed technique outperforms some of the presented approaches in terms of accurately detecting botnet flow records within Netflow traces.

show abstract

Section: Botnet Detection At the Host Sidementioning

confidence: 99%

Hybrid Botnet Detection Based on Host and Network Analysis

Almutairi¹,

Mahfoudh

Almutairi³

et al. 2020

Journal of Computer Networks and Communications

View full text Add to dashboard Cite

show abstract

“…They suggest that the false positives (caused mainly by software updates) can be minimised using whitelisting. Etemad & Vahdani (2012) take a similar approach for centralised botnet detection. Like Wang et al (2010), they identify C&C traffic by the presence of periodic HTTP messages.…”

Section: Identification Of Control Trafficmentioning

confidence: 99%

“…Bot Traffic: Repetitive HTTP requests generated at regular intervals. Features: Degree of periodic repeatability (Etemad & Vahdani, 2012), periodic factor (Eslahi et al, 2015), HTTP messages range of absolute frequencies (Eslahi et al, 2015), HTTP messages time sequence (Eslahi et al, 2015), HTTP request density (Cai & Zou, 2012), HTTP request periodicity (Eslahi et al, 2013) Bots communicating with C&Cs over HTTP need to poll them continuously to receive updates. To achieve this, they will repeatedly generate similar HTTP requests to the server at regular intervals.…”

Section: Application Layer/httpmentioning

confidence: 99%

“…The actual period length will be configured by the botmaster, and may be different across different instances of the same malware. Etemad & Vahdani (2012) measure this using the degree of periodic repeatability (and repeatability standard deviation), where a low value means that communication takes place at regular intervals and is therefore suspicious. Eslahi et al (2013) split their observation window into equal time intervals and find the distribution of group events across those intervals.…”

Section: Application Layer/httpmentioning

confidence: 99%

“…Figure 4. HTTP-based features, from (Etemad & Vahdani, 2012), (Eslahi et al, 2013), (Eslahi et al, 2015), (Cai & Zou, 2012), (Al-Bataineh & White, 2012), (Li et al, 2014), & (Grill & Rehak, 2014). cannot be identified at the next stage.…”

Section: Characterisation and Identificationmentioning

confidence: 99%

See 2 more Smart Citations

Survey of approaches and features for the identification of HTTP-based botnet traffic

Acarali

Rajarajan

Komninos

et al. 2016

Journal of Network and Computer Applications

View full text Add to dashboard Cite

Botnet use is on the rise, with a growing number of botmasters now switching to the HTTP-based C&C infrastructure. This offers them more stealth by allowing them to blend in with benign web traffic. Several works have been carried out aimed at characterising or detecting HTTP-based bots, many of which use network communication features as identifiers of botnet behaviour. In this paper, we present a survey of these approaches and the network features they use in order to highlight how botnet traffic is currently differentiated from normal traffic. We classify papers by traffic types, and provide a breakdown of features by protocol. In doing so, we hope to highlight the relationships between features at the application, transport and network layers.

show abstract

Real time multi stage unsupervised intelligent engine for NIDS to enhance detection rate of unknown attacks

Amoli

Hämäläinen

2013

2013 IEEE Third International Conference on Information Science and Technology (ICIST)

View full text Add to dashboard Cite

Real-time Botnet command and control characterization at the host level

Cited by 9 publications

References 15 publications

Hybrid Botnet Detection Based on Host and Network Analysis

Hybrid Botnet Detection Based on Host and Network Analysis

Survey of approaches and features for the identification of HTTP-based botnet traffic

Real time multi stage unsupervised intelligent engine for NIDS to enhance detection rate of unknown attacks

Contact Info

Product

Resources

About