BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most current botnet detection approaches work only for specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure and requires no a priori knowledge of botnets (such as captured bot binaries and hence botnet signatures, or C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
References in zbMATH (referenced in 5 articles)
- Qi, Biao; Shi, Zhixin; Wang, Yan; Wang, Jizhi; Wang, Qiwen; Jiang, Jianguo: BotTokenizer: exploring network tokens of HTTP-based botnet using malicious network traces (2018)
- Sexton, Joseph; Storlie, Curtis; Neil, Joshua: Attack chain detection (2015)
- Choi, Jaehoon; Kang, Jaewoo; Lee, Jinseung; Song, Chihwan; Jin, Qingsong; Lee, Sunwon; Uh, Jinsun: Mining botnets and their evolution patterns (2013)
- Kwon, Jonghoon; Lee, Jehyun; Lee, Heejo: Hidden bot detection by tracing non-human generated traffic at the zombie host (2011)
- Kotenko, Igor; Konovalov, Alexey; Shorov, Andrey: Simulation of botnets: agent-based approach (2010)