
Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows

Conference paper. Cyberspace Safety and Security (CSS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8300)

Abstract

The Command and Control communication of a botnet is evolving into sophisticated covert communication. Techniques such as encryption, steganography, and recently the use of social network websites as a proxy impede conventional detection of botnet communication. In this paper we propose detection of covert communication by passive host-external analysis of causal relationships between traffic flows and prior traffic or user activity. Identifying the direct causes of traffic flows allows for real-time bot detection with low exposure to malware, and for offline forensic analysis of traffic. The proposed causal analysis of traffic is experimentally evaluated with a self-developed tool called CITRIC on various types of real Command and Control traffic.
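The abstract describes the core idea: a flow is benign when it has a direct cause (preceding user activity or preceding traffic such as a DNS reply), and a flow with no identifiable cause is a candidate covert C&C channel. The following is an added illustration of that idea in Python; it is not CITRIC and not code from the paper. The causal rules (a fixed user-activity window, a DNS-answer link, and a same-destination link to an already-explained flow), the window sizes, and the sample flows and timestamps are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed rule parameters (not the paper's values).
USER_WINDOW = 5.0    # seconds: a flow starting this soon after user input counts as user-caused
FLOW_WINDOW = 10.0   # seconds: a flow starting this soon after a related flow counts as traffic-caused


@dataclass
class Flow:
    t: float                         # start time, seconds since capture start
    dst_ip: str
    dport: int
    dns_answer: Optional[str] = None  # for DNS flows: the address the reply resolved to


def classify_flows(flows: List[Flow], user_events: List[float]) -> List[Tuple[Flow, str]]:
    """Label each flow, in time order, with its direct cause:
    'user' (recent user activity), 'dns' (a recent DNS reply resolved the
    destination), 'prior-flow' (a recent, itself-explained flow to the same
    destination) or 'none' (no cause found: candidate covert C&C)."""
    ordered = sorted(flows, key=lambda f: f.t)
    labels: List[str] = []
    for i, flow in enumerate(ordered):
        label = "none"
        if any(0 <= flow.t - u <= USER_WINDOW for u in user_events):
            label = "user"
        else:
            for j in range(i):
                prev = ordered[j]
                if flow.t - prev.t > FLOW_WINDOW:
                    continue
                if labels[j] == "none":
                    continue  # an unexplained flow cannot serve as a cause
                if prev.dns_answer == flow.dst_ip:
                    label = "dns"
                    break
                if prev.dst_ip == flow.dst_ip:
                    label = "prior-flow"
                    break
        labels.append(label)
    return list(zip(ordered, labels))


def suspicious_flows(flows: List[Flow], user_events: List[float]) -> List[Flow]:
    """Flows for which no direct cause was found."""
    return [f for f, label in classify_flows(flows, user_events) if label == "none"]


# Constructed sample capture: a user-triggered browsing session followed by
# periodic beacons to a host that nothing on the host-external side explains.
SAMPLE_USER_EVENTS = [1.0, 2.5]   # keyboard/mouse activity timestamps (constructed)
SAMPLE_FLOWS = [
    Flow(2.0, "10.0.0.53", 53, dns_answer="93.184.216.34"),  # DNS lookup right after user input
    Flow(8.0, "93.184.216.34", 443),                          # HTTPS to the resolved address
    Flow(13.0, "93.184.216.34", 443),                         # follow-up flow to the same server
    Flow(30.0, "203.0.113.7", 443),                           # beacon, 60 s period, no cause
    Flow(90.0, "203.0.113.7", 443),
    Flow(150.0, "203.0.113.7", 443),
]

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE_FLOWS, SAMPLE_USER_EVENTS):
        print(f"t={flow.t:6.1f}  {flow.dst_ip}:{flow.dport}  cause={label}")
```

On the sample data the DNS flow is labelled `user`, the first HTTPS flow `dns`, the follow-up `prior-flow`, and the three beacons `none`. The check that a cause must itself be explained is what keeps a beacon from being "explained" by an earlier beacon to the same host; in a real deployment the windows and the set of causal links would need tuning against the false-positive rate, which is what the paper's experimental evaluation addresses.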





Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Burghouwt, P., Spruit, M., Sips, H. (2013). Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_10


  • DOI: https://doi.org/10.1007/978-3-319-03584-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03583-3

  • Online ISBN: 978-3-319-03584-0

  • eBook Packages: Computer Science (R0)
