Abstract
The Command and Control communication of botnets is evolving into sophisticated covert communication. Techniques such as encryption, steganography and, more recently, the use of social network websites as a proxy impede conventional detection of botnet communication. In this paper we propose detecting covert communication by passive, host-external analysis of the causal relationships between traffic flows and prior traffic or user activity. Identifying the direct causes of traffic flows allows for real-time bot detection with low exposure to malware, as well as offline forensic analysis of traffic. The proposed causal analysis of traffic is experimentally evaluated with various types of real Command and Control traffic using a self-developed tool called CITRIC.
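As an added illustration of the causal attribution the abstract describes (example code, not from the paper or the CITRIC tool): each flow is attributed to its most direct preceding cause, a DNS answer that produced its destination address, an earlier flow to the same host, or recent user input, and flows with no such cause are flagged for inspection. The attribution windows, the order of the checks and the sample capture are assumptions made here, not values taken from the paper.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    t: float       # start time in seconds since capture start
    dst_ip: str
    dst_port: int

@dataclass
class DnsAnswer:
    t: float       # time the answer was seen on the wire
    name: str
    ip: str

# Assumed attribution windows (illustrative, not values from the paper).
USER_WINDOW = 2.0     # a flow starting within 2 s of key/mouse input counts as user-caused
TRAFFIC_WINDOW = 5.0  # a destination resolved or contacted within 5 s counts as traffic-caused

def classify_flow(flow, user_events, dns_answers, earlier_flows):
    """Return (cause_class, explanation) for the most direct cause found."""
    # Prior traffic: a DNS answer that produced this destination address.
    for a in dns_answers:
        if a.ip == flow.dst_ip and 0 <= flow.t - a.t <= TRAFFIC_WINDOW:
            return "prior_traffic", f"DNS answer for {a.name} at {a.t:.1f}s"
    # Prior traffic: an earlier flow to the same host (follow-up request, keep-alive).
    for e in earlier_flows:
        if e.dst_ip == flow.dst_ip and 0 < flow.t - e.t <= TRAFFIC_WINDOW:
            return "prior_traffic", f"earlier flow to {e.dst_ip} at {e.t:.1f}s"
    # User activity: recent keyboard/mouse input on the monitored host.
    for u in user_events:
        if 0 <= flow.t - u <= USER_WINDOW:
            return "user_activity", f"input at {u:.1f}s"
    # No direct cause: a candidate for covert, self-initiated C&C traffic.
    return "uncaused", "no preceding traffic or user activity"

def attribute_flows(flows, user_events, dns_answers):
    """Attribute every flow in time order; returns [(flow, cause_class, explanation)]."""
    ordered = sorted(flows, key=lambda f: f.t)
    return [(f, *classify_flow(f, user_events, dns_answers, ordered[:i]))
            for i, f in enumerate(ordered)]

# Constructed sample capture (TEST-NET addresses, not real hosts).
SAMPLE_USER_EVENTS = [10.0]                                  # one mouse click
SAMPLE_DNS = [DnsAnswer(10.2, "www.example.net", "198.51.100.10")]
SAMPLE_FLOWS = [
    Flow(10.1, "198.51.100.53", 53),    # DNS query right after the click
    Flow(10.4, "198.51.100.10", 443),   # HTTPS to the address just resolved
    Flow(10.9, "198.51.100.10", 443),   # second connection to the same host
    Flow(300.0, "203.0.113.7", 8080),   # nothing preceded this one
]
```

Running `attribute_flows(SAMPLE_FLOWS, SAMPLE_USER_EVENTS, SAMPLE_DNS)` attributes the first three flows and leaves only the flow to 203.0.113.7 uncaused.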
© 2013 Springer International Publishing Switzerland
Cite this paper
Burghouwt, P., Spruit, M., Sips, H. (2013). Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_10
DOI: https://doi.org/10.1007/978-3-319-03584-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-03583-3
Online ISBN: 978-3-319-03584-0
eBook Packages: Computer Science (R0)