
Ant-Based Botnet C&C Server Traceback

  • Conference paper
  • Book: Security with Intelligent Computing and Big-data Services (SICBS 2017)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 733))

Abstract

Botnets can cause significant security threats and huge losses to organizations, and their existence is difficult to discover; therefore they have become one of the most severe threats on the Internet. The core component of a botnet is its command and control server (C2 server or C&C server), through which the bot herder instructs zombie machines to launch attacks. A commonly used protocol, such as IRC (Internet Relay Chat) or HTTP, is adopted for communication between bot machines and the server. In addition, some advanced botnets might have multiple C2 servers to evade detection and to extend their lifetime. Therefore, identifying the C2 server is important to prevent botnet attacks or further damage. In this paper, a detection scheme based on an ant colony optimization algorithm is proposed to identify the paths from bot machines to the C2 server. The results show that the proposed detection scheme can identify botnet servers efficiently.



Acknowledgments

The study is based on the work sponsored by the Ministry of Science and Technology under the grant MOST 106-2221-E-110-017-MY3.

Author information

Correspondence to Chia-Mei Chen.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Chen, CM., Lai, GH. (2018). Ant-Based Botnet C&C Server Traceback. In: Peng, SL., Wang, SJ., Balas, V., Zhao, M. (eds) Security with Intelligent Computing and Big-data Services. SICBS 2017. Advances in Intelligent Systems and Computing, vol 733. Springer, Cham. https://doi.org/10.1007/978-3-319-76451-1_27

  • DOI: https://doi.org/10.1007/978-3-319-76451-1_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76450-4

  • Online ISBN: 978-3-319-76451-1

  • eBook Packages: Engineering (R0)