Abstract
Bots, a new class of malicious program, are hard to detect with signature-based pattern-matching techniques.
In this research, we focused on a function unique to bots: the remote control channel (the C&C session). We clarified that the C&C session has distinctive characteristics that arise from the behavior of the bot program. Accordingly, we propose an alternative technique for identifying computers compromised by a bot program: classifying C&C sessions from traffic data with a machine learning algorithm, the support vector machine (SVM). In our evaluation, SVM identified C&C sessions with 95% accuracy. The evaluation also showed that the packet histogram vector of a session is better than the other vector definitions we tried for classifying bot C&C sessions.
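As an added illustration of the pipeline the abstract describes (not the paper's own code or data): each session's packet-length histogram becomes its feature vector, and a linear SVM trained with the Pegasos sub-gradient method separates constructed C&C-like sessions (many tiny messages) from bulk transfers. The bin edges, addresses, payload lengths and labels are all assumptions made for this example.

```python
from collections import defaultdict

BIN_EDGES = (64, 128, 256, 512, 1024)   # payload-length bin boundaries (assumed)

def bin_index(length):
    """Map a payload length to a histogram bin: 0 = <64 bytes ... 5 = >=1024."""
    return sum(length >= edge for edge in BIN_EDGES)

def session_histograms(packets):
    """Group packets by (src, dst, dport); return a normalised length histogram per session."""
    counts = defaultdict(lambda: [0] * (len(BIN_EDGES) + 1))
    for src, dst, dport, length in packets:
        counts[(src, dst, dport)][bin_index(length)] += 1
    return {k: [c / sum(v) for c in v] for k, v in counts.items()}
def dot(u, v):
    return sum(a * b for a, b in zip(u, v))
def train_svm(samples, lam=0.1, epochs=50):
    """Pegasos: stochastic sub-gradient training of a linear SVM, returns (w, b)."""
    w, b, t = [0.0] * len(samples[0][0]), 0.0, 0
    for _ in range(epochs):
        for x, y in samples:
            t += 1
            eta = 1.0 / (lam * t)
            hinge_active = y * (dot(w, x) + b) < 1
            w = [(1 - eta * lam) * wi for wi in w]            # regularisation step
            if hinge_active:                                   # hinge-loss step
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
                b += eta * y
    return w, b

def predict(model, x):
    w, b = model
    return 1 if dot(w, x) + b >= 0 else -1

# Constructed packets: (src, dst, dport, payload_len). The two port-6667 sessions are
# streams of tiny keep-alive style messages (C&C-like, label +1); the two port-80
# sessions are bulk transfers of near-MTU segments (benign, label -1). Labels are assumed.
CC_A, CC_B = ("10.0.0.5", "198.51.100.9", 6667), ("10.0.0.7", "198.51.100.9", 6667)
WEB_C, WEB_D = ("10.0.0.5", "203.0.113.4", 80), ("10.0.0.7", "203.0.113.8", 80)
PACKETS = ([CC_A + (n,) for n in (12, 20, 30, 15, 8, 40, 50, 25, 18, 22)]
           + [CC_B + (n,) for n in (60, 10, 70, 20, 30, 33, 44, 90)]
           + [WEB_C + (n,) for n in (300, 1460, 1460, 1460, 1460, 1460, 800)]
           + [WEB_D + (n,) for n in (500, 1460, 1460, 1200, 1460, 1460, 1460, 1460)])
LABELS = {CC_A: 1, CC_B: 1, WEB_C: -1, WEB_D: -1}

def classify_sessions(packets=PACKETS, labels=LABELS):
    feats = session_histograms(packets)
    model = train_svm([(feats[k], labels[k]) for k in labels])
    return {k: predict(model, v) for k, v in feats.items()}
```

`classify_sessions()` trains on the four labelled sessions and returns the predicted label per session; the learned weights end up positive on the small-packet bins and negative on the near-MTU bin, which is the histogram signal the abstract refers to.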
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Kondo, S., Sato, N. (2007). Botnet Traffic Detection Techniques by C&C Session Classification Using SVM. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds) Advances in Information and Computer Security. IWSEC 2007. Lecture Notes in Computer Science, vol 4752. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75651-4_7
DOI: https://doi.org/10.1007/978-3-540-75651-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75650-7
Online ISBN: 978-3-540-75651-4