Anomaly-Based Detection of IRC Botnets by Means of One-Class Support Vector Classifiers
The complexity of modern cyber attacks calls for detection and classification techniques more sophisticated than the well-known signature-based approach. In practice, attackers try to deploy armies of controlled bots by infecting vulnerable hosts. Such bots are characterized by complex sets of executable commands, and they take part in cooperative and coordinated attacks. An effective detection technique should therefore rely on a suitable model of both the networking scenario under consideration and the attacks targeting it.
We address the problem of detecting botnets by describing a behavioral model for a specific class of network users, together with a set of features that can be used to identify botnet-related activities. Tests performed with an anomaly-based detection scheme on a set of real network traffic traces confirmed the effectiveness of the proposed approach.
Keywords: Infected Host, Control Channel, Normal Channel, Malicious User, Anomaly Score