
Exploiting Temporal Persistence to Detect Covert Botnet Channels

Conference paper, Recent Advances in Intrusion Detection (RAID 2009). Part of the book series Lecture Notes in Computer Science, volume 5758.

Abstract

We describe a method to detect botnet command and control (C&C) traffic at individual end-hosts. We introduce the notion of “destination traffic atoms”, which aggregate the destinations and services that a host communicates with. We then compute the “persistence”, a measure of temporal regularity that we propose in this paper, for each destination atom. Very persistent destination atoms are added to a host’s whitelist during a training period. Subsequently, we track the persistence of new destination atoms that are not already whitelisted in order to identify suspicious C&C destinations. A particularly novel aspect is that we track persistence at multiple timescales concurrently. Importantly, our method does not require any a priori information about the destinations, ports, or protocols used by the C&C communication, nor does it require payload inspection. We evaluate our system using extensive user traffic traces collected from an enterprise network, along with collected botnet traces.

We demonstrate that our method correctly identifies a botnet’s C&C traffic, even when it is very stealthy. We also show that filtering outgoing traffic with the constructed whitelists dramatically improves the performance of traditional anomaly detectors. Finally, we show that the C&C detection can be achieved with a very low false positive rate.
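The following is an added illustration of the whitelist-then-track workflow described in the abstract; it is not code from the paper. It assumes a simple reading of persistence (the fraction of consecutive fixed-length windows in which an atom is contacted, evaluated at several window sizes at once) and a simple atom key of (destination host, port); the paper’s exact definitions may differ. The traffic is constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[int, str, int]   # (timestamp in seconds, destination host, destination port)
Atom = Tuple[str, int]        # destination atom; (host, port) is an assumed key

TIMESCALES = (60, 300, 900)   # window lengths in seconds, tracked concurrently
PERIOD = 3600                 # length of the training period and of the test period
THRESHOLD = 0.6               # persistence at or above this counts as "persistent"


def persistence(flows: Iterable[Flow], start: int, timescales=TIMESCALES,
                period: int = PERIOD) -> Dict[Atom, Dict[int, float]]:
    """Per atom and per timescale: fraction of consecutive windows of that
    length inside [start, start + period) in which the atom was contacted."""
    windows_hit: Dict[Atom, Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for ts, host, port in flows:
        if start <= ts < start + period:
            for w in timescales:
                windows_hit[(host, port)][w].add((ts - start) // w)
    return {atom: {w: len(hit[w]) / -(-period // w) for w in timescales}
            for atom, hit in windows_hit.items()}


def build_whitelist(train: Iterable[Flow], start: int) -> Set[Atom]:
    """Training: atoms that are very persistent at any timescale are trusted."""
    return {atom for atom, s in persistence(train, start).items()
            if max(s.values()) >= THRESHOLD}


def find_suspicious(test: Iterable[Flow], start: int, whitelist: Set[Atom]):
    """Detection: only non-whitelisted atoms are tracked; persistent ones are flagged."""
    return {atom: s for atom, s in persistence(test, start).items()
            if atom not in whitelist and max(s.values()) >= THRESHOLD}


# Constructed sample traffic. Training hour: a mail client polls every
# 5 minutes; a news site is visited in one short burst.
TRAIN_FLOWS: List[Flow] = [(t, "mail.example.internal", 993) for t in range(0, PERIOD, 300)]
TRAIN_FLOWS += [(120, "news.example", 443), (130, "news.example", 443), (140, "news.example", 443)]

# Test hour (one day later): the same mail polling, a brief software update,
# and a slow beacon that contacts one host only once every 10 minutes.
TEST_START = 86400
TEST_FLOWS: List[Flow] = [(TEST_START + t, "mail.example.internal", 993) for t in range(0, PERIOD, 300)]
TEST_FLOWS += [(TEST_START + 50, "update.example", 80), (TEST_START + 55, "update.example", 80)]
TEST_FLOWS += [(TEST_START + t, "203.0.113.5", 8080) for t in range(0, PERIOD, 600)]

if __name__ == "__main__":
    whitelist = build_whitelist(TRAIN_FLOWS, 0)
    for atom, scores in find_suspicious(TEST_FLOWS, TEST_START, whitelist).items():
        print(atom, {w: round(p, 2) for w, p in scores.items()})
```

The beacon scores only 0.1 at the 60 s scale and 0.5 at 300 s, but 1.0 at the 900 s scale, which is why tracking several timescales concurrently matters for stealthy C&C.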




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg


Cite this paper

Giroire, F., Chandrashekar, J., Taft, N., Schooler, E., Papagiannaki, D. (2009). Exploiting Temporal Persistence to Detect Covert Botnet Channels. In: Kirda, E., Jha, S., Balzarotti, D. (eds) Recent Advances in Intrusion Detection. RAID 2009. Lecture Notes in Computer Science, vol 5758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04342-0_17


  • DOI: https://doi.org/10.1007/978-3-642-04342-0_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04341-3

  • Online ISBN: 978-3-642-04342-0
