Abstract
Defeating botnets is key to securing the Internet. Many cyber attacks are launched by botnets, including DDoS, spamming, click fraud and information theft. Although numerous methods have been proposed to detect botnets, botnet detection remains a challenging problem, as adversaries constantly improve their bots to make them stealthier. Existing anomaly-based detection mechanisms, particularly network-based approaches, are not sufficient to defend against sophisticated botnets, since they are too heavy or generate a non-negligible number of false alarms. Likewise, tracing attack sources is rarely achieved by existing mechanisms because of the pervasive use of source-concealment techniques such as IP spoofing and malicious proxies. In this paper, we propose a host-based mechanism that detects bots at the attack source. We monitor non-human-generated attack traffic and trace it back to the processes that generate it. The proposed mechanism effectively detects malicious bots irrespective of their structural characteristics, and it protects networks and system resources by shutting down attack traffic at its source. We evaluate our mechanism with eight real-life bot codes that have distinctive architectures, protocols and attack modules. In our experiments, the mechanism detects bot processes within around one second of the start of a flood attack or spam run, while generating no false alarms.
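As an added illustration of the idea the abstract describes (this is not the paper's code; the event format, the thresholds and the sample data are constructed assumptions), the toy host-side detector below correlates per-process outbound connection bursts with the time of the last keyboard or mouse input, flags flood-like or SMTP-heavy bursts that occur without recent human input, and reports the responsible process id:

```python
"""Toy host-side detector for non-human-generated attack traffic.

Each outbound connection is attributed to the process that opened it
(on a real host this would come from the kernel's socket/process tables).
A burst is treated as non-human when no keyboard/mouse input occurred in
the preceding HUMAN_GAP seconds. All event formats, thresholds and sample
values are constructed assumptions for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    ts: float        # seconds since monitor start (constructed)
    pid: int         # process that opened the connection
    dst_port: int    # destination port


HUMAN_GAP = 5.0          # seconds of input silence before traffic counts as non-human (assumption)
WINDOW = 1.0             # sliding-window length in seconds (assumption)
FLOOD_THRESHOLD = 50     # new connections per window considered flood-like (assumption)
SMTP_THRESHOLD = 10      # SMTP sessions per window considered spam-like (assumption)


def last_input_before(ts, input_ts):
    """Most recent human-input timestamp at or before ts, or None if there is none."""
    earlier = [t for t in input_ts if t <= ts]
    return max(earlier) if earlier else None


def detect(net_events, input_ts):
    """Return {pid: reason} for processes whose traffic looks like a flood or
    spam run and is not preceded by human input within HUMAN_GAP seconds."""
    flagged = {}
    recent = defaultdict(deque)   # pid -> timestamps of connections inside WINDOW
    smtp = defaultdict(deque)     # pid -> timestamps of SMTP connections inside WINDOW

    for ev in sorted(net_events, key=lambda e: e.ts):
        # Maintain the per-process sliding windows.
        q = recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > WINDOW:
            q.popleft()
        if ev.dst_port == 25:
            s = smtp[ev.pid]
            s.append(ev.ts)
            while s and ev.ts - s[0] > WINDOW:
                s.popleft()

        if ev.pid in flagged:
            continue
        last = last_input_before(ev.ts, input_ts)
        if last is not None and ev.ts - last <= HUMAN_GAP:
            continue  # a human was active; do not treat the burst as bot traffic

        if len(q) >= FLOOD_THRESHOLD:
            flagged[ev.pid] = "flood"
        elif len(smtp[ev.pid]) >= SMTP_THRESHOLD:
            flagged[ev.pid] = "spam"
    return flagged


def sample_run():
    """Constructed scenario: a browser burst right after a click, a bot flood
    with no user present, and a spam sender opening many SMTP sessions."""
    human_input = [9.5]  # one click at t=9.5 s (constructed)
    events = []
    # pid 1001: 60 page-asset connections shortly after the click -> human-generated
    events += [NetEvent(10.0 + i * 0.01, 1001, 443) for i in range(60)]
    # pid 2002: 60 connections in 0.6 s, long after any input -> flood
    events += [NetEvent(100.0 + i * 0.01, 2002, 80) for i in range(60)]
    # pid 3003: 12 SMTP sessions in 0.6 s with no input -> spam
    events += [NetEvent(200.0 + i * 0.05, 3003, 25) for i in range(12)]
    return detect(events, human_input)


if __name__ == "__main__":
    for pid, reason in sample_run().items():
        print(f"pid {pid}: non-human {reason} traffic detected")
```

The browser process is exempted because its burst follows a user action inside the grace period; the two other processes produce comparable bursts with no human input and are attributed by process id, which is what lets a host-side mechanism stop the traffic at its source rather than at a network sensor.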
© 2011 Springer-Verlag Berlin Heidelberg
Kwon, J., Lee, J., Lee, H. (2011). Hidden Bot Detection by Tracing Non-human Generated Traffic at the Zombie Host. In: Bao, F., Weng, J. (eds) Information Security Practice and Experience. ISPEC 2011. Lecture Notes in Computer Science, vol 6672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21031-0_26
DOI: https://doi.org/10.1007/978-3-642-21031-0_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21030-3
Online ISBN: 978-3-642-21031-0