
Part of the book series: Smart Innovation, Systems and Technologies ((SIST,volume 21))

Abstract

Botnets are among the most threatening attacks seen recently. Web-based botnet attacks are serious because attackers exploit HTTP connections to hide malicious transmissions within a vast amount of normal traffic, where they are not easily detected. In addition, by integrating fast-flux domain technology, a botnet may use a web server to issue attack commands and fast-flux technology to extend the lifespan of the malicious website. This study conducts anomalous flow analysis on web-based botnets and explores the effect of fast-flux domains. The proposed detection mechanism examines flow traffic and web domains to identify a botnet that either uses HTTP as its command and control channel or uses fast-flux domains for cloaking. Based on experiments in both testbed and real network environments, the results prove that the proposed method can effectively identify these botnets.



Author information


Corresponding author

Correspondence to Chia-Mei Chen.


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chen, CM., Huang, MZ., Ou, YH. (2013). Detecting Web-Based Botnets with Fast-Flux Domains. In: Pan, JS., Yang, CN., Lin, CC. (eds) Advances in Intelligent Systems and Applications - Volume 2. Smart Innovation, Systems and Technologies, vol 21. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35473-1_9


  • DOI: https://doi.org/10.1007/978-3-642-35473-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35472-4

  • Online ISBN: 978-3-642-35473-1

  • eBook Packages: Engineering, Engineering (R0)
