Abstract
Botnets are widely used in cyber-attacks and have become a serious threat to network security. Existing approaches can detect botnets effectively in certain environments; however, problems remain when host-based or network-based detection approaches are used on their own, such as the robustness of the detection tools, the difficulty of global deployment, and a low precision rate. To address these problems, a novel detection approach called BotInfer is proposed. In BotInfer, host-based bot detection tools are deployed on a subset of the hosts; the network flows of all hosts are captured and analyzed; and the host detection results and the flow information are correlated by a bot inference engine. Experiments show that BotInfer can effectively detect bot hosts in the network. When the deployment rate of bot detection tools in the network reaches 80%, the precision rate for hosts with detection tools is about 99%, and the precision rate for hosts without detection tools is about 86%.
Supported by the National Natural Science Foundation of China under Grant No. 61170265; Fundamental Research Fund of Jilin University under Grant No. 201003035, No. 201103253.
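The correlation idea in the abstract, shown as an added illustration that is not the paper's own inference engine: verdicts from host-based tools on a few hosts are propagated to hosts without tools by comparing their flow destinations. The scoring (Jaccard overlap of non-allowlisted destinations with those of confirmed bots), the allowlist, the flow records and the verdicts are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not from the paper): (source host, destination
# endpoint) pairs, the kind of summary a NetFlow collector yields for every host.
FLOWS = [
    ("h1", "203.0.113.7:6667"), ("h1", "198.51.100.20:443"),
    ("h2", "203.0.113.7:6667"), ("h2", "203.0.113.9:8080"),
    ("h3", "198.51.100.20:443"), ("h3", "198.51.100.21:443"),
    ("h4", "203.0.113.7:6667"), ("h4", "203.0.113.9:8080"),  # no tool deployed
    ("h5", "198.51.100.20:443"), ("h5", "198.51.100.22:80"),   # no tool deployed
]
# Constructed verdicts from the host-based tools on the hosts that have one.
HOST_VERDICTS = {"h1": True, "h2": True, "h3": False}
# Assumed allowlist of popular/benign destinations that must not drive correlation.
ALLOWLIST = {"198.51.100.20:443"}


def destinations_by_host(flows, allowlist=ALLOWLIST):
    """Group destination endpoints per source host, dropping allowlisted ones."""
    dests = defaultdict(set)
    for host, dst in flows:
        if dst not in allowlist:
            dests[host].add(dst)
    return dests


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def infer_bots(flows, verdicts, threshold=0.5):
    """Label hosts without a detection tool by how much their destination set
    overlaps with the destinations of hosts the tools flagged as bots.
    Assumed scoring for illustration, not the paper's inference engine."""
    dests = destinations_by_host(flows)
    bot_dests = set().union(*(dests[h] for h, is_bot in verdicts.items() if is_bot))
    inferred = {}
    for host, d in dests.items():
        if host in verdicts:          # host has a tool; its verdict is authoritative
            continue
        inferred[host] = jaccard(d, bot_dests) >= threshold
    return inferred


def precision(predicted, truth):
    """Fraction of hosts flagged as bots that really are bots (the abstract's metric)."""
    flagged = [h for h, v in predicted.items() if v]
    if not flagged:
        return 0.0
    return sum(truth[h] for h in flagged) / len(flagged)
```

Running `infer_bots(FLOWS, HOST_VERDICTS)` flags h4 (same two C2-like destinations as the confirmed bots) and clears h5, whose only non-allowlisted destination is shared with no bot.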
© 2013 IFIP International Federation for Information Processing
Cite this paper
He, Y., Li, Q., Ji, Y., Guo, D. (2013). BotInfer: A Bot Inference Approach by Correlating Host and Network Information. In: Hsu, CH., Li, X., Shi, X., Zheng, R. (eds) Network and Parallel Computing. NPC 2013. Lecture Notes in Computer Science, vol 8147. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40820-5_30
DOI: https://doi.org/10.1007/978-3-642-40820-5_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40819-9
Online ISBN: 978-3-642-40820-5