
Data Confirmation for Botnet Traffic Analysis

Conference paper: Foundations and Practice of Security (FPS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8930)

Abstract

In this paper, we propose a systematic approach to generate botnet traffic. Given the lack of benchmarking botnet traffic data, we anticipate that such an endeavour will be beneficial to the research community. To this end, we employ the proposed approach to generate the communication phase of the Zeus and Citadel botnet traffic as a case study. We evaluate the characteristics of the generated data against the characteristics of a sandbox Zeus botnet, as well as the Zeus and Citadel botnet captures in the wild provided by NETRESEC and Snort. Our analysis confirms that the generated data is comparable to the data captured in the wild.


Notes

  1. Since these test data sets are one-class data sets (only malicious), there is no TNR (true negative rate) and no FPR (false positive rate).

References

  1. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232–249. Springer, Heidelberg (2009)

  2. Kirubavathi Venkatesh, G., Anitha Nadarajan, R.: HTTP botnet detection using adaptive learning rate multilayer feed-forward neural network. In: Askoxylakis, I., Pöhls, H.C., Posegga, J. (eds.) WISTP 2012. LNCS, vol. 7322, pp. 38–48. Springer, Heidelberg (2012)

  3. Strayer, W.T., Lapsely, D., Walsh, R., Livadas, C.: Botnet detection based on network behavior. Adv. Inf. Secur. 36, 1–24 (2008)

  4. Haddadi, F., Runkel, D., Zincir-Heywood, A.N., Heywood, M.I.: On botnet behaviour analysis using GP and C4.5. In: GECCO Comp, pp. 1253–1260 (2014)

  5. Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: 17th USENIX Security Symposium, pp. 139–154 (2008)

  6. Zhao, D., Traore, I., Ghorbani, A., Sayed, B., Saad, S., Lu, W.: Peer to peer botnet detection based on flow intervals. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) Information Security and Privacy Research. IFIP Advances in Information and Communication Technology, vol. 376, pp. 87–102. Springer, Heidelberg (2012)

  7. François, J., Wang, S., State, R., Engel, T.: BotTrack: tracking botnets using NetFlow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1–14. Springer, Heidelberg (2011)

  8. Haddadi, F., Morgan, J., Filho, E.G., Zincir-Heywood, A.N.: Botnet behaviour analysis using IP flows with HTTP filters using classifiers. In: Seventh International Workshop on Bio and Intelligent Computing, pp. 7–12 (2014)

  9. Zeus Tracker. https://zeustracker.abuse.ch/

  10. DNS-BH Malware Domain Blocklist. http://www.malwaredomains.com/

  11. Alexa. http://www.alexa.com/topsites

  12. Publicly available PCAP files. http://www.netresec.com/?page=PcapFiles

  13. Zeus Trojan Analysis. https://labs.snort.org/papers/zeus.html

  14. Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L.: On the analysis of the Zeus botnet crimeware toolkit. In: Eighth Annual International Conference on Privacy, Security and Trust, pp. 31–38 (2010)

  15. Softflowd project. http://www.mindrot.org/projects/softflowd/

  16. Cisco IOS NetFlow. http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html

  17. Haddadi, F., Zincir-Heywood, A.N.: Data confirmation for botnet traffic analysis. Technical report (2014). https://www.cs.dal.ca/research/techreports/cs-2014-01

Acknowledgments

This research is supported by a Natural Sciences and Engineering Research Council of Canada (NSERC) grant and is conducted as part of the Dalhousie NIMS Lab at https://projects.cs.dal.ca/projectx/.

Corresponding author: Fariba Haddadi

© 2015 Springer International Publishing Switzerland

Cite this paper

Haddadi, F., Zincir-Heywood, A.N. (2015). Data Confirmation for Botnet Traffic Analysis. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science, vol. 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_21

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17039-8

  • Online ISBN: 978-3-319-17040-4