Abstract
In this paper, we propose a systematic approach to generate botnet traffic. Given the lack of benchmarking botnet traffic data, we anticipate that such an endeavour will be beneficial to the research community. To this end, we employ the proposed approach to generate the communication phase of the Zeus and Citadel botnet traffic as a case study. We evaluate the characteristics of the generated data against the characteristics of a sandbox Zeus botnet, as well as the Zeus and Citadel botnet captures in the wild provided by NETRESEC and Snort. Our analysis confirms that the generated data is comparable to the data captured in the wild.
Notes
1. Since these test data sets are one-class data sets (only malicious), there is no TNR and FPR.
Acknowledgments
This research is supported by the Natural Science and Engineering Research Council of Canada (NSERC) grant, and is conducted as part of the Dalhousie NIMS Lab at https://projects.cs.dal.ca/projectx/.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Haddadi, F., Zincir-Heywood, A.N. (2015). Data Confirmation for Botnet Traffic Analysis. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science, vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_21
DOI: https://doi.org/10.1007/978-3-319-17040-4_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17039-8
Online ISBN: 978-3-319-17040-4