  • DocumentCode
    1716863
  • Title
    Detecting Botnets with Tight Command and Control
  • Author
    Strayer, W. Timothy ; Walsh, Robert ; Livadas, Carl ; Lapsley, David
  • Author_Institution
    BBN Technol., Cambridge, MA
  • fYear
    2006
  • Firstpage
    195
  • Lastpage
    202
  • Abstract
    Systems are attempting to detect botnets by examining traffic content for IRC commands or by setting up honeynets. Our approach for detecting botnets is to examine flow characteristics such as bandwidth, duration, and packet timing, looking for evidence of botnet command and control activity. We have constructed an architecture that first eliminates traffic that is unlikely to be a part of a botnet, classifies the remaining traffic into a group that is likely to be part of a botnet, then correlates the likely traffic to find common communication patterns that would suggest the activity of a botnet. Our results show that botnet evidence can be extracted from a traffic trace containing almost 9 million flows.
  • Keywords
    distributed processing; security of data; telecommunication traffic; IRC commands; botnets detection; command and control; communication patterns; communication traffic; honeynets; Bandwidth; Command and control systems; Communication system traffic control; Computer networks; Control systems; Government; Hospitals; Information security; Internet; Timing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Local Computer Networks, Proceedings 2006 31st IEEE Conference on
  • Conference_Location
    Tampa, FL
  • ISSN
    0742-1303
  • Print_ISBN
    1-4244-0418-5
  • Electronic_ISBN
    0742-1303
  • Type
    conf
  • DOI
    10.1109/LCN.2006.322100
  • Filename
    4116547