C&C tracer: Botnet command and control behavior tracing

The Botnet command and control (C&C) behavior becomes more and more dynamic and rapid so that information security analyst is difficult to capture the Botnet behavior in real time. In this work, we proposed a Botnet C&C behavior tracing system (naming C&C Tracer) for capturing the Botnet C&C behavior. The C&C Tracer consists of three components, such as: C&C active behavior feature extracting (CAFE), domain name status querying (DNSQ) and C&C status tracing analyzer (CSTA). In CAFE, different sources of Botnet URLs with diverse representing formats could be parsed for behavior feature generation. According to the parsed URLs, DNSQ can automatic query the C&C domains to the online domain name resolution repository and extract the domain name resolution result. Finally, CSTA considers different observed C&C live and active ability and schedules the tracing strategies. The proposed system not only can incorporate different public blacklist of Botnet C&C, but also dynamically tracing the Botnet C&C behavior for expanding the blacklist in time. This system is fully implemented and operating in real network environment since 2009. The C&C Tracer can reduce the non-active C&C domain name close to 80% with only 0.69% false postive rate. We demonstrate the real cases that identify the Botnet C&C servers by C&C tracer for showing the effectiveness of proposed system.