Title :
C&C tracer: Botnet command and control behavior tracing
Author :
Tsai, Meng-Han ; Chang, Kai-Chi ; Lin, Chang-Cheng ; Mao, Ching-Hao ; Lee, Huey-Ming
Author_Institution :
Project Resource Div., Inst. for Inf. Ind., Taipei, Taiwan
Abstract :
Botnet command and control (C&C) behavior has become so dynamic and rapid that information security analysts find it difficult to capture Botnet behavior in real time. In this work, we propose a Botnet C&C behavior tracing system (named C&C Tracer) for capturing Botnet C&C behavior. The C&C Tracer consists of three components: C&C active behavior feature extracting (CAFE), domain name status querying (DNSQ) and C&C status tracing analyzer (CSTA). In CAFE, Botnet URLs from different sources and in diverse representation formats are parsed for behavior feature generation. Based on the parsed URLs, DNSQ automatically queries the C&C domains against an online domain name resolution repository and extracts the resolution results. Finally, CSTA considers the observed liveness and activity of each C&C and schedules the tracing strategies accordingly. The proposed system can not only incorporate different public blacklists of Botnet C&C servers, but also dynamically trace Botnet C&C behavior to expand the blacklist in time. The system has been fully implemented and has been operating in a real network environment since 2009. The C&C Tracer can reduce non-active C&C domain names by close to 80% with only a 0.69% false positive rate. We demonstrate real cases in which C&C Tracer identified Botnet C&C servers, showing the effectiveness of the proposed system.
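The three-stage pipeline the abstract describes (parse heterogeneous blacklist entries, resolve the domains, then schedule re-checks by observed liveness), sketched as an added example that is not the authors' code; the entry formats, the fake resolver table and the back-off and retirement thresholds are assumptions made for illustration:

```python
from urllib.parse import urlsplit

# Constructed blacklist entries in the mixed formats a CAFE-like parser must handle
SAMPLE_ENTRIES = [
    "http://bad-example.test/gate.php",
    "evil-example.test:8080",
    "c2-example.test",
    "https://bad-example.test:443/panel",  # same host as the first entry
    "# comment line",
]

# Constructed resolver results standing in for DNSQ's online repository lookup
FAKE_DNS = {
    "bad-example.test": ["203.0.113.10"],
    "evil-example.test": [],               # no A record: domain currently dead
    "c2-example.test": ["198.51.100.7"],
}


def extract_domains(entries):
    """CAFE-like step: normalise full URLs, host:port pairs and bare hosts to a domain set."""
    domains = set()
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:             # let urlsplit treat bare hosts as a netloc
            line = "//" + line
        host = urlsplit(line).hostname
        if host:
            domains.add(host.lower())
    return domains


def query_status(domains, resolve):
    """DNSQ-like step: resolve each domain (resolver injected) and record liveness."""
    status = {}
    for domain in sorted(domains):
        ips = resolve(domain)
        status[domain] = {"ips": ips, "live": bool(ips)}
    return status


def schedule(status, failures, base=3600, max_fail=3):
    """CSTA-like step: live domains keep a short re-check interval (seconds); domains
    that keep failing to resolve back off exponentially and are retired (None) after
    max_fail consecutive misses, i.e. they become candidates for non-active pruning."""
    plan = {}
    for domain, s in status.items():
        failures[domain] = 0 if s["live"] else failures.get(domain, 0) + 1
        plan[domain] = None if failures[domain] >= max_fail else base * 2 ** failures[domain]
    return plan
```

Call `schedule` once per tracing round with the same `failures` dict so that the retirement decision accumulates across rounds.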
Keywords :
computer network security; feature extraction; Botnet command and control; C&C active behavior feature extraction; C&C status tracing analyzer; behavior tracing; domain name status querying; feature generation; information security analyst; Data mining; Databases; Feature extraction; IP networks; Labeling; Real time systems; Servers; Botnet; behavior tracing; command and control; domain name; network security
Conference_Titel :
2011 IEEE International Conference on Systems, Man, and Cybernetics (SMC)
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4577-0652-3
DOI :
10.1109/ICSMC.2011.6083942