• DocumentCode
    2888374
  • Title
    Efficient Detection of Bots in Subscribers' Computers
  • Author
    Brustoloni, José ; Farnan, Nicholas ; Villamarín-Salomón, Ricardo ; Kyle, David
  • Author_Institution
    Dept. of Comput. Sci., Univ. of Pittsburgh, Pittsburgh, PA, USA
  • fYear
    2009
  • fDate
    14-18 June 2009
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    We investigate how an ISP can efficiently detect bots in its subscribers' computers, possibly as a value-added service or to prevent collateral damage to its infrastructure. By causing an ISP's email servers and network links to get clogged or blacklisted, bots reduce the quality of service the ISP provides to its subscribers. We describe DNS Flagger, a novel device for ISP bot detection, and evaluate its efficiency. DNS Flagger matches subscribers' DNS traffic against IP and DNS signatures. In real-time experiments, we found that, on average, major anti-virus programs (AVs) detected only 59% of freshly caught bots, while DNS Flagger detected 73.1% of those bots on hosts without a major AV and 91% on hosts that also ran a major AV. There were no false alarms. Because its processing involves only a small fraction of all network traffic and can be performed at very high speed, a single DNS Flagger can handle hundreds of thousands of subscribers.
  • Keywords
    Internet; digital signatures; quality of service; security of data; telecommunication traffic; DNS flagger; DNS signature; IP signature; ISP bot detection; Internet service provider; antivirus program; email server; network links; network traffic; quality of service; subscriber computer; Communications Society; Computer worms; Home computing; Information analysis; Network servers; Peer to peer computing; Quality of service; Telecommunication traffic; Viruses (medical); Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications, 2009. ICC '09. IEEE International Conference on
  • Conference_Location
    Dresden
  • ISSN
    1938-1883
  • Print_ISBN
    978-1-4244-3435-0
  • Electronic_ISBN
    1938-1883
  • Type
    conf
  • DOI
    10.1109/ICC.2009.5198970
  • Filename
    5198970