Abstract
Botnets are collections of compromised computers that have been brought under the control of a malicious person or organisation by malicious software installed on them, and which can then be used to interfere with, misuse or deny access to a wide range of Internet-based services. With the current trend towards increasing use of the Internet to support banking, commerce, healthcare and public administration, it is vital to be able to detect and neutralise botnets so that these activities can continue unhindered. In this paper we present an overview of existing botnet detection techniques and argue why a new, composite detection approach is needed to provide efficient and effective neutralisation of botnets. This approach should combine existing detection efforts into a collaborative botnet protection framework that receives input from a range of different sources, such as packet sniffers, on-access anti-virus software, and behavioural analysis of network traffic, computer sub-systems and application programs. Finally, we introduce ContraBot, a collaborative botnet detection framework which combines approaches that analyse network traffic to identify patterns of botnet activity with approaches that analyse software to detect items that are capable of behaving maliciously.
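The abstract describes a framework that fuses evidence from network-side sensors (packet sniffers, traffic behaviour analysis) with host-side sensors (on-access anti-virus, sub-system and application behaviour). The following Python is an added illustration of that kind of multi-source correlation, written for this page; it is not ContraBot's code and the paper does not describe its algorithm. The sensor class names, weights, window and threshold are hypothetical, and the evidence events are constructed sample input. The rule it demonstrates is the one a practitioner cares about: a host is flagged only when independent sensor classes agree within a time window, so a single chatty sensor cannot flag a host by itself.

```python
"""Minimal multi-source evidence correlation for bot detection.

Added illustration for this page, not ContraBot's code. Sensor classes,
weights, window and threshold are hypothetical assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical sensor classes, grouped by where they observe.
NETWORK = {"packet_sniffer", "dns_monitor", "flow_analysis"}
HOST = {"on_access_av", "process_monitor"}

WINDOW = 600        # correlate evidence within 10 minutes (assumed)
THRESHOLD = 1.2     # combined score needed to flag a host (assumed)


@dataclass(frozen=True)
class Evidence:
    ts: int          # seconds since epoch
    host: str        # internal host the evidence concerns
    sensor: str      # sensor class that produced it
    indicator: str   # short description of what was seen
    weight: float    # sensor-assigned confidence, 0..1


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (score, sorted indicators)} for hosts whose evidence,
    within one window, comes from at least one NETWORK and one HOST sensor
    and sums to at least `threshold`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        # Sliding window: treat each event as a candidate window start.
        for i, start in enumerate(evs):
            group = [e for e in evs[i:] if e.ts - start.ts <= window]
            sensors = {e.sensor for e in group}
            # Independence requirement: network AND host evidence.
            if not (sensors & NETWORK and sensors & HOST):
                continue
            # Count each sensor once (its strongest hit), so repeated
            # alerts from one sensor do not inflate the score.
            per_sensor = {}
            for e in group:
                per_sensor[e.sensor] = max(per_sensor.get(e.sensor, 0.0), e.weight)
            score = round(sum(per_sensor.values()), 2)
            if score >= threshold and (best is None or score > best[0]):
                best = (score, sorted({e.indicator for e in group}))
        if best is not None:
            flagged[host] = best
    return flagged


def sample_events():
    """Constructed sample evidence covering the cases the rule distinguishes."""
    return [
        # 10.0.0.11: network + host evidence inside one window -> flagged
        Evidence(100, "10.0.0.11", "dns_monitor", "burst of NXDOMAIN lookups", 0.5),
        Evidence(200, "10.0.0.11", "packet_sniffer", "IRC-style NICK/JOIN on non-standard port", 0.6),
        Evidence(300, "10.0.0.11", "on_access_av", "known bot binary written to disk", 0.8),
        # 10.0.0.12: one network sensor firing repeatedly, no host evidence -> not flagged
        Evidence(100, "10.0.0.12", "dns_monitor", "burst of NXDOMAIN lookups", 0.5),
        Evidence(150, "10.0.0.12", "dns_monitor", "burst of NXDOMAIN lookups", 0.5),
        Evidence(200, "10.0.0.12", "dns_monitor", "burst of NXDOMAIN lookups", 0.5),
        # 10.0.0.13: network and host evidence, but hours apart -> not flagged
        Evidence(100, "10.0.0.13", "packet_sniffer", "periodic beacon to single IP", 0.6),
        Evidence(5000, "10.0.0.13", "on_access_av", "known bot binary written to disk", 0.8),
        # 10.0.0.14: both classes agree but combined confidence is low -> not flagged
        Evidence(100, "10.0.0.14", "packet_sniffer", "periodic beacon to single IP", 0.4),
        Evidence(200, "10.0.0.14", "process_monitor", "unsigned process opened raw socket", 0.3),
    ]


if __name__ == "__main__":
    for host, (score, indicators) in correlate(sample_events()).items():
        print(f"{host}: score={score} indicators={indicators}")
```

Running the block flags only 10.0.0.11 (score 1.9); the host with repeated DNS alerts, the host whose evidence falls outside the window, and the host with weak agreement are all left alone. In a real deployment the weights would come from each sensor's measured precision and the per-host state would be kept in a store rather than recomputed over a list.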
© 2012 IFIP International Federation for Information Processing
Cite this paper
Stevanovic, M., Revsbech, K., Pedersen, J.M., Sharp, R., Jensen, C.D. (2012). A Collaborative Approach to Botnet Protection. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_47
Print ISBN: 978-3-642-32497-0
Online ISBN: 978-3-642-32498-7