TY - GEN
T1 - Flow-based identification of botnet traffic by mining multiple log files
AU - Masud, Mohammad M.
AU - Al-khateeb, Tahseen
AU - Khan, Latifur
AU - Thuraisingham, Bhavani
AU - Hamlen, Kevin W.
PY - 2008
Y1 - 2008
N2 - Botnet detection and disruption has been a major research topic in recent years. One effective technique for botnet detection is to identify Command and Control (C&C) traffic, which is sent from a C&C center to infected hosts (bots) to control the bots. If this traffic can be detected, both the C&C center and the bots it controls can be detected and the botnet can be disrupted. We propose a multiple log-file based temporal correlation technique for detecting C&C traffic. Our main assumption is that bots respond much faster than humans. By temporally correlating two host-based log files, we are able to detect this property and thereby detect bot activity in a host machine. In our experiments we apply this technique to log files produced by tcpdump and exedump, which record all incoming and outgoing network packets, and the start times of application executions at the host machine, respectively. We apply data mining to extract relevant features from these log files and detect C&C traffic. Our experimental results validate our assumption and show better overall performance when compared to other recently published techniques.
KW - Botnet
KW - Data mining
KW - Intrusion detection
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=63749106613&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=63749106613&partnerID=8YFLogxK
U2 - 10.1109/ICDFMA.2008.4784437
DO - 10.1109/ICDFMA.2008.4784437
M3 - Conference contribution
AN - SCOPUS:63749106613
SN - 9781424423132
T3 - 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008
SP - 200
EP - 206
BT - 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008
T2 - 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008
Y2 - 21 October 2008 through 22 October 2008
ER -