Flow-based identification of botnet traffic by mining multiple log files

Mohammad M. Masud, Tahseen Al-khateeb, Latifur Khan, Bhavani Thuraisingham, Kevin W. Hamlen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

56 Citations (Scopus)

Abstract

Botnet detection and disruption has been a major research topic in recent years. One effective technique for botnet detection is to identify Command and Control (C&C) traffic, which is sent from a C&C center to infected hosts (bots) to control the bots. If this traffic can be detected, both the C&C center and the bots it controls can be detected and the botnet can be disrupted. We propose a multiple log-file based temporal correlation technique for detecting C&C traffic. Our main assumption is that bots respond much faster than humans. By temporally correlating two host-based log files, we are able to detect this property and thereby detect bot activity in a host machine. In our experiments we apply this technique to log files produced by tcpdump and exedump, which record all incoming and outgoing network packets, and the start times of application executions at the host machine, respectively. We apply data mining to extract relevant features from these log files and detect C&C traffic. Our experimental results validate our assumption and show better overall performance when compared to other recently published techniques.
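The temporal correlation the abstract describes, as an added illustration that is not the paper's code: a packet log and a process-start log are joined on time, and for each peer the fastest inbound-to-outbound reply and the fastest inbound-to-process-start delay become flow features; peers that are answered faster than a human could react are flagged. The log layouts, sample lines, thresholds and function names are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (assumed layouts, not the paper's formats): packet log is "<timestamp> <in|out> <peer:port>", exe log is "<timestamp> <program>".
PACKET_LOG = """\
2008-10-21T10:00:00.000 in 198.51.100.7:6667
2008-10-21T10:00:00.120 out 198.51.100.7:6667
2008-10-21T10:00:05.000 in 198.51.100.7:6667
2008-10-21T10:00:05.090 out 198.51.100.7:6667
2008-10-21T10:01:00.000 in 203.0.113.10:443
2008-10-21T10:01:04.500 out 203.0.113.10:443
"""
EXE_LOG = """\
2008-10-21T10:00:00.200 update.exe
2008-10-21T10:03:00.000 browser.exe
"""
def parse_packets(text):
    """Yield (timestamp, direction, peer) for each packet-log line."""
    for line in text.splitlines():
        ts, direction, peer = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), direction, peer
def parse_execs(text):
    """Yield (timestamp, program) for each process-start log line."""
    for line in text.splitlines():
        ts, program = line.split(maxsplit=1)
        yield datetime.fromisoformat(ts), program
def flow_features(packet_text, exec_text):
    """Per peer: inbound count, fastest inbound->outbound reply and fastest inbound->process-start delay (seconds, None if never seen)."""
    packets = list(parse_packets(packet_text))
    starts = sorted(ts for ts, _ in parse_execs(exec_text))
    feats = defaultdict(lambda: {"inbound": 0, "min_reply": None, "min_exec": None})
    for i, (ts, direction, peer) in enumerate(packets):
        if direction != "in":
            continue
        f = feats[peer]
        f["inbound"] += 1
        reply = next((t for t, d, p in packets[i + 1:] if d == "out" and p == peer), None)
        start = next((t for t in starts if t >= ts), None)  # next process start on the host
        for key, later in (("min_reply", reply), ("min_exec", start)):
            if later is not None:
                delay = (later - ts).total_seconds()
                f[key] = delay if f[key] is None else min(f[key], delay)
    return dict(feats)

def suspicious_peers(feats, reply_threshold=0.5, exec_threshold=1.0):
    """Flag peers answered, or followed by a process start, faster than a human reaction (thresholds are assumed)."""
    return sorted(p for p, f in feats.items()
                  if (f["min_reply"] is not None and f["min_reply"] < reply_threshold)
                  or (f["min_exec"] is not None and f["min_exec"] < exec_threshold))
```

The per-peer dictionaries are the kind of feature vector a classifier would be trained on; the fixed thresholds stand in for that learned decision boundary.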

Original language: English
Title of host publication: 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008
Pages: 200-206
Number of pages: 7
DOIs
Publication status: Published - 2008
Externally published: Yes
Event: 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008 - Penang, Malaysia
Duration: Oct 21 2008 to Oct 22 2008

Publication series

Name: 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008

Other

Other: 2008 1st International Conference on Distributed Frameworks and Application, DFmA 2008
Country/Territory: Malaysia
City: Penang
Period: 10/21/08 to 10/22/08

Keywords

  • Botnet
  • Data mining
  • Intrusion detection
  • Malware

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Computer Science Applications
  • Software
