Botnet identification via universal anomaly detection

Shachar Siboni, Asaf Cohen

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

    7 Scopus citations

    Abstract

    The problem of identifying and detecting Botnet Command and Control (C&C) channels is considered. A Botnet is a logical network of compromised machines (Bots) which are remotely controlled by an attacker (Botmaster) using a C&C infrastructure in order to perform malicious activities. Accordingly, a key objective is to identify and block the C&C before any real harm is caused. We propose an anomaly detection algorithm and apply it to timing data, which can be collected without deep inspection, from open as well as encrypted flows. The suggested algorithm utilizes the Lempel-Ziv universal compression algorithm in order to optimally assign a probability to normal traffic (during learning), then estimate the likelihood of new sequences (during operation) and classify them accordingly. Furthermore, the algorithm is generic and can be applied to any sequence of events, not necessarily traffic-related. We evaluate the detection algorithm on real-world network traces, showing how a universal, low-complexity C&C identification system can be built, with high detection rates for a given false-alarm probability.
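The abstract describes a learn-then-operate scheme: an LZ78 parse of normal timing data provides the probability assignment, and new sequences are scored by their likelihood under that model. The following is an added illustration of that idea, not the authors' code and not their data: it quantizes inter-arrival times into a four-letter alphabet (the bin edges are an assumption), builds the LZ78 phrase tree with visit counts from constructed "normal" traffic, assigns each new symbol a Krichevsky-Trofimov probability from the counts at the current tree node (an assumed smoothing choice), and flags a window whose code length in bits per symbol exceeds a threshold calibrated on held-out normal traffic for a target false-alarm rate. The beaconing sample (long, near-constant gaps) is likewise constructed for the example.

```python
"""LZ78-tree probability assignment for timing-based anomaly detection.
Added example: bin edges, KT smoothing and sample traffic are assumptions,
not the paper's parameters or data."""
import math
import random

# Quantize inter-arrival times (seconds) into a small alphabet of bins.
BIN_EDGES = (0.1, 1.0, 10.0)          # <0.1s, 0.1-1s, 1-10s, >=10s
ALPHABET_SIZE = len(BIN_EDGES) + 1


def quantize(gaps):
    """Map inter-arrival times to symbols 0..ALPHABET_SIZE-1."""
    syms = []
    for g in gaps:
        s = 0
        while s < len(BIN_EDGES) and g >= BIN_EDGES[s]:
            s += 1
        syms.append(s)
    return syms


class LZNode:
    __slots__ = ("children", "count")

    def __init__(self):
        self.children = {}   # symbol -> LZNode
        self.count = 0       # training phrases that reached this node


class LZModel:
    """Learning: LZ78-parse the training sequence, keeping visit counts on the
    phrase tree. Operation: walk the fixed tree and give each symbol a
    Krichevsky-Trofimov probability from the child counts at the current node."""

    def __init__(self):
        self.root = LZNode()

    def train(self, symbols):
        node = self.root
        for s in symbols:
            child = node.children.get(s)
            if child is None:            # new phrase: add a leaf, restart at root
                child = LZNode()
                node.children[s] = child
                child.count += 1
                node = self.root
            else:
                child.count += 1
                node = child

    def prob(self, node, s):
        """P(s | node) via the KT estimator; sums to 1 over the alphabet, so
        -log2 of it is a proper sequential code length."""
        total = sum(c.count for c in node.children.values())
        cs = node.children[s].count if s in node.children else 0
        return (cs + 0.5) / (total + 0.5 * ALPHABET_SIZE)

    def score(self, symbols):
        """Average code length (bits/symbol) of `symbols` under the model;
        higher means less like the learned normal traffic."""
        node = self.root
        bits = 0.0
        for s in symbols:
            bits -= math.log2(self.prob(node, s))
            node = node.children.get(s, self.root)   # unseen context: restart
        return bits / len(symbols)


def sample_gaps(rng, n):
    """Constructed 'normal' host traffic: mostly short gaps, rare idle periods."""
    gaps = []
    for _ in range(n):
        r = rng.random()
        if r < 0.55:
            gaps.append(rng.uniform(0.001, 0.1))
        elif r < 0.90:
            gaps.append(rng.uniform(0.1, 1.0))
        elif r < 0.98:
            gaps.append(rng.uniform(1.0, 10.0))
        else:
            gaps.append(rng.uniform(10.0, 120.0))
    return gaps


def beacon_gaps(rng, n, period=60.0, jitter=2.0):
    """Constructed C&C-style beaconing: near-constant long gaps."""
    return [period + rng.uniform(-jitter, jitter) for _ in range(n)]


def calibrate_threshold(model, symbols, window, false_alarm=0.05):
    """Threshold = (1 - false_alarm) quantile of window scores on held-out normal data."""
    scores = sorted(model.score(symbols[i:i + window])
                    for i in range(0, len(symbols) - window + 1, window))
    idx = min(len(scores) - 1, math.ceil((1 - false_alarm) * len(scores)) - 1)
    return scores[idx]


def build_detector(seed=7, window=50):
    rng = random.Random(seed)
    model = LZModel()
    model.train(quantize(sample_gaps(rng, 3000)))            # learning phase
    threshold = calibrate_threshold(model, quantize(sample_gaps(rng, 2000)), window)
    return model, threshold


def demo(seed=11, window=50):
    """Return (threshold, normal_window_score, beacon_window_score)."""
    model, thr = build_detector(window=window)
    rng = random.Random(seed)
    normal_score = model.score(quantize(sample_gaps(rng, window)))
    beacon_score = model.score(quantize(beacon_gaps(rng, window)))
    return thr, normal_score, beacon_score


if __name__ == "__main__":
    thr, n, b = demo()
    print(f"threshold {thr:.2f} bits/symbol; normal {n:.2f}; beacon {b:.2f}")
    print("beacon window flagged:", b > thr)
```

Because the model is frozen after learning, the score is a genuine out-of-model code length: a C&C channel whose timing pattern was never seen during learning is expensive to describe and stands out, while the calibration step fixes the false-alarm rate that the abstract's detection rates are reported against. The same code runs on any event sequence once an alphabet mapping like `quantize` is defined.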

    Original language: English
    Title of host publication: 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
    Publisher: Institute of Electrical and Electronics Engineers
    Pages: 101-106
    Number of pages: 6
    ISBN (Electronic): 9781479988822
    DOIs
    State: Published - 1 Jan 2014
    Event: 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014 - Atlanta, United States
    Duration: 3 Dec 2014 to 5 Dec 2014

    Publication series

    Name: 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014

    Conference

    Conference: 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
    Country/Territory: United States
    City: Atlanta
    Period: 3/12/14 to 5/12/14

    ASJC Scopus subject areas

    • Computer Science Applications
    • Information Systems
    • Information Systems and Management
    • Safety, Risk, Reliability and Quality
