Botnet identification via universal anomaly detection

Shachar Siboni, Asaf Cohen

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

6 Scopus citations

Abstract

The problem of identifying and detecting Botnets Command and Control (C&C) channels is considered. A Botnet is a logical network of compromised machines (Bots) which are remotely controlled by an attacker (Botmaster) using a C&C infrastructure in order to perform malicious activities. Accordingly, a key objective is to identify and block the C&C before any real harm is caused. We propose an anomaly detection algorithm and apply it to timing data, which can be collected without deep inspection, from open as well as encrypted flows. The suggested algorithm utilizes the Lempel Ziv universal compression algorithm in order to optimally give a probability assignment for normal traffic (during learning), then estimate the likelihood of new sequences (during operation) and classify them accordingly. Furthermore, the algorithm is generic and can be applied to any sequence of events, not necessarily traffic-related. We evaluate the detection algorithm on real-world network traces, showing how a universal, low complexity C&C identifi- cation system can be built, with high detection rates for a given false-alarm probability.

Original languageEnglish
Title of host publication2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages101-106
Number of pages6
ISBN (Electronic)9781479988822
DOIs
StatePublished - 10 Apr 2015
Event2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014 - Atlanta, United States
Duration: 3 Dec 20145 Dec 2014

Publication series

Name2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014

Conference

Conference2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
Country/TerritoryUnited States
CityAtlanta
Period3/12/145/12/14

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Botnet identification via universal anomaly detection'. Together they form a unique fingerprint.

Cite this