TY - GEN
T1 - Botnet identification via universal anomaly detection
AU - Siboni, Shachar
AU - Cohen, Asaf
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/1/1
Y1 - 2014/1/1
N2 - The problem of identifying and detecting Botnets Command and Control (C&C) channels is considered. A Botnet is a logical network of compromised machines (Bots) which are remotely controlled by an attacker (Botmaster) using a C&C infrastructure in order to perform malicious activities. Accordingly, a key objective is to identify and block the C&C before any real harm is caused. We propose an anomaly detection algorithm and apply it to timing data, which can be collected without deep inspection, from open as well as encrypted flows. The suggested algorithm utilizes the Lempel Ziv universal compression algorithm in order to optimally give a probability assignment for normal traffic (during learning), then estimate the likelihood of new sequences (during operation) and classify them accordingly. Furthermore, the algorithm is generic and can be applied to any sequence of events, not necessarily traffic-related. We evaluate the detection algorithm on real-world network traces, showing how a universal, low complexity C&C identification system can be built, with high detection rates for a given false-alarm probability.
AB - The problem of identifying and detecting Botnets Command and Control (C&C) channels is considered. A Botnet is a logical network of compromised machines (Bots) which are remotely controlled by an attacker (Botmaster) using a C&C infrastructure in order to perform malicious activities. Accordingly, a key objective is to identify and block the C&C before any real harm is caused. We propose an anomaly detection algorithm and apply it to timing data, which can be collected without deep inspection, from open as well as encrypted flows. The suggested algorithm utilizes the Lempel Ziv universal compression algorithm in order to optimally give a probability assignment for normal traffic (during learning), then estimate the likelihood of new sequences (during operation) and classify them accordingly. Furthermore, the algorithm is generic and can be applied to any sequence of events, not necessarily traffic-related. We evaluate the detection algorithm on real-world network traces, showing how a universal, low complexity C&C identification system can be built, with high detection rates for a given false-alarm probability.
UR - http://www.scopus.com/inward/record.url?scp=84929246600&partnerID=8YFLogxK
U2 - 10.1109/WIFS.2014.7084311
DO - 10.1109/WIFS.2014.7084311
M3 - Conference contribution
AN - SCOPUS:84929246600
T3 - 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
SP - 101
EP - 106
BT - 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
PB - Institute of Electrical and Electronics Engineers
T2 - 2014 IEEE International Workshop on Information Forensics and Security, WIFS 2014
Y2 - 3 December 2014 through 5 December 2014
ER -