Information Systems and e-Business Management, Volume 10, Issue 4, pp 491–519

Behavioral analysis of botnets for threat intelligence

  • Alper Caglayan
  • Mike Toothaker
  • Dan Drapeau
  • Dustin Burke
  • Gerry Eaton
Original Article

DOI: 10.1007/s10257-011-0171-7

Cite this article as:
Caglayan, A., Toothaker, M., Drapeau, D. et al. Inf Syst E-Bus Manage (2012) 10: 491. doi:10.1007/s10257-011-0171-7

Abstract

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The analysis is enabled by the Threat Intelligence infrastructure we developed specifically for fast-flux botnet detection and monitoring. Cyber criminals and attackers use botnets to conduct a wide range of operations, including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics and form clusters based on size, growth, and type of malicious behavior. We introduce a social network connectivity metric and show that command and control botnets and malware botnets score similarly on it, as do spam botnets and phishing botnets. We describe how a Guilt-by-Association approach combined with the connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.
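The abstract describes two ideas a practitioner will want to see concretely: recognizing fast-flux DNS behavior (many short-lived A records spread across unrelated networks) and inferring a domain's botnet family from the infrastructure it shares with already-labeled domains (Guilt-by-Association). The following Python is an added illustration written for this page; it is not the authors' Threat Intelligence infrastructure, and the flux thresholds, the /16-prefix proxy for network diversity, the Jaccard overlap used as a stand-in for the paper's connectivity metric, and the DNS observations are all constructed assumptions.

```python
"""
Illustrative fast-flux heuristic and Guilt-by-Association labelling.

Added example for this page. It does NOT reproduce the paper's detection
infrastructure or its social network connectivity metric; thresholds,
the /16 diversity proxy, the Jaccard overlap and the sample data are all
assumptions made for illustration.
"""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Constructed DNS observations (RFC 5737 documentation ranges, not real
# infrastructure): domain -> (ip, ttl) pairs seen across repeated A lookups.
OBSERVATIONS: Dict[str, List[Tuple[str, int]]] = {
    "fluxy-pharma.example": [
        ("203.0.113.10", 300), ("198.51.100.7", 300), ("192.0.2.44", 300),
        ("203.0.113.99", 180), ("198.51.100.200", 180), ("192.0.2.9", 300),
    ],
    "fluxy-bank.example": [
        ("203.0.113.10", 180), ("192.0.2.44", 300),
        ("198.51.100.7", 300), ("203.0.113.5", 300),
    ],
    # A legitimate site: one stable address, long TTL.
    "static-site.example": [("93.184.216.34", 86400)] * 3,
    # CDN-style round robin: several IPs but all in one /16, short TTL.
    "cdn-like.example": [("203.0.113.1", 60), ("203.0.113.2", 60), ("203.0.113.3", 60)],
}

# Constructed ground truth: families already assigned by an analyst.
LABELS: Dict[str, str] = {"fluxy-pharma.example": "spam"}


def prefix16(ip: str) -> str:
    """/16 prefix as a crude proxy for 'different network' (assumption:
    a real pipeline would use ASN lookups instead)."""
    return str(ip_network(f"{ip}/16", strict=False))


def flux_features(records: List[Tuple[str, int]]) -> Dict[str, int]:
    """Per-domain features: distinct IPs, distinct /16s, longest TTL seen."""
    ips = {ip for ip, _ in records}
    return {
        "unique_ips": len(ips),
        "unique_nets": len({prefix16(ip) for ip in ips}),
        "max_ttl": max(ttl for _, ttl in records),
    }


def is_fast_flux(records: List[Tuple[str, int]],
                 min_ips: int = 3, min_nets: int = 2, max_ttl: int = 600) -> bool:
    """Heuristic (thresholds are assumptions): flag a domain when it rotates
    through several IPs in several networks with short TTLs. Requiring
    network diversity keeps single-provider round robin from matching."""
    f = flux_features(records)
    return (f["unique_ips"] >= min_ips
            and f["unique_nets"] >= min_nets
            and f["max_ttl"] <= max_ttl)


def ip_overlap(a: List[Tuple[str, int]], b: List[Tuple[str, int]]) -> float:
    """Jaccard overlap of the IP sets two domains resolved to. This stands in
    for the paper's connectivity metric, which is not defined on this page."""
    sa, sb = {ip for ip, _ in a}, {ip for ip, _ in b}
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def predict_family(domain: str,
                   observations: Dict[str, List[Tuple[str, int]]],
                   labels: Dict[str, str],
                   min_overlap: float = 0.2) -> Tuple[Optional[str], float]:
    """Guilt-by-Association: assign the family of the labelled domain whose
    resolved IPs overlap most with `domain`, if the overlap clears a threshold.
    Returns (family or None, best overlap score)."""
    best_family, best_score = None, 0.0
    for known, family in labels.items():
        if known == domain:
            continue
        score = ip_overlap(observations[domain], observations[known])
        if score > best_score:
            best_family, best_score = family, score
    if best_score < min_overlap:
        return None, best_score
    return best_family, best_score


def analyze(observations: Dict[str, List[Tuple[str, int]]],
            labels: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run both steps over every domain: (fast-flux?, predicted family)."""
    out = {}
    for domain, records in observations.items():
        family = labels.get(domain) or predict_family(domain, observations, labels)[0]
        out[domain] = (is_fast_flux(records), family)
    return out


if __name__ == "__main__":
    for domain, (flux, family) in analyze(OBSERVATIONS, LABELS).items():
        print(f"{domain:24} fast_flux={flux!s:5} family={family}")
```

Running the block flags the two `fluxy-*` domains and leaves the stable site and the single-network round robin unflagged; `fluxy-bank.example` shares three of seven distinct addresses with the labelled spam domain and inherits its family, while `cdn-like.example` shares none and stays unlabelled. A production version would replace the /16 proxy with ASN data and the Jaccard score with a metric validated against known families, as the paper does with its own connectivity measure.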

Keywords

Fast-flux; Botnet; Phishing; Malware; Advanced persistent threat; Bulletproof hosting; Cyber threat intelligence

Copyright information

© Springer-Verlag 2011

Authors and Affiliations

  • Alper Caglayan (1)
  • Mike Toothaker (1)
  • Dan Drapeau (1)
  • Dustin Burke (1)
  • Gerry Eaton (1)

  1. Milcord, Waltham, USA