Advertisement

Exploiting Temporal Persistence to Detect Covert Botnet Channels

  • Frederic Giroire
  • Jaideep Chandrashekar
  • Nina Taft
  • Eve Schooler
  • Dina Papagiannaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5758)

Abstract

We describe a method to detect botnet command and control traffic and individual end-hosts. We introduce the notion of “destination traffic atoms” which aggregate the destinations and services that are communicated with. We then compute the ”persistence”, which is a measure of temporal regularity and that we propose in this paper, for individual destination atoms. Very persistent destination atoms are added to a host’s whitelist during a training period. Subsequently, we track the persistence of new destination atoms not already whitelisted in order to identify suspicious C&C destinations. A particularly novel aspect is that we track persistence at multiple timescales concurrently. Importantly, our method does not require any a-priori information about destinations, ports, or protocols used by the C&C communication, nor do we require payload inspection. We evaluate our system using extensive user traffic traces collected from an enterprise network, along with collected botnet traces.

We demonstrate that our method correctly identifies a botnet’s C&C traffic, even when it is very stealthy. We also show that filtering outgoing traffic with the constructed whitelists dramatically improves the performance of traditional anomaly detectors. Finally, we show that the C&C detection can be achieved with a very low false positive rate.

Keywords

Observation Window Enterprise Network User Trace Temporal Persistence Botnet Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    de Oliveira, K.C.: Botconomics: Mastering the Underground Economy of Botnets. FIRST Technical ColloquiumGoogle Scholar
  2. 2.
    McAfee Corp.: Avert Labs Threat Predictions for 2009, http://www.mcafee.com/us/local_content/reports/2009_threat_predictions_report.pdf
  3. 3.
    Cooke, E., Jahanian, F., McPherson, D.: The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In: Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI 2005), Berkeley, CA, USA, p. 6. USENIX Association (2005)Google Scholar
  4. 4.
    Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow Anomaly Detection. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 48–62. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  5. 5.
    Gao, D., Reiter, M.K., Song, D.: On Gray-box Program Tracking for Anomaly Detection. In: Proceedings of the 13th USENIX Security Symposium, Berkeley, CA, USA, p. 8. USENIX Association (2004)Google Scholar
  6. 6.
    Binkley, J.R., Singh, S.: An Algorithm for Anomaly-based Botnet Detection. In: Proceedings of the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 2006), Berkeley, CA, USA, p. 7. USENIX Association (2006)Google Scholar
  7. 7.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection through IDS-Driven Dialog Correlation. In: Proceedings of 16th USENIX Security Symposium, Berkeley, CA, USA, pp. 1–16. USENIX Association (2007)Google Scholar
  8. 8.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In: Proceedings of the Annual Network and Distributed System Security Symposium (NDSS 2008) (Febuary 2008)Google Scholar
  9. 9.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-independent Botnet Detection. In: Proceedings of the 17th Usenix Security Symposium, Berkeley, CA, USA, pp. 139–154. USENIX Association (2008)Google Scholar
  10. 10.
    Kreibich, C., Kanich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: On the Spam Campaign Trail. In: First USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET 2008 (2008)Google Scholar
  11. 11.
    Holz, T., Gorecki, C., Rieck, K., Freiling, F.: Measuring and Detecting Fast-Flux Service Networks. In: Proceedings of the Annual Network and Distributed System Security Symposium, NDSS 2008 (2008)Google Scholar
  12. 12.
    Jung, J., Paxson, V., Berger, A., Balakrishnan, H.: Fast Portscan Detection using Sequential Hypothesis Testing. In: IEEE Symposium on Security and Privacy, pp. 211–225 (2004)Google Scholar
  13. 13.
    Sekar, V., Xie, Y., Reiter, M.K., Zhang, H.: Is Host-Based Anomaly Detection + Temporal Correlation = Worm Causality? Technical Report CMU-CS-07-112, Carnegie Mellon University (March 2007)Google Scholar
  14. 14.
    McDaniel, P.D., Sen, S., Spatscheck, O., van der Merwe, J.E., Aiello, W., Kalmanek, C.R.: Enterprise Security: A Community of Interest Based Approach. In: Proceedings of the Annual Network and Distributed System Security Symposium, NDSS 2006 (2006)Google Scholar
  15. 15.
    ClamAV: Clam AntiVirus, http://www.clamav.net
  16. 16.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks (1999)Google Scholar
  17. 17.
    Stone-Gross, R., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your Botnet is My Botnet: Analysis of a Botnet Takeover (May 2009), http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
  18. 18.
    Porras, P., Saidi, H., Yegneswaran, V.: An Analysis of Conficker’s Logic and Rendezvous Points. Technical report, SRI International (March 2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Frederic Giroire
    • 1
  • Jaideep Chandrashekar
    • 2
  • Nina Taft
    • 2
  • Eve Schooler
    • 2
  • Dina Papagiannaki
    • 2
  1. 1.Project Mascotte, I3S(CNRS/UNS)/INRIAFrance
  2. 2.Intel ResearchUK

Personalised recommendations