Abstract
The rapid rise of cloud computing marks the next wave of enterprise information technology, meeting the demand of a digitized economy for computing delivered the way traditional utilities such as electricity, gas and water are delivered. It also, however, offers a cheap and, from the attacker's point of view, relatively safe way of forming a so-called botnet in the cloud. A botnet is a network of compromised machines controlled by an attacker (the botmaster). Botnets have traditionally been built from compromised end-user computers and have been the primary cause of many malicious Internet attacks. Emerging technologies such as cloud computing, however, raise new questions about what a modern botnet could look like and how effectively it could be run on the easily accessible resources such technologies provide. In this paper we implement a novel cloud-based botnet and then propose a new method for detecting it. We believe that each cloud-based botnet has a unique level of entropy in its network exchanges, so measuring the randomness of the communications between the command and control server and the bots can be used to discriminate bot behaviour from that of normal cloud users. The proposed approach is evaluated in a closed network environment; the preliminary experimental results are promising and show significant potential for using entropy to detect the command and control channel of botnets in the cloud.
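To make the entropy idea in the abstract concrete, the following is an added illustration and not the authors' implementation or data: it quantizes each (source, destination) conversation into discrete (payload-size bucket, inter-arrival bucket) symbols, computes the Shannon entropy of that symbol stream, and flags conversations whose entropy falls below a cutoff. The feature choice, the bucket widths, the threshold of 1.5 bits, the rule that C&C beaconing is more regular than user traffic, and the packet trace itself are all assumptions constructed for the example.

```python
"""Added example: per-conversation entropy scoring of network traffic.
Not the paper's method; features, threshold and trace are assumptions."""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(symbols):
    """Shannon entropy (bits) of a sequence of hashable symbols."""
    n = len(symbols)
    if n == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def quantize(packets, size_bucket=64, gap_bucket=0.5):
    """Map a time-ordered list of (t, src, dst, size) packets to symbols
    (size // size_bucket, gap // gap_bucket); bucket widths are assumptions."""
    symbols = []
    prev_t = None
    for t, _src, _dst, size in packets:
        gap = 0.0 if prev_t is None else t - prev_t
        symbols.append((size // size_bucket, int(gap // gap_bucket)))
        prev_t = t
    return symbols


def conversation_entropies(packets):
    """Group packets by (src, dst) and return the entropy of each stream."""
    convs = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        convs[(pkt[1], pkt[2])].append(pkt)
    return {key: shannon_entropy(quantize(pkts)) for key, pkts in convs.items()}


def classify(entropies, threshold=1.5):
    """Assumed rule: a low-entropy (highly regular) conversation is a
    candidate C&C channel; the threshold is illustrative, not measured."""
    return {key: ("suspect-c2" if h < threshold else "normal")
            for key, h in entropies.items()}


def constructed_trace():
    """Constructed sample trace (not captured data): a bot beaconing to a
    C&C host with fixed 96-byte payloads every ~10 s, beside a user host
    sending variable-size packets at Poisson-distributed intervals."""
    rng = random.Random(7)  # seeded so the example is reproducible
    packets = []
    t = 0.0
    for _ in range(60):
        packets.append((t, "10.0.0.5", "203.0.113.9", 96))   # beacon
        t += 10.0 + rng.uniform(-0.05, 0.05)                 # small jitter
    t = 0.0
    for _ in range(60):
        t += rng.expovariate(1.0)                            # bursty gaps
        packets.append((t, "10.0.0.6", "198.51.100.20", rng.randint(40, 1460)))
    return packets


if __name__ == "__main__":
    ent = conversation_entropies(constructed_trace())
    for key, label in classify(ent).items():
        print(f"{key[0]} -> {key[1]}: H={ent[key]:.2f} bits, {label}")
```

A single cutoff is the weakest part of such a detector: a bot that randomizes its beacon interval and pads payloads raises its own entropy, and a scripted backup job on a legitimate tenant looks as regular as a beacon. In practice the entropy per conversation should be compared against a baseline band learned from known-good traffic of the same tenant or workload rather than against one fixed number.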
© 2017 Springer International Publishing AG
Cite this paper
Lu, W., Miller, M., Xue, L. (2017). Detecting Command and Control Channel of Botnets in Cloud. In: Traore, I., Woungang, I., Awad, A. (eds) Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments. ISDDC 2017. Lecture Notes in Computer Science, vol 10618. Springer, Cham. https://doi.org/10.1007/978-3-319-69155-8_4
DOI: https://doi.org/10.1007/978-3-319-69155-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69154-1
Online ISBN: 978-3-319-69155-8