Detection of Botnet Activities Through the Lens of a Large-Scale Darknet

  • Conference paper
  • In: Neural Information Processing (ICONIP 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10638)

Abstract

The growing cyber-threats from botnets compel us to devise proper countermeasures that detect infected hosts efficiently and in a timely manner. In this paper, botnet-host identification is approached from a new perspective: by exploiting the temporal coincidence of botnet activities visible in the darknet, botnet probing campaigns and botnet hosts can be detected with high accuracy and efficiency. The insights into botnet behavioral characteristics and the automated detection results obtained from this study suggest a promising expedient for botnet take-down and host reputation management on the Internet.



Author information

Corresponding author: Tao Ban


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K. (2017). Detection of Botnet Activities Through the Lens of a Large-Scale Darknet. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.S. (eds) Neural Information Processing. ICONIP 2017. Lecture Notes in Computer Science, vol 10638. Springer, Cham. https://doi.org/10.1007/978-3-319-70139-4_45


  • DOI: https://doi.org/10.1007/978-3-319-70139-4_45

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70138-7

  • Online ISBN: 978-3-319-70139-4

  • eBook Packages: Computer Science (R0)
