Abstract
The growing cyber-threats from botnets compel us to devise proper countermeasures to detect infected hosts in an efficient and timely manner. In this paper, botnet-host identification is approached from a new perspective: by exploring the temporal coincidence in botnet activities visible in the darknet, botnet probing campaigns and botnet hosts can be detected with high accuracy and efficiency. The insights to botnet behavioral characteristics and automated detection results obtained from this study suggest a promising expedient for botnet take-down and host reputation management on the Internet.
References
Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement (IMC 2006), pp. 41–52. ACM (2006). http://doi.acm.org/10.1145/1177080.1177086
Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Behavior analysis of long-term cyber attacks in the darknet. In: Huang, T., Zeng, Z., Li, C., Leung, C.S. (eds.) ICONIP 2012. LNCS, vol. 7667, pp. 620–628. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34500-5_73
Benson, K., Dainotti, A., Claffy, K., Aben, E.: Gaining insight into as-level outages through analysis of internet background radiation. In: Proceedings of the 2012 ACM Conference on CoNEXT Student Workshop, pp. 63–64 (2012)
Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: 18th Annual Network and Distributed System Security Symposium, NDSS 2011, San Diego, CA, USA, 6–9 February 2011. http://www.eurecom.fr/publication/3281
Cho, C.Y., Domagoj, B., Shin, E.C.R., Song, D.: Inference and analysis of formal models of botnet command and control protocols. In: Computer and Communications Security (CCS 2010), pp. 426–439. ACM (2010)
Choi, H., Lee, H., Lee, H., Kim, H.: Botnet detection by monitoring group activities in DNS traffic. In: Proceedings of the 7th IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)
Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20–33 (2012). http://dx.doi.org/10.1016/j.comnet.2011.07.018
Choi, H., Lee, H., Kim, H.: Botgad: detecting botnets by capturing group activities in network traffic. In: Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE, COMSWARE 2009, pp. 2:1–2:8. ACM (2009). http://doi.acm.org/10.1145/1621890.1621893
Dagon, D., Gu, G., Lee, C.P.: A taxonomy of botnet structures. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. Advances in Information Security, vol. 36, pp. 143–164. Springer, Boston (2008). doi:10.1007/978-0-387-68768-1_8
Dainotti, A., King, A., Claffy, K., Papale, F., Pescapè, A.: Analysis of a “/0” stealth scan from a botnet. In: Internet Measurement Conference, IMC 2012, pp. 1–14. ACM (2012)
Friess, N., Aycock, J., Vogt, R.: Black market botnets. In: Proceedings of the MIT Spam Conference, pp. 1–8 (2010)
Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: USENIX Security Symposium, SS 2007, pp. 1–16. USENIX Association (2007)
Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: 2009 Annual Computer Security Applications Conference (ACSAC 2009), pp. 241–253 (2009)
Harder, U., Johnson, M.W., Bradley, J.T., Knottenbelt, W.J.: Observing internet worm and virus attacks with a small network telescope. Electr. Notes Theor. Comput. Sci. 151(3), 47–59 (2006)
Hyslip, T., Pittman, J.: A survey of botnet detection techniques by command and control infrastructure. JDFSL 10(1), 7–26 (2015)
Inoue, D., Eto, M., Yoshioka, K., Baba, S., Suzuki, K., Nakazato, J., Ohtaka, K., Nakao, K.: Nicter: an incident analysis system toward binding network monitoring with malware analysis. In: Proceedings of the 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp. 58–66 (2008)
Inoue, D., Yoshioka, K., Eto, M., Yamagata, M., Nishino, E., Takeuchi, J., Ohkouchi, K., Nakao, K.: An incident analysis system NICTER and its analysis engines based on data mining techniques. In: Köppen, M., Kasabov, N., Coghill, G. (eds.) ICONIP 2008. LNCS, vol. 5506, pp. 579–586. Springer, Heidelberg (2009). doi:10.1007/978-3-642-02490-0_71
Lai, T.L.: Sequential change-point detection in quality control and dynamical systems. J. R. Stat. Soc. Ser. B 57(4), 613–658 (1995)
Mazzariello, C.: IRC traffic analysis for botnet detection. In: 2008 Fourth International Conference on Information Assurance and Security (ISIAS 2008), pp. 318–323 (2008)
Mizoguchi, S., Kugisaki, Y., Kasahara, Y., Hori, Y., Sakurai, K.: Implementation and evaluation of bot detection scheme based on data transmission intervals. In: 2010 6th IEEE Workshop on Secure Network Protocols (NPSec), pp. 73–78 (2010)
Nakao, K., Yoshioka, K., Inoue, D., Eto, M.: A novel concept of network incident analysis based on multi-layer ovservation of malware activities. In: Proceedings of The 2nd Joint Workshop on Information Security (JWIS07), pp. 267–279 (2007)
Puri, R.: Bots & botnet: an overview. http://www.sans.org/readingroom/whitepapers/malicious/1299.php
Vapnik, V.N.: The Nature of Statistical Learning Theory. Springer, New York (1995). doi:10.1007/978-1-4757-2440-0
Yen, T.-F., Reiter, M.K.: Traffic aggregation for malware detection. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 207–227. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70542-0_11
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K. (2017). Detection of Botnet Activities Through the Lens of a Large-Scale Darknet. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, ES. (eds) Neural Information Processing. ICONIP 2017. Lecture Notes in Computer Science(), vol 10638. Springer, Cham. https://doi.org/10.1007/978-3-319-70139-4_45
Download citation
DOI: https://doi.org/10.1007/978-3-319-70139-4_45
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70138-7
Online ISBN: 978-3-319-70139-4
eBook Packages: Computer ScienceComputer Science (R0)