
Detection and Classification of Different Botnet C&C Channels

  • Conference paper
Autonomic and Trusted Computing (ATC 2011)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6906))

Abstract

Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, can direct infected computers to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting botnet infections and differentiating them by C&C style, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structure across different types of bots, and that the network characteristics of botnet C&C traffic are inherently different from those of legitimate network traffic. The best configuration of our detection system achieves an overall accuracy of 0.929 and a false positive rate of 0.078.




© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fedynyshyn, G., Chuah, M.C., Tan, G. (2011). Detection and Classification of Different Botnet C&C Channels. In: Calero, J.M.A., Yang, L.T., Mármol, F.G., García Villalba, L.J., Li, A.X., Wang, Y. (eds) Autonomic and Trusted Computing. ATC 2011. Lecture Notes in Computer Science, vol 6906. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23496-5_17

  • DOI: https://doi.org/10.1007/978-3-642-23496-5_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23495-8

  • Online ISBN: 978-3-642-23496-5

  • eBook Packages: Computer Science (R0)
