
Behavioral analysis of botnets for threat intelligence

Original Article, Information Systems and e-Business Management

Abstract

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The analysis is enabled by the Threat Intelligence infrastructure we developed specifically for fast-flux botnet detection and monitoring. Cyber criminals and attackers use botnets to conduct a wide range of operations, including spam campaigns, phishing scams, malware delivery, denial-of-service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics and form clusters based on size, growth, and type of malicious behavior. We introduce a social network connectivity metric and show that command-and-control and malware botnets score similarly on it, as do spam and phishing botnets. We describe how a Guilt-by-Association approach combined with the connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.
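The abstract describes fast-flux detection, a domain connectivity metric, and Guilt-by-Association family prediction but does not define them. The following is an added illustration, not the paper's implementation: the passive-DNS records, the flux heuristic (many distinct IPs plus short TTL), the Jaccard-overlap connectivity metric, and the family labels are all constructed assumptions, and a defender would replace them with the paper's infrastructure and real analyst labels.

```python
from collections import defaultdict
# Constructed sample passive-DNS observations: (domain, resolved IP, TTL seconds).
# Made-up values for illustration; not data from the paper.
OBSERVATIONS = [
    ("flux-a.example", "203.0.113.10", 120), ("flux-a.example", "203.0.113.11", 120),
    ("flux-a.example", "198.51.100.7", 120), ("flux-a.example", "198.51.100.8", 120),
    ("flux-b.example", "203.0.113.10", 180), ("flux-b.example", "203.0.113.11", 180),
    ("flux-b.example", "198.51.100.7", 180), ("flux-b.example", "192.0.2.44", 180),
    ("flux-c.example", "192.0.2.44", 60),    ("flux-c.example", "192.0.2.45", 60),
    ("flux-c.example", "192.0.2.46", 60),    ("flux-c.example", "192.0.2.47", 60),
    ("static.example", "192.0.2.1", 86400),
]
# Family labels known for some domains (e.g. from prior analyst work); constructed.
KNOWN_FAMILIES = {"flux-a.example": "spam", "flux-c.example": "phishing"}

def domain_ip_sets(observations):
    """Map each domain to the set of IPs it resolved to, and to its minimum TTL."""
    ips, ttl = defaultdict(set), {}
    for domain, ip, t in observations:
        ips[domain].add(ip)
        ttl[domain] = min(ttl.get(domain, t), t)
    return ips, ttl

def fast_flux_candidates(observations, min_ips=4, max_ttl=300):
    """Simplified heuristic (an assumption, not the paper's detector): many
    distinct IPs combined with a short TTL is the signature of record fluxing."""
    ips, ttl = domain_ip_sets(observations)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and ttl[d] <= max_ttl)

def connectivity(ips_a, ips_b):
    """Illustrative connectivity metric: Jaccard overlap of two domains' IP sets."""
    return len(ips_a & ips_b) / len(ips_a | ips_b)

def guilt_by_association(observations, known):
    """Assign each unlabeled fast-flux domain the family of the labeled domains
    whose hosting infrastructure it shares most (vote weighted by connectivity)."""
    ips, _ = domain_ip_sets(observations)
    predictions = {}
    for d in fast_flux_candidates(observations):
        if d in known:
            continue
        votes = defaultdict(float)
        for labeled, family in known.items():
            score = connectivity(ips[d], ips[labeled])
            if score:
                votes[family] += score
        if votes:
            predictions[d] = max(votes, key=votes.get)
    return predictions
```

Domains with no shared infrastructure receive no prediction, so the output separates "unknown" from "associated" rather than forcing a label.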




Acknowledgments

This research was supported by the U.S. Department of Homeland Security, Science and Technology Directorate Cybersecurity R&D program.

Author information

Correspondence to Alper Caglayan.


Cite this article

Caglayan, A., Toothaker, M., Drapeau, D. et al. Behavioral analysis of botnets for threat intelligence. Inf Syst E-Bus Manage 10, 491–519 (2012). https://doi.org/10.1007/s10257-011-0171-7
