DOI: 10.1145/1621890.1621893
Research article, COMSWARE conference proceedings

BotGAD: detecting botnets by capturing group activities in network traffic

Published: 16 June 2009

Abstract

Recent malicious activity is aimed at obtaining financial benefits using botnets, which have become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming and click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism called BotGAD (Botnet Group Activity Detector). BotGAD can detect unknown botnets in large-scale networks in real time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their code. We implemented BotGAD using DNS traffic and showed its effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two-day campus network traces.
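The group-activity idea from the abstract, as an added example that is not code from the paper or its authors: a toy detector over a constructed DNS query log flags a domain when roughly the same set of hosts queries it in consecutive time windows. The window size, the group-size threshold and the Jaccard similarity metric are assumptions of this example, not BotGAD's own definitions.

```python
"""Toy group-activity detector over DNS query records (added illustration).

The metric below, mean Jaccard similarity of the querying-host set across
consecutive time windows, is an assumption for this example and is not the
paper's metric. A stable host set also arises for popular legitimate names,
so a real deployment would combine this with an allow-list or more features.
"""
from collections import defaultdict

# Constructed sample log: (seconds since start, source host, queried name).
# Three hosts poll cnc.example in every 60 s window in lockstep, while
# www.example is queried by a changing set of hosts.
SAMPLE_QUERIES = [
    (5, "10.0.0.11", "cnc.example"), (7, "10.0.0.12", "cnc.example"), (9, "10.0.0.13", "cnc.example"),
    (12, "10.0.0.21", "www.example"), (30, "10.0.0.22", "www.example"), (40, "10.0.0.23", "www.example"),
    (65, "10.0.0.11", "cnc.example"), (66, "10.0.0.12", "cnc.example"), (70, "10.0.0.13", "cnc.example"),
    (75, "10.0.0.24", "www.example"), (80, "10.0.0.25", "www.example"), (100, "10.0.0.21", "www.example"),
    (125, "10.0.0.11", "cnc.example"), (126, "10.0.0.12", "cnc.example"), (131, "10.0.0.13", "cnc.example"),
    (140, "10.0.0.26", "www.example"), (150, "10.0.0.27", "www.example"), (170, "10.0.0.28", "www.example"),
]

def host_groups(queries, window):
    """Map each domain to the ordered list of host sets, one per time window.
    Windows in which a domain was not queried at all are simply absent."""
    groups = defaultdict(lambda: defaultdict(set))
    for ts, host, name in queries:
        groups[name][ts // window].add(host)
    return {name: [hosts for _, hosts in sorted(w.items())] for name, w in groups.items()}

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as dissimilar."""
    return len(a & b) / len(a | b) if a or b else 0.0

def group_activity_score(host_sets, min_group):
    """Mean similarity between consecutive windows' host sets; 0 when there is
    only one window or any window's group is smaller than min_group."""
    if len(host_sets) < 2 or any(len(h) < min_group for h in host_sets):
        return 0.0
    sims = [jaccard(a, b) for a, b in zip(host_sets, host_sets[1:])]
    return sum(sims) / len(sims)

def detect(queries, window=60, min_group=3, threshold=0.8):
    """Return {domain: score} for domains whose querying hosts act as a stable group."""
    scores = {name: group_activity_score(sets, min_group)
              for name, sets in host_groups(queries, window).items()}
    return {name: s for name, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    for name, score in detect(SAMPLE_QUERIES).items():
        print(f"group activity: {name} score={score:.2f}")
```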



Published In

COMSWARE '09: Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE
June 2009, 183 pages
ISBN: 9781605583532
DOI: 10.1145/1621890

Publisher: Association for Computing Machinery, New York, NY, United States

Cited By

• (2024) Anti-Drone System. International Journal of Advanced Research in Science, Communication and Technology, 10.48175/IJARSCT-18573, pp. 506-518. Online publication date: 29 May 2024.
• (2024) B-CAT: a model for detecting botnet attacks using deep attack behavior analysis on network traffic flows. Journal of Big Data, 11:1, 10.1186/s40537-024-00900-1. Online publication date: 10 Apr 2024.
• (2024) Botnets Unveiled: A Comprehensive Survey on Evolving Threats and Defense Strategies. Transactions on Emerging Telecommunications Technologies, 35:11, 10.1002/ett.5056. Online publication date: 20 Oct 2024.
• (2023) Botnet Dataset Overview Using Statistical Approach Based on Time Gap Activity Analysis. 2023 11th International Symposium on Digital Forensics and Security (ISDFS), 10.1109/ISDFS58141.2023.10131832, pp. 1-6. Online publication date: 11 May 2023.
• (2023) Analyzing and detecting Botnet Attacks using Anomaly Detection with Machine Learning. 2023 5th International Conference on Inventive Research in Computing Applications (ICIRCA), 10.1109/ICIRCA57980.2023.10220903, pp. 911-915. Online publication date: 3 Aug 2023.
• (2023) Detection of botnet in Machine Learning. 2023 International Conference on Disruptive Technologies (ICDT), 10.1109/ICDT57929.2023.10151328, pp. 36-42. Online publication date: 11 May 2023.
• (2023) Malware Detection Based on Periodic Communication Behavior. 2023 5th International Conference on Artificial Intelligence and Computer Applications (ICAICA), 10.1109/ICAICA58456.2023.10405439, pp. 79-85. Online publication date: 28 Nov 2023.
• (2022) A Novel Intrusion Detection System for Internet of Things Network Security. Research Anthology on Convergence of Blockchain, Internet of Things, and Security, 10.4018/978-1-6684-7132-6.ch020, pp. 330-348. Online publication date: 8 Jul 2022.
• (2022) PUMD: a PU learning-based malicious domain detection framework. Cybersecurity, 5:1, 10.1186/s42400-022-00124-x. Online publication date: 1 Oct 2022.
• (2022) Analyzing Machine Learning-based Feature Selection for Botnet Detection. 2022 1st International Conference on Information System & Information Technology (ICISIT), 10.1109/ICISIT54091.2022.9872812, pp. 386-391. Online publication date: 27 Jul 2022.
