CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

Cited by: 39
Authors
Dietrich, Christian J. [1, 3]
Rossow, Christian [1, 2]
Pohlmann, Norbert [1]
Affiliations
[1] Univ Appl Sci Gelsenkirchen, Inst Internet Secur, D-45877 Gelsenkirchen, Germany
[2] Vrije Univ Amsterdam, Network Inst, Amsterdam, Netherlands
[3] Univ Erlangen Nurnberg, Dept Comp Sci, D-91054 Erlangen, Germany
Keywords
Botnet C&C; Botnet detection; Traffic analysis; Network security
DOI
10.1016/j.comnet.2012.06.019
Chinese Library Classification (CLC) number
TP3 [Computing technology, computer technology]
Subject classification code
0812
Abstract
We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%. (c) 2012 Elsevier B.V. All rights reserved.
Pages: 475 / 486
Page count: 12
Related papers
50 items in total
  • [1] Periodic Behavior in Botnet Command and Control Channels Traffic. AsSadhan, Basil; Moura, Jose M. F.; Lapsley, David. GLOBECOM 2009 - 2009 IEEE GLOBAL TELECOMMUNICATIONS CONFERENCE, VOLS 1-8, 2009: 2157 - 2162
  • [2] Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations. Burghouwt, Pieter; Spruit, Marcel; Sips, Henk. INTERNATIONAL CONFERENCE ON SECURITY AND PRIVACY IN COMMUNICATION NETWORKS, SECURECOMM 2014, PT I, 2015, 152: 174 - 182
  • [3] Active Botnet Probing to Identify Obscure Command and Control Channels. Gu, Guofei; Yegneswaran, Vinod; Porras, Phillip; Stoll, Jennifer; Lee, Wenke. 25TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, 2009: 241 - +
  • [4] Fluxing botnet command and control channels with URL shortening services. Lee, Sangho; Kim, Jong. COMPUTER COMMUNICATIONS, 2013, 36 (03): 320 - 332
  • [5] Subspace Clustering for Interpretable Botnet Traffic Analysis. Araki, Shohei; Hu, Bo; Kamiya, Kazunori; Tanikawa, Masaki; Takahashi, Kenji. ICC 2019 - 2019 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS (ICC), 2019
  • [6] Using coverage analysis to extract Botnet command-and-control protocol. Wang, Zhi; Cai, Ya-Yun; Liu, Lu; Jia, Chun-Fu. Tongxin Xuebao/Journal on Communications, 2014, 35 (01): 156 - 166
  • [7] BotDet: A System for Real Time Botnet Command and Control Traffic Detection. Ghafir, Ibrahim; Prenosil, Vaclav; Hammoudeh, Mohammad; Baker, Thar; Jabbar, Sohail; Khalid, Shehzad; Jaf, Sardar. IEEE ACCESS, 2018, 6: 38947 - 38958
  • [8] Comparative Analysis and Evaluation of Botnet Command and Control Models. Marupally, Pavan Roy; Paruchuri, Vamsi. 2010 24TH IEEE INTERNATIONAL CONFERENCE ON ADVANCED INFORMATION NETWORKING AND APPLICATIONS (AINA), 2010: 82 - 89
  • [9] Using Behavioral Similarity for Botnet Command-and-Control Discovery. Jusko, Jan; Rehak, Martin; Stiborek, Jan; Kohout, Jan; Pevny, Tomas. IEEE INTELLIGENT SYSTEMS, 2016, 31 (05): 16 - 23
  • [10] Inference and Analysis of Formal Models of Botnet Command and Control Protocols. Cho, Chia Yuan; Babic, Domagoj; Shin, Eui Chul Richard; Song, Dawn. PROCEEDINGS OF THE 17TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY (CCS'10), 2010: 426 - 439