25-06-2012, 12:08 PM
Clustering Analysis of Network Traffic for Protocol- and Structure
Clustering Analysis of Network.pdf (Size: 455.1 KB / Downloads: 30)
What Is a Bot/Botnet?
• Bot
– A malware instance that runs autonomously and automatically on
a compromised computer (zombie) without owner’s consent
– Profit-driven, professionally written, widely propagated
• Botnet (Bot Army): network of bots controlled by criminals
– Definition: “A coordinated group of malware instances that are
controlled by a botmaster via some C&C channel”
– Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
– “25% of Internet PCs are part of a botnet!”
Challenges for Botnet Detection
• Bots are stealthy on the infected machines
– We focus on a network-based solution
• Bot infection is usually a multi-faceted and multiphased
process
– Only looking at one specific aspect likely to fail
• Bots are dynamically evolving
– Static and signature-based approaches may not be
effective
• Botnets can have very flexible design of C&C
channels
– A solution very specific to a botnet instance is not
desirable
Existing Botnet Detection Work
• [Binkley, Singh 2006]: IRC-based bot detection combining
IRC statistics and TCP work weight
• Rishi [Goebel, Holz 2007]: signature-based IRC bot
nickname detection
• [Livadas et al. 2006, Karasaridis et al. 2007]: (BBN,
AT&T) network flow level detection of IRC botnets
• BotHunter [Gu et al., Security’07]: dialog correlation to
detect bots based on an infection dialog model
• BotSniffer [Gu et al., NDSS’08]: spatial-temporal
correlation to detect centralized botnet C&C
• TAMD [Yen, Reiter 2008]: traffic aggregation to detect
botnets that use a centralized C&C structure.
Two-step Clustering of C-flows
• Why multi-step?
• How?
– Coarse-grained clustering
• Using reduced feature space: mean and
variance of the distribution of FPH, PPF,
BPP, BPS for each C-flow (2*4=8)
• Efficient clustering algorithm: X-means
– Fine-grained clustering
• Using full feature space (13*4=52)
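The two-step scheme above, worked through in code as an added illustration. This is not code from the slides or from the BotMiner authors; it assumes a C-flow is keyed by (source IP, destination IP, destination port, protocol), that each of FPH, PPF, BPP and BPS is summarised as a 13-bin equal-width histogram between the observed minimum and maximum (the 52 fine-grained features) and as a mean/variance pair (the 8 coarse features), that the coarse features are min-max scaled before clustering, and that plain k-means with farthest-point seeding stands in for X-means. The fine-grained refinement uses a crude split-if-it-helps rule in place of X-means' BIC test: a coarse cluster is split in two only when the split removes at least half of its within-cluster squared error. The flow records are constructed, not captured traffic.

```python
"""Two-step clustering of C-flows: coarse on 8 summary features, fine on the 52 histogram bins.
Added example, not from the slides; k-means and the split rule are stand-ins for X-means."""
from collections import defaultdict
from statistics import mean, pvariance

FEATURES = ("fph", "ppf", "bpp", "bps")  # flows/hour, packets/flow, bytes/packet, bytes/second
NBINS = 13                               # bins per distribution, as on the slide (13 * 4 = 52)

# Constructed sample flow records (not real traffic). Hosts .1-.3 poll the same server on
# port 80 with near-identical flows (bot-like); .4 and .5 have irregular, human-like traffic.
SAMPLE_FLOWS = []
for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
    for hour in range(4):
        SAMPLE_FLOWS += [dict(src=src, dst="198.51.100.7", dport=80, proto="tcp", hour=hour,
                              packets=12, bytes=2400, duration=2.0) for _ in range(3)]
for src, pk, by in (("10.0.0.4", (5, 40, 9, 120), (300, 52000, 700, 90000)),
                    ("10.0.0.5", (7, 3, 55, 20), (800, 150, 70000, 4000))):
    for hour, (p, b) in enumerate(zip(pk, by)):
        SAMPLE_FLOWS.append(dict(src=src, dst="203.0.113.9", dport=443, proto="tcp", hour=hour,
                                 packets=p, bytes=b, duration=1.0 + 3 * hour))

def build_cflows(flows):
    """Aggregate flows into C-flows keyed by (src, dst, dport, proto); collect raw per-flow values."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    cflows = {}
    for key, fl in groups.items():
        per_hour = defaultdict(int)
        for f in fl:
            per_hour[f["hour"]] += 1
        cflows[key] = {"fph": list(per_hour.values()),
                       "ppf": [f["packets"] for f in fl],
                       "bpp": [f["bytes"] / f["packets"] for f in fl],
                       "bps": [f["bytes"] / f["duration"] for f in fl]}
    return cflows

def histogram(values, lo, hi):
    """Fraction of values in each of NBINS equal-width bins over [lo, hi] (assumed binning)."""
    counts = [0] * NBINS
    for v in values:
        idx = NBINS - 1 if hi == lo else min(int((v - lo) / (hi - lo) * NBINS), NBINS - 1)
        counts[idx] += 1
    return [c / len(values) for c in counts]

def featurize(cflows):
    """Return (fine, coarse): 52-dim histogram vectors and 8-dim mean/variance vectors per C-flow."""
    rng = {n: (min(v for cf in cflows.values() for v in cf[n]),
               max(v for cf in cflows.values() for v in cf[n])) for n in FEATURES}
    fine = {k: [x for n in FEATURES for x in histogram(cf[n], *rng[n])] for k, cf in cflows.items()}
    coarse = {k: [s for n in FEATURES for s in (mean(cf[n]), pvariance(cf[n]))]
              for k, cf in cflows.items()}
    return fine, coarse

def normalize(vectors):
    """Column-wise min-max scaling so the large BPS statistics do not dominate the distance."""
    cols = list(zip(*vectors.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {k: [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]
            for k, v in vectors.items()}

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points, k, iters=50):
    """Lloyd's k-means with deterministic farthest-point seeding; returns one label per point."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist2(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist2(p, centers[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an empty cluster keeps its old centre
                centers[j] = [mean(col) for col in zip(*members)]
    return labels

def sse(points, labels, k):
    """Within-cluster sum of squared distances to each cluster's centroid."""
    total = 0.0
    for j in range(k):
        members = [p for p, lab in zip(points, labels) if lab == j]
        if members:
            c = [mean(col) for col in zip(*members)]
            total += sum(dist2(p, c) for p in members)
    return total

def two_step_cluster(flows, k_coarse=2, split_gain=0.5):
    """Coarse k-means on the scaled 8-dim vectors, then refine each coarse cluster on the 52-dim
    vectors, splitting it in two only when that removes at least `split_gain` of its SSE."""
    cflows = build_cflows(flows)
    fine, coarse = featurize(cflows)
    keys = list(cflows)
    scaled = normalize(coarse)
    coarse_labels = kmeans([scaled[k] for k in keys], k_coarse)
    result, next_id = {}, 0
    for j in range(k_coarse):
        members = [k for k, lab in zip(keys, coarse_labels) if lab == j]
        if not members:
            continue
        pts = [fine[k] for k in members]
        whole = [0] * len(pts)
        split = kmeans(pts, 2) if len(pts) > 1 else whole
        before, after = sse(pts, whole, 1), sse(pts, split, 2)
        use = split if before > 0 and (before - after) / before >= split_gain else whole
        for k, lab in zip(members, use):
            result[k] = next_id + lab  # globally unique cluster id per C-flow
        next_id += max(use) + 1
    return result

if __name__ == "__main__":
    for key, cid in sorted(two_step_cluster(SAMPLE_FLOWS).items(), key=lambda kv: kv[1]):
        print(cid, key)
```

On the constructed input the three bot-like C-flows share one cluster (their coarse vectors are identical, so the refinement step finds nothing to split), while the two irregular hosts land in the other coarse cluster and are then separated by the 52-bin histograms. The coarse pass is the cheap filter: it runs on 8 numbers per C-flow and is the only pass that touches every C-flow at once, which is the point of doing it before the 52-dimensional step.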
Summary and Future Work
• BotMiner
– New botnet detection system based on Horizontal
correlation
– Independent of botnet C&C protocol and structure
– Real-world evaluation shows promising results
• Future work
– More efficient clustering, more robust features
– New faster detection system using active techniques
• BotMiner: offline correlation, and requires a relatively long
time for detection
• BotProbe: fast detection by observing at most one round of
C&C
– New real-time solution for very high speed and very
large networks