Detection and classification of different botnet C&C channels

Gregory Fedynyshyn; Mooi Choo Chuah; Gang Tan

doi:10.1007/978-3-642-23496-5_17

Detection and classification of different botnet C&C channels

Gregory Fedynyshyn, Mooi Choo Chuah, Gang Tan

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

40 Scopus citations

Abstract

Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic is inherently different from legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.

Original language	English (US)
Title of host publication	Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings
Pages	228-242
Number of pages	15
DOIs	https://doi.org/10.1007/978-3-642-23496-5_17
State	Published - 2011
Event	8th International Conference on Autonomic and Trusted Computing, ATC 2011 - Banff, AB, Canada Duration: Sep 2 2011 → Sep 4 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6906 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	8th International Conference on Autonomic and Trusted Computing, ATC 2011
Country/Territory	Canada
City	Banff, AB
Period	9/2/11 → 9/4/11

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-23496-5_17

Cite this

Fedynyshyn, G., Chuah, M. C., & Tan, G. (2011). Detection and classification of different botnet C&C channels. In Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings (pp. 228-242). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6906 LNCS). https://doi.org/10.1007/978-3-642-23496-5_17

@inproceedings{f908e8e2e3ea4b01b2e775fc881a51d4,

title = "Detection and classification of different botnet C&C channels",

abstract = "Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic is inherently different from legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.",

author = "Gregory Fedynyshyn and Chuah, {Mooi Choo} and Gang Tan",

year = "2011",

doi = "10.1007/978-3-642-23496-5_17",

language = "English (US)",

isbn = "9783642234958",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "228--242",

booktitle = "Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings",

note = "8th International Conference on Autonomic and Trusted Computing, ATC 2011 ; Conference date: 02-09-2011 Through 04-09-2011",

}

Fedynyshyn, G, Chuah, MC & Tan, G 2011, Detection and classification of different botnet C&C channels. in Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6906 LNCS, pp. 228-242, 8th International Conference on Autonomic and Trusted Computing, ATC 2011, Banff, AB, Canada, 9/2/11. https://doi.org/10.1007/978-3-642-23496-5_17

Detection and classification of different botnet C&C channels. / Fedynyshyn, Gregory; Chuah, Mooi Choo; Tan, Gang.
Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings. 2011. p. 228-242 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6906 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Detection and classification of different botnet C&C channels

AU - Fedynyshyn, Gregory

AU - Chuah, Mooi Choo

AU - Tan, Gang

PY - 2011

Y1 - 2011

N2 - Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic is inherently different from legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.

AB - Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic is inherently different from legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.

UR - http://www.scopus.com/inward/record.url?scp=80052738809&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80052738809&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-23496-5_17

DO - 10.1007/978-3-642-23496-5_17

M3 - Conference contribution

AN - SCOPUS:80052738809

SN - 9783642234958

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 228

EP - 242

BT - Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings

T2 - 8th International Conference on Autonomic and Trusted Computing, ATC 2011

Y2 - 2 September 2011 through 4 September 2011

ER -

Fedynyshyn G, Chuah MC, Tan G. Detection and classification of different botnet C&C channels. In Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings. 2011. p. 228-242. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-23496-5_17

Detection and classification of different botnet C&C channels

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this