DOI: 10.5555/1778902.1778912

Botnet traffic detection techniques by C&C session classification using SVM

Published: 29 October 2007

Abstract

Bots, a new class of malicious programs, are hard to detect with signature-based pattern matching.
In this research we focus on a function unique to bots: the remote-control channel (the C&C session). We show that the C&C session has distinctive characteristics that arise from the behaviour of bot programs. Accordingly, we propose an alternative technique for identifying computers compromised by a bot: classifying C&C sessions out of traffic data with a machine-learning algorithm, the support vector machine (SVM). Our evaluation achieved 95% accuracy in identifying C&C sessions with SVM. We also found that the packet-histogram vector of a session is better than the other vector definitions we evaluated for classifying bot C&C sessions.
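The abstract describes building a per-session packet histogram vector and classifying C&C sessions with an SVM. The following Python is an added worked example, not code from the paper: it turns constructed packet records for a session into a normalized packet-size histogram (one block per traffic direction), offers a coarser "summary" vector for comparison, and trains a linear SVM on the vectors. The bin edges, the two-direction layout, the shapes of the constructed C&C and web sessions, the Pegasos-style training routine and all helper names are assumptions, since this page does not give the paper's feature definition, kernel or data.

```python
"""Per-session packet-size histogram vectors and a linear SVM C&C classifier.

Added worked example, not code from the paper. All packet records are
constructed; bin edges, feature layout and the training method are
assumptions, since the page does not state the paper's definitions.
"""
import random
from typing import Callable, List, Sequence, Tuple

Packet = Tuple[str, int]          # (direction 'c2s' | 's2c', payload bytes)

# Assumed bin edges in bytes; sizes at or above the last edge land in the top bin.
BINS = (0, 64, 128, 256, 512, 1024, 1500)


def histogram_vector(packets: Sequence[Packet]) -> List[float]:
    """Packet-size histogram of one session, one block per direction,
    normalized by the session's packet count so the whole vector sums to 1."""
    nbins = len(BINS) - 1
    counts = {"c2s": [0] * nbins, "s2c": [0] * nbins}
    for direction, size in packets:
        for i in range(nbins):
            if BINS[i] <= size < BINS[i + 1]:
                counts[direction][i] += 1
                break
        else:
            counts[direction][-1] += 1
    total = max(1, len(packets))
    return [c / total for c in counts["c2s"] + counts["s2c"]]


def summary_vector(packets: Sequence[Packet]) -> List[float]:
    """An alternative, coarser vector definition for comparison:
    mean payload size per direction (scaled by 1500) and the client-to-server share."""
    c2s = [s for d, s in packets if d == "c2s"]
    s2c = [s for d, s in packets if d == "s2c"]

    def scaled_mean(sizes: List[int]) -> float:
        return (sum(sizes) / len(sizes) / 1500.0) if sizes else 0.0

    return [scaled_mean(c2s), scaled_mean(s2c), len(c2s) / max(1, len(packets))]


def make_session(kind: str, rng: random.Random) -> List[Packet]:
    """Constructed traffic (assumed shapes). An IRC-style C&C session is a long
    run of small lines in both directions (PING/PONG, short commands); a web
    session is a few mid-sized requests answered by large responses."""
    pkts: List[Packet] = []
    if kind == "cnc":
        for _ in range(rng.randint(40, 80)):
            direction = "s2c" if rng.random() < 0.7 else "c2s"
            pkts.append((direction, rng.randint(10, 90)))
    else:
        for _ in range(rng.randint(3, 8)):
            pkts.append(("c2s", rng.randint(300, 600)))
            for _ in range(rng.randint(2, 6)):
                pkts.append(("s2c", rng.randint(1000, 1460)))
    return pkts


def train_linear_svm(X, y, lam=0.01, epochs=50, seed=0):
    """Primal linear SVM trained with Pegasos-style subgradient steps
    (plus an unregularized bias). Labels are +1 (C&C) / -1 (normal)."""
    rng = random.Random(seed)
    d = len(X[0])
    w, b, t = [0.0] * d, 0.0, 0
    order = list(range(len(X)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            margin = y[i] * (sum(wj * xj for wj, xj in zip(w, X[i])) + b)
            w = [(1.0 - eta * lam) * wj for wj in w]      # regularization shrink
            if margin < 1.0:                                # hinge-loss subgradient
                w = [wj + eta * y[i] * xj for wj, xj in zip(w, X[i])]
                b += eta * y[i]
    return w, b


def predict(w, b, x) -> int:
    """Sign of the decision function: +1 for a predicted C&C session."""
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b >= 0.0 else -1


def evaluate(vectorize: Callable[[Sequence[Packet]], List[float]] = histogram_vector,
             n_train: int = 100, n_test: int = 40, seed: int = 1) -> float:
    """Train on constructed sessions and return held-out accuracy in [0, 1]."""
    rng = random.Random(seed)

    def batch(n):
        X, y = [], []
        for i in range(n):
            kind = "cnc" if i % 2 == 0 else "web"
            X.append(vectorize(make_session(kind, rng)))
            y.append(1 if kind == "cnc" else -1)
        return X, y

    Xtr, ytr = batch(n_train)
    Xte, yte = batch(n_test)
    w, b = train_linear_svm(Xtr, ytr)
    hits = sum(predict(w, b, x) == label for x, label in zip(Xte, yte))
    return hits / n_test


if __name__ == "__main__":
    for name, fn in (("histogram", histogram_vector), ("summary", summary_vector)):
        print(f"{name:9s} vector: held-out accuracy {evaluate(fn):.2f}")
```

The constructed sessions are deliberately easy to separate, so both vector definitions score well here and the script does not reproduce the paper's comparison; its point is the pipeline shape (reassemble packets into sessions, vectorize each session, train and score a margin classifier). On real captures the session reassembly, the choice of bins and the class balance of the training set are the parts that decide whether the 95% figure transfers.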


Published In

IWSEC'07: Proceedings of the 2nd International Conference on Advances in Information and Computer Security
October 2007
460 pages
ISBN: 3540756507
Editors: Atsuko Miyaji, Hiroaki Kikuchi, Kai Rannenberg

Sponsors

• NICT: National Institute of Information and Communications Technology
• Carnegie Mellon CyLab
• ICF: International Communication Foundation

Publisher

Springer-Verlag, Berlin, Heidelberg


Qualifiers

• Article
