Flow-based identification of botnet traffic by mining multiple log files

2008 First International Conference on Distributed Framework and Applications Pub Date : 2008-10-01 DOI:10.1109/ICDFMA.2008.4784437

M. Masud, T. Al-Khateeb, L. Khan, B. Thuraisingham, Kevin W. Hamlen

{"title":"Flow-based identification of botnet traffic by mining multiple log files","authors":"M. Masud, T. Al-Khateeb, L. Khan, B. Thuraisingham, Kevin W. Hamlen","doi":"10.1109/ICDFMA.2008.4784437","DOIUrl":null,"url":null,"abstract":"Botnet detection and disruption has been a major research topic in recent years. One effective technique for botnet detection is to identify Command and Control (C&C) traffic, which is sent from a C&C center to infected, hosts (bots) to control the bots. If this traffic can be detected, both the C&C center and the bots it controls can be detected, and the botnet can be disrupted. We propose a multiple log-file based temporal correlation technique for detecting C&C traffic. Our main assumption is that bots respond much faster than humans. By temporally correlating two host-based log files, we are able to detect this property and thereby detect bot activity in a host machine. In our experiments we apply this technique to log files produced by tcpdump and exedump, which record all incoming and outgoing network packets, and the start times of application executions at the host machine, respectively. We apply data mining to extract relevant features from these log files and detect C&C traffic. Our experimental results validate our assumption and show better overall performance when compared to other recently published techniques.","PeriodicalId":353319,"journal":{"name":"2008 First International Conference on Distributed Framework and Applications","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"105","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 First International Conference on Distributed Framework and Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICDFMA.2008.4784437","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 105

Abstract

Botnet detection and disruption has been a major research topic in recent years. One effective technique for botnet detection is to identify Command and Control (C&C) traffic, which is sent from a C&C center to infected, hosts (bots) to control the bots. If this traffic can be detected, both the C&C center and the bots it controls can be detected, and the botnet can be disrupted. We propose a multiple log-file based temporal correlation technique for detecting C&C traffic. Our main assumption is that bots respond much faster than humans. By temporally correlating two host-based log files, we are able to detect this property and thereby detect bot activity in a host machine. In our experiments we apply this technique to log files produced by tcpdump and exedump, which record all incoming and outgoing network packets, and the start times of application executions at the host machine, respectively. We apply data mining to extract relevant features from these log files and detect C&C traffic. Our experimental results validate our assumption and show better overall performance when compared to other recently published techniques.

查看原文本刊更多论文

基于多日志文件的僵尸网络流量识别

近年来，僵尸网络检测与破坏一直是一个重要的研究课题。僵尸网络检测的一种有效技术是识别命令和控制(C&C)流量，这些流量从C&C中心发送给受感染的主机(机器人)以控制机器人。如果可以检测到这种流量，则可以检测到C&C中心及其控制的机器人，并且可以中断僵尸网络。我们提出了一种基于多日志文件的时间相关技术来检测航控流量。我们的主要假设是，机器人的反应速度比人类快得多。通过暂时关联两个基于主机的日志文件，我们能够检测此属性，从而检测主机中的bot活动。在我们的实验中，我们将此技术应用于tcpdump和exedump生成的日志文件，它们分别记录所有传入和传出的网络数据包，以及主机上应用程序执行的开始时间。我们利用数据挖掘技术从这些日志文件中提取相关特征，并检测C&C流量。我们的实验结果验证了我们的假设，并且与其他最近发表的技术相比，显示出更好的整体性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2008 First International Conference on Distributed Framework and Applications

自引率

0.00%

发文量