Discovering new indicators for botnet traffic detection

A. Adamov, V. Hahanov, Anders Carlsson
Published in: Proceedings of IEEE East-West Design & Test Symposium (EWDTS 2014)
DOI: 10.1109/EWDTS.2014.7027100
Publication date: 2014-09-01
Citation count: 1

Abstract

Botnets have become a powerful cyber weapon involving tens of millions of infected computers ("cyber zombies") all over the world. The security industry makes efforts to prevent botnets from spreading and, in that way, from compromising the Individual Cyberspace (IC) [1] of users. However, botnets continue to exist despite numerous takedowns initiated by antivirus companies, Microsoft, the FBI, Europol and others. In this paper we investigate existing methods of traffic detection, represented mostly by IDS (Intrusion Detection System) products, and discover new indicators that can be used to improve botnet traffic detection. To do this we analyse the communication protocols of the most prevalent backdoors that lie behind the popular botnets. As a result, we extracted new data that can be used in the detection routines of an IDS. The objective of the study is to mine new indicators of compromise from botnet traffic and to use them to identify cyber-attacks on IC. The analysis method consists of analysing the communication protocol of the top botnet backdoors. The discovered results, which can be used to improve detection of infected hosts in a local network, are presented in this paper.