• DocumentCode
    1626507
  • Title
    Real-time Botnet command and control characterization at the host level
  • Author
    Etemad, F.F. ; Vahdani, P.
  • Author_Institution
    Dept. of Comput. Eng., Ferdowsi Univ. of Mashhad, Mashhad, Iran
  • fYear
    2012
  • Firstpage
    1005
  • Lastpage
    1009
  • Abstract
    A Botnet is a network of compromised machines which are controlled by a person called the botmaster via a typical Command and Control (C&C) structure. Besides malicious activity on the infected host, bots are employed to deliver attacks against outside targets, including phishing, Distributed Denial of Service (DDoS) attacks and spamming. Countermeasures against the Botnet phenomenon are usually based on passive traffic analysis at the network level, which limits the ability to counter Botnets in a proactive manner. In this paper, we propose a real-time approach which not only detects Botnet traffic on the host, but can also filter it from the outgoing traffic in order to suppress the Botnet. Our approach works by detecting Botnet communication patterns which belong to a centralized C&C structure. The capability of bot detection by real-time processing of host-related data alone distinguishes our work from other existing approaches.
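    The abstract describes host-level, real-time detection of centralized C&C communication patterns followed by filtering of the offending outbound traffic, but does not state which pattern features the authors use. The following is an added illustration of that idea, not code from the paper: it assumes (my assumption, not the authors') that a bot under a centralized C&C reconnects to one endpoint at a near-constant interval, so a process whose outbound connections to a single destination show very regular gaps is flagged on the spot and its later connections are dropped. The process names, addresses, ports and timestamps are constructed sample data.

```python
"""Host-level detector for centralized C&C beaconing (added illustration).

Assumption (not from the paper): a bot talking to a single C&C server tends
to reconnect to the same destination at a near-constant interval, so a
process whose outbound connections to one endpoint have very regular gaps
is flagged and its subsequent connections are dropped. All process names,
addresses and timestamps below are constructed sample data.
"""
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One outbound connection observed on the host (constructed schema)."""
    ts: float      # seconds since start of monitoring
    proc: str      # originating process name
    dst: str       # destination IP
    port: int      # destination port


class BeaconDetector:
    """Stateful, per-event (real-time) detector; no offline pass is needed."""

    def __init__(self, min_conns=6, max_cv=0.15, window=12):
        self.min_conns = min_conns   # connections seen before a verdict is possible
        self.max_cv = max_cv         # max coefficient of variation of inter-connection gaps
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.flagged = set()         # (proc, dst, port) tuples judged to be C&C beacons

    def observe(self, c: Conn) -> bool:
        """Record one connection; return True if it should be filtered out."""
        key = (c.proc, c.dst, c.port)
        hist = self.history[key]
        hist.append(c.ts)
        if key in self.flagged:          # already judged: keep suppressing
            return True
        if len(hist) < self.min_conns:   # not enough evidence yet
            return False
        ts = list(hist)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:                    # duplicate timestamps; no interval to judge
            return False
        cv = statistics.pstdev(gaps) / mean
        if cv <= self.max_cv:            # gaps are nearly constant: beacon-like
            self.flagged.add(key)
            return True
        return False


def filter_stream(events, detector=None):
    """Run the detector over a time-ordered stream; split it into allowed/dropped."""
    detector = detector if detector is not None else BeaconDetector()
    allowed, dropped = [], []
    for e in events:
        (dropped if detector.observe(e) else allowed).append(e)
    return allowed, dropped


def sample_events():
    """Constructed stream: one beaconing bot plus ordinary browser and CLI traffic."""
    bot = [Conn(t, "svchost_fake.exe", "203.0.113.7", 6667)
           for t in (0.0, 60.5, 120.2, 181.0, 240.8, 300.3, 360.9, 420.1, 480.6, 540.2)]
    browser = [Conn(t, "firefox", "198.51.100.20", 443)
               for t in (5.0, 7.0, 40.0, 41.0, 42.0, 130.0, 131.0, 400.0)]
    cli = [Conn(33.0, "curl", "198.51.100.99", 80)]
    return sorted(bot + browser + cli, key=lambda c: c.ts)


if __name__ == "__main__":
    det = BeaconDetector()
    allowed, dropped = filter_stream(sample_events(), det)
    print("flagged:", det.flagged)
    print("allowed:", len(allowed), "dropped:", len(dropped))
```

    On the constructed stream the bot's sixth connection (five gaps of about 60 s) is the first one filtered, while the browser's bursty connections to a single host never satisfy the regularity test. Two caveats a practitioner would want: legitimate periodic traffic (NTP, update checkers, keep-alives) will trip a purely interval-based rule unless it is allow-listed, and a bot that randomizes its beacon interval or spreads across many C&C hosts will not be caught by this particular heuristic.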
  • Keywords
    computer crime; computer network security; telecommunication traffic; unsolicited e-mail; C&C structure; DDoS attack; attack delivery; bot detection; botmaster; botnet communication pattern; botnet traffic; distributed denial of service attack; host level; infected host; malicious activity; network level; passive traffic analysis; phishing; real-time botnet command and control characterization; real-time processing; spamming; Command and control systems; Filtering; Malware; Protocols; Real-time systems; Servers; Botnet; Centralized C&C; Host-Based; detection; real-time;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Telecommunications (IST), 2012 Sixth International Symposium on
  • Conference_Location
    Tehran
  • Print_ISBN
    978-1-4673-2072-6
  • Type
    conf
  • DOI
    10.1109/ISTEL.2012.6483133
  • Filename
    6483133