Title :
A Novel IRC Botnet Detection Method Based on Packet Size Sequence
Author :
Ma, Xiaobo ; Guan, Xiaohong ; Tao, Jing ; Zheng, Qinghua ; Guo, Yun ; Liu, Lu ; Zhao, Shuang
Author_Institution :
MOE Key Lab. for Intell. Networks & Network Security, Xi´´an Jiaotong Univ., Xi´´an, China
Abstract :
Botnets have become a serious threat to Internet and are often deployed to control a large pool of zombies and perform notorious activities such as DDoS, information theft and spam sending. In this paper, a new method is developed for detecting IRC botnets by analyzing the characteristic of packet size sequence of the TCP conversation between IRC zombies and their command and control (C&C) servers. In comparison with IRC chat, the TCP conversations within IRC botnets show a nature of approximate periodicity defined as quasi-periodicity in this paper. A simple yet effective detection method is presented to detect IRC botnets by measuring the quasi-periodicity degree and packet average size of IRC conversations based on ukkonen algorithm. We evaluated our method using real-world IRC botnet traces captured from honeynet. The results show that our method can detect real-world IRC botnets from IRC traffic with high accuracy and has a low false positive rate.
Keywords :
Internet; security of data; IRC botnet detection method; IRC zombies; Internet; Internet relay chat; TCP conversations; command-and-control servers; distributed denial-of-service attack; honeynet; information theft; packet average size measurement; packet size sequence; quasiperiodicity degree measurement; spam sending; ukkonen algorithm; Command and control systems; Communications Society; Electronic mail; Intelligent networks; Internet; Large-scale systems; Manufacturing systems; National security; Size control; Web server;
Conference_Titel :
Communications (ICC), 2010 IEEE International Conference on
Conference_Location :
Cape Town
Print_ISBN :
978-1-4244-6402-9
DOI :
10.1109/ICC.2010.5502092
