Skip to main content
Other
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
Proceedings of the 15th Annual Network and Distributed System Security Symposium
  • Guofei Gu
  • Junjie Zhang, Wright State University - Main Campus
  • Wenke Lee
Document Type
Conference Proceeding
Publication Date
2-1-2008
Disciplines
Abstract

Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.

Comments

Presented at the 16th Annual Network & Distributed System Security Symposium, San Diego, CA.

Citation Information
Guofei Gu, Junjie Zhang and Wenke Lee. "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic" Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)
Available at: http://works.bepress.com/junjie_zhang/5/