Automatic Discovery of Botnet Communities on Large-Scale Communication Network
Wei Lu and Ali A. Ghorbani, Faculty of Computer Science, University of New Brunswick, Fredericton, Canada

WHAT IS BOTNET?

MAJOR CHALLENGES OF BOTNET DETECTION?

Traditional IRC botnets can be easily detected and shut down due to their centralized architecture. Techniques for creating botnets are now evolving from centralized (i.e. IRC and HTTP) to distributed (i.e. P2P based, e.g. Phatbot with WASTE, Nugache, Peacomm), raising two major challenges: (1) How to identify the network applications behind Internet traffic? (2) How to detect zero-day botnets?

WHY IS APPLICATION DISCOVERY IMPORTANT?

40% of the Internet traffic on a WiFi ISP network is unknown, raising an important question: what does the unknown traffic stand for? New applications, or simply zero-day botnet traffic?

WHY IS ZERO-DAY BOTNET DETECTION IMPORTANT?

Current techniques are limited to existing well-known botnets, like the Kaiten IRC bot, the BlackEnergy HTTP bot or some cracked P2P bots, like Peacomm and Phatbot with WASTE. How to detect botnets created by new P2P techniques? BotMiner?

OUR METHODOLOGY

[Figure: input network flows -> Step 1. Payload Signatures based Application Classifier -> P2P, IRC, WEB and unknown flows -> Step 2. Cross-Association based Application Classifier -> network application communities; Step 3 separates Bots IRC Flows from Human IRC Flows]

Payload Signatures based Classifier

Cross-Association Clustering

Discriminating Botnet C&C Flows from Normal Traffic
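The following is an added example of Step 1 of the methodology above (a payload-signature classifier that labels flows as IRC, WEB or P2P and hands everything else on as "unknown" for the cross-association stage). It is not the authors' code: the poster does not list the signatures they used, so the regexes, the Flow record and the sample flows below are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative payload signatures (an assumption for this example; the poster
# does not give the authors' signature set). Each regex is matched against the
# first bytes of a flow's payload, which is where protocol handshakes appear.
SIGNATURES = {
    "IRC": re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ", re.M),
    "WEB": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n|^HTTP/1\.[01] \d{3} "),
    "P2P": re.compile(rb"^\x13BitTorrent protocol"),
}


@dataclass
class Flow:
    """Minimal flow record: endpoints plus the reassembled payload prefix."""
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_flow(flow: Flow, signatures=SIGNATURES) -> str:
    """Return the application label of the first matching signature, else 'unknown'."""
    head = flow.payload[:256]  # signatures live in the handshake, not deep in the stream
    for app, pattern in signatures.items():
        if pattern.search(head):
            return app
    return "unknown"


def classify_flows(flows):
    """Step 1 output: (labelled flows, unknown flows).

    The unknown list is exactly what Step 2 (cross-association clustering)
    would receive; encrypted or obfuscated C&C traffic ends up here.
    """
    labelled, unknown = [], []
    for flow in flows:
        app = classify_flow(flow)
        if app == "unknown":
            unknown.append(flow)
        else:
            labelled.append((flow, app))
    return labelled, unknown


def unknown_ratio(flows) -> float:
    """Share of flows the signature stage cannot label (the poster's '40%' figure)."""
    if not flows:
        return 0.0
    return len(classify_flows(flows)[1]) / len(flows)


# Constructed sample flows; hosts and payloads are made up for this example.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 6667, b"NICK bob\r\nUSER bob 0 * :bob\r\nJOIN #chat\r\n"),
    Flow("10.0.0.6", "192.0.2.20", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.7", "192.0.2.30", 6881, b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20),
    Flow("10.0.0.8", "192.0.2.40", 443, b"\x17\x03\x01\x00\x40" + bytes(64)),  # TLS-like record
    Flow("10.0.0.9", "192.0.2.50", 31337, bytes(range(32))),  # opaque binary protocol
]

if __name__ == "__main__":
    labelled, unknown = classify_flows(SAMPLE_FLOWS)
    for flow, app in labelled:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {app}")
    print(f"{len(unknown)} unknown flows forwarded to Step 2 "
          f"({unknown_ratio(SAMPLE_FLOWS):.0%} of input)")
```

Two of the five constructed flows carry no recognisable handshake and are forwarded as unknown; that residue is the input to the cross-association step, and it is also where a zero-day or encrypted C&C channel would sit, which is why the poster treats unknown traffic as the interesting part rather than noise.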