Botgad detecting botnets by capturing group activities in network traffic
1 / 27

BotGAD : Detecting Botnets by Capturing Group Activities in Network Traffic - PowerPoint PPT Presentation

  • Uploaded on

BotGAD : Detecting Botnets by Capturing Group Activities in Network Traffic. Hyunsang Choi , Heejo Lee, and Hyogon Kim COMSWARE '09, Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE. Presenter: Yi Ning Chen. Outline.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' BotGAD : Detecting Botnets by Capturing Group Activities in Network Traffic' - yori

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Botgad detecting botnets by capturing group activities in network traffic

BotGAD: Detecting Botnets by Capturing Group Activitiesin Network Traffic

HyunsangChoi, Heejo Lee, and Hyogon Kim

COMSWARE '09, Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE

Presenter: Yi Ning Chen


  • Introduction

  • Related Work

  • Group Activity of Botnet and Detection Scheme

  • Case Study: BOTGAD Using DNS

  • Conclusion


  • A Botnet is a network of compromised machines controlled by an attacker to carry out online criminal activities including identity theft, e-mail spam, click fraud and DDoS attack.

  • A botnet'smaster can control the group remotely by command-and-control server (C&C server)

Difficulties of botnet detection
Difficulties of botnet detection

  • Botnet traffic is hard to detect because it is similar to normal traffic. What is worse, it may contain encrypted communication.

  • Botnets evolve quickly as more users fail to protect their computers, helping the attackers evade existing protection mechanisms.

  • Even botnet detections method can capture botnets which use the evasion techniques, most usually need huge amount of data which cannot be analyzed in real-time

Related works
Related Works

  • BotSniffer (2008)

    • BotSniffer has a similar concept with BotGADin respect of capturing the synchronized botnet communication.

    • Different from BotGAD, BotSniffer performs string matching to detect similar responses from botnets.

  • BotMiner (2008)

    • presents a botnet detection method which clusters botnet’s communication traffic and activity traffic.

Observation of botnet
Observation of Botnet

  • We find a common property of botnets: group activity.

    • Bots receive/send control traffic, download new codes, migrate the communication channel, and perform malicious behaviors.

Botnet life cycle
Botnet Life Cycle

Bots →DNS server,

C&C server

Bots →Target host

Bots → C&C server

Group activity of botnet
Group Activity of Botnet

  • Centralized botnets (HTTP and IRC)

  • P2P botnets

    • group activities can be observed during upgrading/ synchronizing

Two cases of group activities
Two Cases of Group Activities

  • Suppose that we monitor incoming and outgoing traffic at a network gateway.











Incoming group activity

Outgoing group activity

Internal and external group
Internal and External Group

  • ti: internal target

  • te: external target

  • An internal and an external group (Gi, Ge) which perform activity a to external/internal target within a time window wn,

  • Gi = {a, te, wn}

  • Ge= {a, ti, wn}

Characteristics of botnet group activity
Characteristics of Botnet Group Activity


  • Assume that a group is observed Gwithin wnand G’ within wn+1

  • To measure the group uniformity, we compute a similarity between G and G’

  • Kulczynski similarity

  • Cosine similarity

  • Jaccard similarity

Botgad detection framework
BotGAD Detection Framework

Data collection group classifier
Data Collection & Group Classifier

If IP Addr 1 perform the group activity within w1

Estimate group properties average similarity
Estimate Group Properties – Average Similarity

  • Some botnet groups can be seen in wi, not in

    wn+1 due to the relatively small value of w choice.

  • Therefore, we delete deficientcolumn vectors which satisfy (m is the number of hosts in the group.)

  • Average similarity value within a given monitoring time t (t=nw)

Estimate group properties p eriodicity intensity
Estimate Group Properties – Periodicity & Intensity

  • Periodicity

  • If the periodicity P is equal to zero, the group entries occurred periodically at each time window

  • Intensity

  • If the intensity is equal to one, the group entries appear intensively.

  • A lot of groups founded in normal communication patterns, do not appear intensively

Identify botnet
Identify Botnet

  • With the combination of average similarity, periodicity and intensity, BotGAD decides whether a groups is a botnet or not.

  • If average similarity > λD, the group is considered suspicious.

  • Delete false positives which have intensity < λI

  • Among remainder groups, if periodicity < λP, we judge the groups are periodic bots

Dns used in botnets 1 2
DNS Used in Botnets(1/2)

  • Rally

    • If a host infection succeeds, the host send DNS query to know the name of a C&C server.

  • Update

    • Botnetsusually update their codes with the latest one by downloading it from their web repository. the botnets find the repository using DNS.

  • Synchronization

    • Some botnets synchronize the system time of infected machines with the Network Time Protocol (NTP) using time server DNS (e.g., Storm worm botnet [16]).

Dns used in botnets 2 2
DNS Used in Botnets(2/2)

  • Cloning and Reconnection

    • Bots frequently do cloning and reconnecting to be undetectable. At the moment, bots find their new/old channel servers using DNS.

  • Migration

    • Botnetsmigrate C&C servers using DNS.

  • Attack

    • Spamming, DDoS attack and click fraud attacks may use DNS to find victims.


  • Collect DNS traces tapped from the gateway router of /16 campus network.

  • Experiment #1 on 2008/5/19

    • 6.28GB of DNS traffic and 19.52 million DNS queries

    • Observed average 640,000 domain groups, but only 8% of the groups (51,200) have more than 3 hosts.

    • Decide group size threshold, λS to be 3

  • Experiment #2 on 2008/12/24

    • 1.48GB of DNS traffic and 4.6 million DNS queries

    • DNS queries are decreased remarkably because the NAC (Network Access Control)

Measured 3 different similarities
Measured 3 Different Similarities

  • Experiment#1

  • w: 10 minute, t: 1 hour

Comparison of experiment results
Comparison of Experiment Results

  • The comparison infer that the NAC solution affects positively to BotGAD

Dealing with f alse p ositives
Dealing with False Positives

  • After applied λI , there were still some false positives. Most are update related domains, which can be removed using white list.

Evadability of botgad
Evadability of BotGAD

  • If bots intentionally generate fake DNS queries using source address spoofing, the fake queries can poison BotGAD.

  • We can check follow-up TCP connections of DNS queries to delete the fake queries.


  • We define an inherent property of botnets, called group activity.

  • We develop metric model to measure the property and detection mechanism which can detect botnetsfrom large scale networks in real-time.

  • We implemented BotGAD using DNS traffic as a case study and the effectiveness of the implemented system by the experiments on real-life campus network trace.