Botnet Detection System
Introduction
Botnet problem
Challenges for botnet detection
What Is a Bot/Botnet?
Bot: a malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent. Profit-driven, professionally written, widely propagated.
– We focus on a network-based solution
– Only looking at one specific aspect likely to fail
– Static and signature-based approaches may not be effective
– A solution very specific to a botnet instance is not
Infection Lifecycle Model
to detect host infection behavior
– Without C&C, bots are just discrete, unorganized infections
– Relatively stable and unlikely to change within botnets
– Reveal C&C server and local victims
– The weakest link
– a set of clients that have (message/activity) response behavior
– A dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).
– Many members have very similar responses
(encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers, dialog models
– C-plane (C&C communication plane): “who is talking to whom”
– A-plane (malicious activity plane): “who is doing what”
between a local host and a remote service?
– <protocol, srcIP, dstIP, dstPort>
in at least one common C-cluster are
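The following is an added example, not code from the slides or from any of the referenced detection systems: it groups constructed flow records by the C-plane key <protocol, srcIP, dstIP, dstPort>, treats the local hosts that share one remote <protocol, dstIP, dstPort> as a candidate response crowd, and flags the crowd as dense when the fraction of members with an observed activity response exceeds the 0.5 threshold quoted above. The `activity` flag standing in for the A-plane observation, the `min_clients` floor and all addresses are assumptions of this example.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str        # local host
    dst: str        # remote service
    dport: int
    activity: bool  # assumed A-plane signal: host showed activity response in this window


# Constructed sample records (not real traffic): three local hosts share one
# remote service on port 6667, two of them with an activity response; two
# other hosts share a web server with no activity response.
FLOWS = [
    Flow("tcp", "10.0.0.11", "198.51.100.5", 6667, True),
    Flow("tcp", "10.0.0.12", "198.51.100.5", 6667, True),
    Flow("tcp", "10.0.0.13", "198.51.100.5", 6667, False),
    Flow("tcp", "10.0.0.11", "203.0.113.9", 80, False),
    Flow("tcp", "10.0.0.14", "203.0.113.9", 80, False),
]


def c_flows(flows):
    """Aggregate records into C-flows keyed by <protocol, srcIP, dstIP, dstPort>."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.proto, f.src, f.dst, f.dport)].append(f)
    return groups


def response_crowds(flows):
    """Local hosts that talk to the same <protocol, dstIP, dstPort> form one candidate crowd.

    Returns {(proto, dst, dport): {srcIP: had_activity_response}}.
    """
    crowds = defaultdict(dict)
    for (proto, src, dst, dport), fs in c_flows(flows).items():
        crowds[(proto, dst, dport)][src] = any(f.activity for f in fs)
    return crowds


def dense_crowds(flows, threshold=0.5, min_clients=2):
    """Return crowds whose fraction of responding members is larger than threshold."""
    dense = {}
    for key, members in response_crowds(flows).items():
        if len(members) < min_clients:  # a single host is not a crowd (assumption)
            continue
        frac = sum(members.values()) / len(members)
        if frac > threshold:
            dense[key] = frac
    return dense
```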