IRC botnet detection based on host behavior

Cited by: 1
Authors
Wang, Wei [1, 2]
Fang, Bin-Xing [1, 2]
Cui, Xiang [2]
Affiliations
[1] Research Center of Computer Network and Information Security, Harbin Institute of Technology
[2] Research Center of Information Security, Institute of Computing Technology, Chinese Academy of Sciences
Source
Jisuanji Xuebao / Chinese Journal of Computers, 2009, Vol. 32, No. 10
Keywords
Botnet; Command sequence; IRC nickname; Similarity measurement
DOI
10.3724/SP.J.1016.2009.01980
Abstract
Current IRC botnet detection algorithms have two shortcomings: they need prior knowledge of the botnet to build matching patterns, and they cannot run online. To address both, this paper proposes two IRC botnet detection algorithms based on host behaviour. Three attributes, LCS_rate, compositive distance and RN_dice coefficient, quantify the similarity of nicknames from three aspects: content, composition and structure. For online detection, an extended Threshold Random Walk (TRW) algorithm driven by nickname similarity is proposed. A second algorithm detects bots from the command sequence of IRC clients. Evaluation shows that both algorithms are correct and effective. Finally, the algorithms were deployed on a large-scale network and detected 162 bot channels within two weeks.
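The abstract names three nickname-similarity measures and an extended TRW test but, as a record page, gives none of their definitions. The following is an added illustration, not code from the paper: it uses three stand-ins of the same flavour (an LCS rate for content, a letter/digit/other proportion profile for composition, and a bigram Dice coefficient for structure; the paper's exact LCS_rate, compositive distance and RN_dice formulas are not reproduced here), combines them with equal weight, and feeds the result as a binary observation into a plain Threshold Random Walk (Jung et al.) rather than the paper's extension. The thresholds, probabilities, similarity cut-off and the two sample channels are all constructed for the example.

```python
"""Nickname-similarity IRC botnet detection with a Threshold Random Walk.

Added example, not code from Wang, Fang and Cui's paper.  The paper's
LCS_rate, compositive distance and RN_dice definitions are not available on
this page, so three stand-ins of the same flavour are used, and the TRW is
the plain sequential test of Jung et al.  All parameters are assumptions.
"""
import math


def lcs_length(a: str, b: str) -> int:
    """Longest common subsequence length via the standard O(len(a)*len(b)) DP."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_rate(a: str, b: str) -> float:
    """Content similarity: LCS length normalised by the longer nickname."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def composition_similarity(a: str, b: str) -> float:
    """Composition similarity (stand-in): 1 minus half the L1 distance between
    the letter/digit/other proportion vectors, so 1.0 means the same class mix."""
    def profile(s: str):
        n = len(s) or 1
        letters = sum(c.isalpha() for c in s) / n
        digits = sum(c.isdigit() for c in s) / n
        return (letters, digits, 1.0 - letters - digits)
    return 1.0 - sum(abs(x - y) for x, y in zip(profile(a), profile(b))) / 2


def dice_bigrams(a: str, b: str) -> float:
    """Structural similarity (stand-in): Dice coefficient over character bigrams."""
    x = {a[i:i + 2] for i in range(len(a) - 1)}
    y = {b[i:i + 2] for i in range(len(b) - 1)}
    if not x and not y:
        return 1.0 if a == b else 0.0
    return 2 * len(x & y) / (len(x) + len(y))


def nick_similarity(a: str, b: str) -> float:
    """Equal-weight mean of the three measures, in [0, 1]."""
    return (lcs_rate(a, b) + composition_similarity(a, b) + dice_bigrams(a, b)) / 3


class ChannelTRW:
    """Online TRW for one IRC channel.  Each JOIN yields Y=1 if the new nick's
    best similarity to a nick already seen in the channel is >= tau, else Y=0.
    theta0/theta1 are the assumed P[Y=1] under the benign and bot hypotheses;
    alpha/beta bound the false-positive and false-negative rates."""

    def __init__(self, tau=0.6, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01):
        self.tau = tau
        self.llr_hit = math.log(theta1 / theta0)                # Y=1 step (+)
        self.llr_miss = math.log((1 - theta1) / (1 - theta0))   # Y=0 step (-)
        self.upper = math.log((1 - beta) / alpha)               # accept H1: bot
        self.lower = math.log(beta / (1 - alpha))               # accept H0: benign
        self.nicks = []
        self.walk = 0.0
        self.verdict = "undecided"

    def join(self, nick: str) -> str:
        """Feed one JOIN event; returns the channel's current verdict."""
        if self.verdict == "undecided" and self.nicks:
            best = max(nick_similarity(nick, seen) for seen in self.nicks)
            self.walk += self.llr_hit if best >= self.tau else self.llr_miss
            if self.walk >= self.upper:
                self.verdict = "bot"
            elif self.walk <= self.lower:
                self.verdict = "benign"
        self.nicks.append(nick)
        return self.verdict


def classify_channel(joins) -> str:
    """Run the walk over a sequence of JOIN nicknames and return the verdict."""
    trw = ChannelTRW()
    verdict = "undecided"
    for nick in joins:
        verdict = trw.join(nick)
    return verdict


# Constructed sample channels for the example (not real captures).
BOT_CHANNEL = ["[USA]-00123", "[USA]-00457", "[USA]-00891", "[GBR]-00234", "[DEU]-00576"]
HUMAN_CHANNEL = ["alice", "bobby_tables", "xXdragonXx", "m4rk", "SunnyDaze"]

if __name__ == "__main__":
    for name, joins in (("bot-like", BOT_CHANNEL), ("human", HUMAN_CHANNEL)):
        print(f"{name:9s} channel -> {classify_channel(joins)}")
```

With alpha = beta = 0.01 and theta0/theta1 = 0.2/0.8, each observation moves the log-likelihood walk by ±ln 4, so four consecutive similar (or dissimilar) joins cross the ±ln 99 threshold: the templated bot channel is flagged on its fifth join and the human channel is cleared on its fifth. The first nickname in a channel produces no observation because there is nothing to compare it with, which is the main reason a per-channel TRW needs several joins before it can decide.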
Pages: 1980-1988 (8 pages)
References (20 in total; the first 10 are listed here)
[1] Du Y.-J., Cui X. Botnets and their enlightenment. China Data Communication, 2005, 7(5): 9-13.
[2] Oikarinen J., Reed D. Internet Relay Chat Protocol. RFC 1459, 1993.
[3] Zhuge J.-W., Han X.-H., Zhou Y.-L., et al. HoneyBow: An automated malware collection tool based on the high-interaction honeypot principle. Journal of Communications, 2007, 28(12): 8-13.
[4] Malan D.J. Rapid detection of botnets through collaborative networks of peers. 2007.
[5] Al-Hammadi Y., Aickelin U. Detecting botnets through log correlation. Proceedings of the IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation, 2006: 97-100.
[6] Binkley J.R., Singh S. An algorithm for anomaly-based botnet detection. Proceedings of the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006: 43-48.
[7] Strayer W.T., Walsh R., et al. Detecting botnets with tight command and control. Proceedings of the 31st IEEE Conference on Local Computer Networks (LCN), 2006: 195-202.
[8] Goebel J., et al. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. Proceedings of HotBots'07, 2007.
[9] Karasaridis A., Rexroad B., et al. Wide-scale botnet detection and characterization. Proceedings of HotBots'07, First Workshop on Hot Topics in Understanding Botnets, 2007.
[10] Gu G., Porras P., Yegneswaran V., et al. BotHunter: Detecting malware infection through IDS-driven dialog correlation. Proceedings of the 16th USENIX Security Symposium (Security'07), 2007: 167-182.