CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

Cited by: 39
Authors
Dietrich, Christian J. [1 ,3 ]
Rossow, Christian [1 ,2 ]
Pohlmann, Norbert [1 ]
Affiliations
[1] Univ Appl Sci Gelsenkirchen, Inst Internet Secur, D-45877 Gelsenkirchen, Germany
[2] Vrije Univ Amsterdam, Network Inst, Amsterdam, Netherlands
[3] Univ Erlangen Nurnberg, Dept Comp Sci, D-91054 Erlangen, Germany
Keywords
Botnet C&C; Botnet detection; Traffic analysis; Network security;
DOI
10.1016/j.comnet.2012.06.019
CLC classification number
TP3 [Computing technology, computer technology];
Discipline classification number
0812 ;
Abstract
We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%. (c) 2012 Elsevier B.V. All rights reserved.
Pages: 475 / 486
Page count: 12