Despite the increasing botnet threat, research in the area of botmaster traceback is limited. The four main obstacles are 1) the low-traffic nature of the bot-to-botmaster link, 2) chains of "stepping stones", 3) the use of encryption along these chains, and 4) mixing with traffic from other bots. Most existing traceback approaches can address one or two of these issues, but no single approach can overcome all of them. We present a novel flow watermarking technique to address all four obstacles simultaneously. Our approach allows us to uniquely identify and trace any IRC-based botnet flow even if 1) it is encrypted (e.g., via SSL/TLS), 2) it passes multiple intermediate stepping stones (e.g., IRC server, SOCKS), and 3) it is mixed with other botnet traffic. Our watermarking scheme relies on adding padding characters to outgoing botnet C&C messages at the application layer. This produces specific differences in lengths between randomly chosen pairs of messages in a network flow. As a result, our watermarking technique can be used to trace any interactive botnet C&C traffic, and it only requires a few dozen packets to be effective. To the best of our knowledge, this is the first approach that has the potential to allow real-time botmaster traceback across the Internet. We have empirically validated the effectiveness of our botnet flow watermarking approach with live experiments on PlanetLab nodes and public IRC servers on different continents. We achieved virtually a 100% detection rate of watermarked (encrypted and unencrypted) IRC traffic with a false positive rate on the order of 10^-5. Due to the message queuing and throttling functionality of IRC servers, mixing chaff with the watermarked flow does not significantly impact the effectiveness of our watermarking approach.
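The following is an added illustration of the length-difference watermark idea described above; it is not the paper's code, and the pair selection, the quantization step DELTA, the bucket encoding and the sample IRC lines are all assumptions made for the example. The tracer sees only message (or TLS record) lengths, and a constant per-record overhead cancels in the pairwise difference.

```python
import random

DELTA = 8  # quantization step in bytes; an assumed parameter, not the paper's value

def select_pairs(n_messages, n_bits, seed):
    """Pick n_bits disjoint (i, j) message-index pairs from a seeded PRNG.
    Embedder and tracer share only the seed, so both derive the same pairs."""
    if n_messages < 2 * n_bits:
        raise ValueError("need at least two messages per watermark bit")
    idx = list(range(n_messages))
    random.Random(seed).shuffle(idx)
    return [(idx[2 * k], idx[2 * k + 1]) for k in range(n_bits)]

def embed_watermark(messages, bits, seed, pad=" "):
    """Append padding to m_j so that (len(m_j) - len(m_i)) mod 2*DELTA lands in the
    middle of bucket [0, DELTA) for bit 0 or [DELTA, 2*DELTA) for bit 1.
    Only padding is added, never truncation, so message content is untouched."""
    out = list(messages)
    for (i, j), bit in zip(select_pairs(len(out), len(bits), seed), bits):
        target = bit * DELTA + DELTA // 2  # bucket centre: tolerates +-DELTA/2 jitter
        diff = (len(out[j]) - len(out[i])) % (2 * DELTA)
        out[j] += pad * ((target - diff) % (2 * DELTA))
    return out

def extract_watermark(lengths, n_bits, seed):
    """Recover bits from observed lengths only (cleartext or TLS record sizes)."""
    bits = []
    for i, j in select_pairs(len(lengths), n_bits, seed):
        diff = (lengths[j] - lengths[i]) % (2 * DELTA)
        bits.append(1 if diff >= DELTA else 0)
    return bits

def observed_lengths(messages, per_record_overhead=0):
    """Lengths as seen on the wire; a constant per-record cipher/header overhead
    (as with TLS) cancels in the pairwise difference, so detection still works."""
    return [len(m) + per_record_overhead for m in messages]

# Constructed sample of IRC-style bot-to-botmaster lines (not captured traffic).
MESSAGES = [
    "PRIVMSG #c :[STATUS] idle", "PRIVMSG #c :[INFO] uptime 3d 4h",
    "PRIVMSG #c :[SYSINFO] win xp sp2", "PRIVMSG #c :[NET] 1.2 mbit",
    "PRIVMSG #c :[STATUS] ok", "PRIVMSG #c :[INFO] host build 1.0",
    "PRIVMSG #c :[CMD] ack", "PRIVMSG #c :[STATUS] busy",
]
WATERMARK = [1, 0, 1, 1]
SEED = 0x5EED  # shared secret between the watermarker and the tracer

def demo():
    """Embed, then recover the mark from lengths that carry a 21-byte per-record overhead."""
    marked = embed_watermark(MESSAGES, WATERMARK, SEED)
    return extract_watermark(observed_lengths(marked, 21), len(WATERMARK), SEED)
```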