Article Open access Peer reviewed

Statistical Characterization of the Botnets C&C Traffic

2012; Elsevier BV; Volume: 1; Language: English

10.1016/j.protcy.2012.02.030

ISSN

2212-0173

Authors

Pedro Correia, Eduardo Rocha, António Nogueira, Paulo Salvador

Topic(s)

Advanced Malware Detection Techniques

Abstract

Botnets are used for various purposes, most of them related to illegitimate activity, and they are also the source of massive exploit activity as they recruit new vulnerable systems to expand their reach. Due to their volume, diverse capabilities and robustness, botnets pose a significant and growing threat to enterprise networks and to the Internet itself. Detecting botnets is a hard task, and traditional network security systems are unable to complete it successfully. In fact, botnets are evolving and can be quite flexible: the protocols used for Command and Control (C&C) have evolved from traditional IRC to others, and the structure has moved from centralized to distributed, using for example the Peer-to-Peer (P2P) communication paradigm. New-generation botnet detection systems should therefore be independent of the C&C protocol, botnet structure and infection model, and resilient to changes of the C&C server addresses. In addition, they should use all available information (from network probes, servers, routing elements, traffic statistics, identification of illicit applications), correlating it in the most useful way. Characterizing existing botnets is crucial to design an efficient detection methodology. Several approaches can be taken to study this phenomenon: analyze its source code, which can be a hard task mainly due to license restrictions; study the botnet control, particularly the activity of its C&C server(s); study the botnet behavior, namely its possible scanning activities, Denial of Service (DoS) attacks, spamming or phishing activities, among other possibilities. This work will mainly use the last two approaches to (i) characterize the traffic generated by each bot when communicating with the C&C server(s) and (ii) identify and analyze the main patterns of the traffic generated by the botnet.
