COMPUTER SCIENCE AND TECHNOLOGY
Detection of IRC Botnet C&C channels using the instruction syntax
YAN Jianen, ZHANG Zhaoxin, XU Haiyan, ZHANG Hongli |
School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China |
Abstract The command and control (C&C) channel is a unique way that an Internet relay chat (IRC) Botnet sends commands to control the Botnet. This study analyzed the syntax characteristics of the control commands to develop a method for detecting the control command channel. A creditable coefficient was defined to describe the possibility that a sentence in a channel is a Botnet control command. An improved threshold random walk (TRW) algorithm was used with the creditable coefficients to accelerate the C&C channel detection. Tests show that this method can efficiently detect Botnet C&C channels.
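The following is an added illustration of the detection idea the abstract describes, not the paper's own code: the coefficient heuristic, the per-hypothesis probabilities THETA0/THETA1, the error rates ALPHA/BETA, and the soft-weighted TRW update are all assumptions, since the page does not give the paper's definitions or parameter values.

```python
import math
import re

# Assumed parameters; the paper's actual values are not given on this page.
THETA0 = 0.10   # P(command-like sentence | benign channel)
THETA1 = 0.80   # P(command-like sentence | C&C channel)
ALPHA = 0.01    # tolerated false-positive rate
BETA = 0.01     # tolerated false-negative rate

# Sequential-test thresholds (Jung et al. style TRW) in log-likelihood form.
ETA0 = math.log(BETA / (1 - ALPHA))   # decide "benign" at or below this
ETA1 = math.log((1 - BETA) / ALPHA)   # decide "C&C" at or above this

# Hypothetical syntax pattern: a command prefix, a short verb, then up to
# six parameter tokens without natural-language punctuation.
CMD_RE = re.compile(r"^[.!#]\s*[a-z]{2,12}(\s+[A-Za-z0-9_./:=-]+){0,6}$")


def creditable_coefficient(msg: str) -> float:
    """Assumed heuristic: score in [0, 1] for how command-like a sentence is."""
    text = msg.strip()
    if not CMD_RE.match(text):
        return 0.0
    score = 0.6
    if len(text.split()) > 1:          # verb followed by parameters
        score += 0.2
    if not any(ch in text for ch in ",?'\""):   # no chat-style punctuation
        score += 0.2
    return min(score, 1.0)


def trw_step(llr: float, c: float) -> float:
    """One weighted update: the coefficient interpolates between the
    'hit' and 'miss' log-likelihood ratios of the binary TRW test."""
    hit = math.log(THETA1 / THETA0)
    miss = math.log((1 - THETA1) / (1 - THETA0))
    return llr + c * hit + (1 - c) * miss


def classify_channel(messages):
    """Walk the channel's sentences in order; stop at the first threshold crossed.
    Returns (verdict, number of sentences consumed)."""
    llr = 0.0
    for i, msg in enumerate(messages, 1):
        llr = trw_step(llr, creditable_coefficient(msg))
        if llr >= ETA1:
            return "C&C", i
        if llr <= ETA0:
            return "benign", i
    return "undecided", len(messages)
```

Constructed sample channels for this heuristic: `[".login s3cret", ".ping 1000", ".update http://example.invalid/u.bin"]` is decided as C&C after three sentences, while a chat channel of ordinary sentences is decided benign after four.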
Keywords: Botnet; instruction syntax; threshold random walk (TRW)
Issue Date: 15 September 2017