Journal of Tsinghua University (Science and Technology), 2017, Vol. 57, Issue 9: 914-920. DOI: 10.16511/j.cnki.qhdxxb.2017.26.040
COMPUTER SCIENCE AND TECHNOLOGY
Detection of IRC Botnet C&C channels using the instruction syntax
YAN Jianen, ZHANG Zhaoxin, XU Haiyan, ZHANG Hongli
School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China
Abstract: The command and control (C&C) channel is the unique path through which an Internet relay chat (IRC) Botnet receives the commands that control it. This study analyzed the syntax characteristics of the control commands to develop a method for detecting the control command channel. A creditable coefficient was defined to describe the probability that a given sentence in a channel is a Botnet control command. An improved threshold random walk (TRW) algorithm was then driven by these creditable coefficients to accelerate the C&C channel detection. Tests show that this method can efficiently detect Botnet C&C channels.
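The abstract describes a per-message "creditable coefficient" feeding an improved TRW test. The following added example (not code from the paper or its authors) shows how such a coefficient-weighted sequential test can decide whether a channel is C&C or benign; the syntax heuristic used to score each line is an assumption standing in for the paper's analysis, and the sample channels are constructed.

```python
import math
import re

# Stand-in for the paper's syntax analysis (an assumption for this example):
# bot commands on IRC typically start with a sigil followed by a verb and a
# few operands; a network operand (IP:port or URL) makes the line more suspect.
COMMAND_RE = re.compile(r"^[.!]\w+(?:\s+\S+){0,4}$")
OPERAND_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?|https?://\S+")


def creditable_coefficient(msg: str) -> float:
    """Probability-like score that a channel line is a bot control command."""
    if COMMAND_RE.match(msg):
        return 0.9 if OPERAND_RE.search(msg) else 0.6
    return 0.1  # ordinary chat


def trw_classify(messages, theta1=0.8, theta0=0.2, alpha=0.01, beta=0.01):
    """Sequential probability ratio test (Wald / threshold random walk).
    H1: C&C channel, a line is a command with prob. theta1; H0: benign, theta0.
    The log-likelihood step of each line is weighted by its creditable
    coefficient c, so ambiguous lines move the walk less than clear ones.
    Returns (verdict, number_of_lines_consumed)."""
    upper = math.log((1 - beta) / alpha)   # accept H1 (C&C)
    lower = math.log(beta / (1 - alpha))   # accept H0 (benign)
    step_cmd = math.log(theta1 / theta0)
    step_chat = math.log((1 - theta1) / (1 - theta0))
    llr = 0.0
    for n, msg in enumerate(messages, 1):
        c = creditable_coefficient(msg)
        llr += c * step_cmd + (1 - c) * step_chat
        if llr >= upper:
            return "cc", n
        if llr <= lower:
            return "benign", n
    return "undecided", len(messages)


# Constructed sample channels (RFC 5737 documentation addresses, not real hosts).
CC_CHANNEL = [
    ".update http://192.0.2.10/upd.bin", ".sync 198.51.100.7:6667", "ok",
    ".keepalive 300", ".sync 203.0.113.9:6667", ".update http://192.0.2.10/upd.bin",
    ".status", ".sync 198.51.100.7:6667",
]
BENIGN_CHANNEL = [
    "hey anyone around tonight?", "!help", "did you see the match",
    "lol yes, unbelievable finish", "brb, grabbing coffee", "back",
]
```

With these thresholds the constructed C&C channel is flagged after 8 lines and the chat channel is cleared after 6, while a single command-looking line in a benign channel ("!help") only delays the walk rather than flipping it.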
Keywords: Botnet; instruction syntax; threshold random walk (TRW)
Chinese Library Classification (ZTFLH): TP393.0
Issue Date: 15 September 2017
Cite this article:
YAN Jianen, ZHANG Zhaoxin, XU Haiyan, et al. Detection of IRC Botnet C&C channels using the instruction syntax[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(9): 914-920.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2017.26.040 or http://jst.tsinghuajournals.com/EN/Y2017/V57/I9/914
Copyright © Journal of Tsinghua University(Science and Technology), All Rights Reserved.