The command and control (C&C) channel is the path over which the controller of an Internet Relay Chat (IRC) botnet sends commands to the bots. This study analyzed the syntactic characteristics of control commands to develop a method for detecting the C&C channel. A creditable coefficient was defined to describe the probability that a sentence observed in a channel is a botnet control command. An improved threshold random walk (TRW) algorithm uses these creditable coefficients to accelerate C&C channel detection. Tests show that the method detects botnet C&C channels efficiently.
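The abstract describes two pieces: a per-message creditable coefficient derived from command syntax, and a TRW (sequential hypothesis test) over each channel that consumes those coefficients. The following is an added illustration of that pipeline and not the paper's code or its feature set: the syntax heuristic (command sigil, short lowercase verb, structured arguments such as an IP, URL or number, absence of chat words), the probabilities `theta0`/`theta1`, the error bounds `alpha`/`beta`, and the soft weighting of each random-walk step by the coefficient are all assumptions chosen for the example. The IRC log lines are constructed, not captured traffic.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Minimal IRC PRIVMSG parser: ":nick!user@host PRIVMSG #chan :text" (assumed line shape)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Hypothetical syntax features of bot commands (not the paper's feature set)
COMMAND_PREFIXES = ".!@$"
ARG_PATTERNS = [
    re.compile(r"https?://\S+"),                 # URL argument (download/update)
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),  # dotted-quad IP argument (target)
    re.compile(r"\b\d+\b"),                      # numeric argument (port, rate, duration)
]
# Small constructed sample of chat words; a real deployment would use a proper word list
NATURAL_WORDS = {"the", "you", "lol", "hey", "what", "is", "are", "it", "this",
                 "that", "and", "to", "a", "i", "hi", "how"}


def creditable_coefficient(text: str) -> float:
    """Score in [0, 1]: how much a message looks like '<prefix><verb> <args>'."""
    text = text.strip()
    if not text:
        return 0.0
    tokens = text.split()
    score = 0.0
    if text[0] in COMMAND_PREFIXES:                 # leading command sigil
        score += 0.4
    verb = tokens[0].lstrip(COMMAND_PREFIXES)       # short lowercase verb token
    if verb.isalpha() and verb.islower() and len(verb) <= 12:
        score += 0.2
    if any(p.search(text) for p in ARG_PATTERNS):   # structured arguments
        score += 0.2
    words = [t.lower().strip(",.?!") for t in tokens]
    chatter = sum(1 for w in words if w in NATURAL_WORDS)
    score += 0.2 if chatter == 0 else -0.2 * chatter / len(tokens)
    return max(0.0, min(1.0, score))


@dataclass
class ChannelTRW:
    """Wald sequential test (the TRW of Jung et al.) per channel, with soft observations."""
    theta0: float = 0.1   # P(command-like message | benign channel), assumed
    theta1: float = 0.7   # P(command-like message | C&C channel), assumed
    alpha: float = 0.01   # tolerated false-positive rate
    beta: float = 0.01    # tolerated false-negative rate
    llr: float = 0.0      # accumulated log-likelihood ratio
    n: int = 0            # messages consumed before a verdict
    verdict: Optional[str] = None

    def observe(self, c: float) -> Optional[str]:
        if self.verdict is not None:
            return self.verdict
        self.n += 1
        # Weight the step by c: a confident command counts as a full positive
        # observation, chatter as a full negative one, ambiguous text in between.
        self.llr += c * math.log(self.theta1 / self.theta0) \
            + (1 - c) * math.log((1 - self.theta1) / (1 - self.theta0))
        if self.llr >= math.log((1 - self.beta) / self.alpha):
            self.verdict = "cnc"
        elif self.llr <= math.log(self.beta / (1 - self.alpha)):
            self.verdict = "benign"
        return self.verdict


def analyze(lines: Iterable[str]) -> Dict[str, ChannelTRW]:
    """Run one random walk per target channel over the PRIVMSG lines of a log."""
    walks: Dict[str, ChannelTRW] = {}
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue  # PING, JOIN and other protocol lines carry no command text
        walk = walks.setdefault(m.group("target"), ChannelTRW())
        walk.observe(creditable_coefficient(m.group("text")))
    return walks


SAMPLE_LOG = [  # constructed lines, not captured traffic
    "PING :irc.example.net",
    ":master!m@203.0.113.2 JOIN #bots",
    ":master!m@203.0.113.2 PRIVMSG #bots :.ddos 203.0.113.5 80 60",
    ":alice!a@192.0.2.10 PRIVMSG #chat :hey how are you doing?",
    ":master!m@203.0.113.2 PRIVMSG #bots :!dl http://198.51.100.7/u.exe 1",
    ":bob!b@192.0.2.11 PRIVMSG #chat :lol that is the best thing",
    ":master!m@203.0.113.2 PRIVMSG #bots :wait, is it running?",
    ":alice!a@192.0.2.10 PRIVMSG #chat :anyone up for a game at 9?",
    ":master!m@203.0.113.2 PRIVMSG #bots :.scan 10.0.0.0 8 445",
    ":bob!b@192.0.2.11 PRIVMSG #chat :i think it is this one",
    ":alice!a@192.0.2.10 PRIVMSG #chat :what are you talking about",
    ":bob!b@192.0.2.11 PRIVMSG #chat :hi all, the meeting is at noon",
    ":alice!a@192.0.2.10 PRIVMSG #chat :this is a test",
]

if __name__ == "__main__":
    for chan, w in analyze(SAMPLE_LOG).items():
        print(f"{chan}: verdict={w.verdict} after {w.n} messages (llr={w.llr:.2f})")
```

With these parameters `#bots` is flagged after four messages even though one of them is plain chatter from the operator, while `#chat` needs seven low-coefficient messages before the walk crosses the benign threshold. The soft weighting is what makes the walk "accelerate": a message scored 1.0 moves the log-likelihood ratio by the full ln(θ1/θ0) step, so a channel carrying well-formed commands reaches the C&C threshold in far fewer observations than a classifier that merely counts binary hits.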
YAN Jianen, ZHANG Zhaoxin, XU Haiyan, ZHANG Hongli. Detection of IRC Botnet C&C channels using the instruction syntax[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(9): 914-920.
DOI: 10.16511/j.cnki.qhdxxb.2017.26.040