Annual Computer Security Applications Conference (ACSAC) 2012


DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis

Paper: PDF, 397KB

Leyla Bilge
Symantec Research Labs
France

Davide Balzarotti
Eurecom
France

William Robertson
Northeastern University
United States

Engin Kirda
Northeastern University
United States

Christopher Kruegel
University of California, Santa Barbara
United States

Abstract:
Botnets continue to be a significant problem on the Internet.
Accordingly, a great deal of research has focused on methods for
detecting and mitigating the effects of botnets. Two of the primary
factors preventing the development of effective large-scale,
wide-area botnet detection systems are seemingly contradictory. On
the one hand, technical and administrative restrictions result in a
general unavailability of the raw network data that would facilitate
botnet detection on a large scale. On the other hand, were this data
available, real-time processing at that scale would be a formidable
challenge. In contrast to raw network data, NetFlow data is widely
available. However, NetFlow data imposes several challenges for
performing accurate botnet detection.

In this paper, we present DISCLOSURE, a large-scale, wide-area botnet
detection system that incorporates a combination of novel techniques to
overcome the challenges imposed by the use of NetFlow data. In particular,
we identify several groups of features (flow sizes, client access patterns,
and temporal behavior) that allow DISCLOSURE to reliably distinguish C&C
channels from benign traffic using only NetFlow records. To reduce
DISCLOSURE's false positive rate, we incorporate a number of external
reputation scores into our system's detection procedure. Finally, we provide
an extensive evaluation of DISCLOSURE over two large, real-world networks.
Our evaluation demonstrates that DISCLOSURE is able to perform real-time
detection of botnet C&C channels over datasets on the order of billions of
flows per day.
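The following is an added illustration of the three feature families the abstract names and of the reputation-score adjustment; it is not code from the paper or its authors. The flow records, the reputation table, the thresholds, and the rule-based score are all constructed assumptions for this example (the paper trains a classifier on its features rather than using fixed rules). Each record is a NetFlow-style tuple of client, server, port, start time in seconds, and byte count; flows are grouped by server endpoint, per-server features are computed (uniformity and size of flows, how persistently each client re-contacts the server, and how regular each client's inter-arrival times are), and a constructed external reputation score damps the result for well-known services so that a legitimate periodic poller is not reported as C&C.

```python
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Constructed NetFlow-style records: (client, server, port, start_s, bytes)."""
    flows = []
    # Three infected clients polling a C&C server every 300 s with near-constant size.
    for i, client in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        for k in range(6):
            flows.append((client, "203.0.113.5", 8080, 1000 + 7 * i + 300 * k, 500 + k % 3))
    # Two clients polling a legitimate update service every 600 s (looks like beaconing).
    for i, client in enumerate(["10.0.0.6", "10.0.0.7"]):
        for k in range(5):
            flows.append((client, "192.0.2.20", 443, 2000 + 11 * i + 600 * k, 1200))
    # Ordinary browsing to a popular web server: irregular timing, varied sizes.
    browsing = [("10.0.0.4", 1100, 15000), ("10.0.0.4", 1130, 820),
                ("10.0.0.4", 2900, 44000), ("10.0.0.4", 2905, 3200),
                ("10.0.0.5", 1500, 600), ("10.0.0.5", 4100, 120000),
                ("10.0.0.5", 4110, 9000), ("10.0.0.5", 4700, 2200)]
    for client, start, nbytes in browsing:
        flows.append((client, "198.51.100.10", 443, start, nbytes))
    return flows


# Constructed external reputation table (0 = unknown, 1 = well-known benign service).
REPUTATION = {"198.51.100.10": 0.95, "192.0.2.20": 0.9}


def cv(values):
    """Coefficient of variation; 0 for a constant or zero-mean series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def group_by_server(flows):
    """Index flows by (server, port) so features are computed per candidate C&C endpoint."""
    servers = defaultdict(list)
    for client, server, port, start, nbytes in flows:
        servers[(server, port)].append((client, start, nbytes))
    return servers


def extract_features(server_flows):
    """Per-server features: flow sizes, client access pattern, temporal behaviour."""
    sizes = [nbytes for _, _, nbytes in server_flows]
    starts_by_client = defaultdict(list)
    for client, start, _ in server_flows:
        starts_by_client[client].append(start)
    gap_cvs = []  # regularity of each client's inter-arrival times
    for starts in starts_by_client.values():
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) >= 2:
            gap_cvs.append(cv(gaps))
    return {
        "size_mean": mean(sizes),
        "size_cv": cv(sizes),
        "flows_per_client": len(sizes) / len(starts_by_client),
        "interarrival_cv": mean(gap_cvs) if gap_cvs else None,
    }


def cc_score(f):
    """Illustrative rule-based score in [0, 1]; assumed thresholds, not the paper's classifier."""
    hits = 0
    hits += f["size_cv"] < 0.2             # uniform flow sizes
    hits += f["size_mean"] < 2000          # small flows (commands, keep-alives)
    hits += f["flows_per_client"] >= 4     # persistent re-contact by each client
    hits += f["interarrival_cv"] is not None and f["interarrival_cv"] < 0.2  # regular beaconing
    return hits / 4


def detect(flows, reputation, threshold=0.75):
    """Return {(server, port): adjusted_score} for endpoints at or above threshold."""
    flagged = {}
    for (server, port), sflows in group_by_server(flows).items():
        # External reputation damps the score for well-known benign services.
        score = cc_score(extract_features(sflows)) * (1 - reputation.get(server, 0.0))
        if score >= threshold:
            flagged[(server, port)] = score
    return flagged


if __name__ == "__main__":
    for (server, port), score in sorted(detect(make_flows(), REPUTATION).items()):
        print(f"{server}:{port} flagged as C&C, score={score:.2f}")
```

Run with the reputation table, only the constructed C&C endpoint is reported; run with an empty table, the legitimate update poller is reported as well, which is the false-positive class the abstract says the reputation scores are meant to suppress.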


Powered by OpenConf®
Copyright ©2002-2012 Zakon Group LLC