The Journal of China Universities of Posts and Telecommunications ›› 2011, Vol. 18 ›› Issue (2): 106-113. doi: 10.1016/S1005-8885(10)60052-0

• Artificial Intelligence •

Analysis on the time-domain characteristics of botnets control traffic

李为民1,缪晨2,刘芳1,雷振明3   

  1. Beijing University of Posts and Telecommunications
    2.
    3. Key Laboratory of Information Processing and Intelligent Technology, Beijing University of Posts and Telecommunications
  • Received: 2010-08-27 Revised: 2011-02-21 Online: 2011-04-30 Published: 2011-04-15
  • Corresponding author: 李为民 E-mail: lwm_bupt@163.com
  • Supported by:

    National Science and Technology Support Program project "Trustworthy Internet"

Abstract:

Botnets are networks composed of malware-infected computers. They are designed and organized to be controlled by an adversary. Because victims are in most cases infected through their own inappropriate network behavior, the Internet protocol (IP) addresses of infected bots are unpredictable. Moreover, a bot may obtain its IP address through the dynamic host configuration protocol (DHCP), so bots must contact the controller on their own initiative, and they must keep trying because a controller cannot always be online. The whole process is carried out over the command and control (C&C) channel. Our goal is to characterize the network traffic of the C&C channel in the time domain. Our analysis draws upon massive data obtained from a honeynet and a large Internet service provider (ISP) network. We extract and summarize fingerprints of the bots collected in our honeynet. Next, using these fingerprints, we apply deep packet inspection (DPI) technology to search for active bots and controllers on the Internet. Then, we gather and analyze flow records reported by network traffic monitoring equipment. In this paper, we propose a flow record interval analysis of the time-domain characteristics of botnet control traffic, and based on this analysis we propose an algorithm to identify communications in the C&C channel. We then evaluate our approach on a 3.4 GB flow record trace, and the result is satisfactory. In addition, we believe that our work is also useful for the design of botnet detection schemes based on deep flow inspection (DFI) technology.
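The abstract's central observation is that a bot must re-contact its controller again and again, so the gaps between successive flow records of a (bot, controller) pair are far more regular than those of ordinary user traffic. The following added example (not the paper's algorithm, which the abstract does not give in detail) illustrates that kind of flow record interval analysis over a small set of constructed NetFlow-style records; the grouping key, the coefficient-of-variation statistic and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_seconds, src_ip, dst_ip, dst_port, bytes).
# Host 10.0.0.5 re-contacts 203.0.113.7:6667 roughly every 300 s (bot-like polling);
# host 10.0.0.8 browses a web server at irregular, user-driven times.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 6667, 412),
    (301, "10.0.0.5", "203.0.113.7", 6667, 398),
    (599, "10.0.0.5", "203.0.113.7", 6667, 405),
    (902, "10.0.0.5", "203.0.113.7", 6667, 410),
    (1200, "10.0.0.5", "203.0.113.7", 6667, 401),
    (1498, "10.0.0.5", "203.0.113.7", 6667, 399),
    (5, "10.0.0.8", "198.51.100.2", 443, 15233),
    (40, "10.0.0.8", "198.51.100.2", 443, 88210),
    (610, "10.0.0.8", "198.51.100.2", 443, 2048),
    (620, "10.0.0.8", "198.51.100.2", 443, 50211),
    (1400, "10.0.0.8", "198.51.100.2", 443, 7710),
    (1405, "10.0.0.8", "198.51.100.2", 443, 9001),
]

def interval_stats(flows):
    """Group flows by (src, dst, dport) and compute inter-flow interval statistics per pair."""
    by_pair = defaultdict(list)
    for start, src, dst, dport, _size in flows:
        by_pair[(src, dst, dport)].append(start)
    stats = {}
    for pair, starts in by_pair.items():
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) < 2:
            continue  # too few flows to say anything about periodicity
        m = mean(gaps)
        # Coefficient of variation of the gaps: 0 means perfectly regular re-contact.
        stats[pair] = {"flows": len(starts), "mean_gap": m, "cv": pstdev(gaps) / m}
    return stats

def periodic_pairs(flows, min_flows=5, max_cv=0.1):
    """Return host pairs whose flow intervals are regular enough to resemble C&C polling."""
    return sorted(pair for pair, s in interval_stats(flows).items()
                  if s["flows"] >= min_flows and s["cv"] <= max_cv)

if __name__ == "__main__":
    for pair, s in interval_stats(FLOWS).items():
        print(pair, f"flows={s['flows']} mean_gap={s['mean_gap']:.1f}s cv={s['cv']:.3f}")
    print("periodic C&C candidates:", periodic_pairs(FLOWS))
```

On real traces the thresholds need tuning, and legitimate periodic clients (NTP, software update checks) will also appear regular, which is why the paper pairs this time-domain view with DPI fingerprints.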

Key words:

botnet detection, netflow record, time domain analysis, deep flow inspection
