Abstract
Botnets, as networks of compromised “zombie” computers, represent one of
the most serious security threats on the Internet today. This paper explores
how machines compromised with bot malware can be identified in local and
enterprise networks in an accurate and time-efficient manner. The paper
introduces a novel multi-level botnet detection approach that performs
network traffic analysis of three protocols widely considered the main
carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP,
UDP and DNS. The proposed method relies on supervised machine learning to
identify patterns of botnet network traffic. The method has been
evaluated through a series of experiments using traffic traces originating
from 40 different bot samples and diverse benign applications. The
evaluation indicates accurate and time-efficient classification of botnet
traffic for all three protocols as well as promising performance in
identifying potentially compromised machines. Future work will be
devoted to optimizing the traffic analysis and correlating the findings
from the three analysis levels in order to increase the accuracy of identifying
compromised clients within the network.
| Original language | English |
|---|---|
| Journal | International Journal On Cyber Situational Awareness (IJCSA) |
| Volume | 1 |
| Issue number | 1 |
| Number of pages | 27 |
| ISSN | 2057-2182 |
| Status | Published - 2016 |