TY - JOUR
T1 - BotSpot: fast graph based identification of structured P2P bots
AU - Venkatesh, Bharath
AU - Choudhury, Sudip Hazra
AU - Nagaraja, Shishir
AU - Balakrishnan, N.
PY - 2015/11/1
Y1 - 2015/11/1
N2 - An essential component of a botnet is the Command and Control (C2) channel (a network). The mechanics of C2 establishment often involve the use of structured overlay techniques which create a scaffolding for sophisticated coordinated activities. However, these overlays can also be used as a point of detection because of their distinct communication patterns. Achieving this is a needle-in-a-haystack search problem across distributed vantage points. The search technique must be efficient given the high traffic throughput of modern core routers. In this paper, we focus on efficient algorithms for C2 channel detection. Experimental results on real Internet traffic traces from an ISP’s backbone network indicate that our techniques (i) have time complexity linear in the volume of traffic, (ii) have high F-measure, and (iii) are robust to the partial visibility arising from partial deployment of monitoring systems, and to measurement inaccuracies arising from partial visibility and dynamics of background traffic.
AB - An essential component of a botnet is the Command and Control (C2) channel (a network). The mechanics of C2 establishment often involve the use of structured overlay techniques which create a scaffolding for sophisticated coordinated activities. However, these overlays can also be used as a point of detection because of their distinct communication patterns. Achieving this is a needle-in-a-haystack search problem across distributed vantage points. The search technique must be efficient given the high traffic throughput of modern core routers. In this paper, we focus on efficient algorithms for C2 channel detection. Experimental results on real Internet traffic traces from an ISP’s backbone network indicate that our techniques (i) have time complexity linear in the volume of traffic, (ii) have high F-measure, and (iii) are robust to the partial visibility arising from partial deployment of monitoring systems, and to measurement inaccuracies arising from partial visibility and dynamics of background traffic.
KW - distributed hash table
KW - internet protocol address
KW - community detection algorithm
KW - dense subgraph
KW - domain name service
UR - http://www.scopus.com/inward/record.url?scp=84945493242&partnerID=8YFLogxK
U2 - 10.1007/s11416-015-0250-2
DO - 10.1007/s11416-015-0250-2
M3 - Article
AN - SCOPUS:84945493242
SN - 2274-2042
VL - 11
SP - 247
EP - 261
JO - Journal of Computer Virology and Hacking Techniques
JF - Journal of Computer Virology and Hacking Techniques
IS - 4
ER -
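Added illustration of the detection idea the abstract describes (dense subgraph extraction from a flow graph, linear-time, checked under partial visibility). This is not the BotSpot code from the paper, whose algorithm the record does not give; it stands in Charikar's greedy densest-subgraph peel, which is a well-known 2-approximation, and models the structured overlay as a ring in which each bot keeps links to its k successors, as a DHT routing table would. The flow records, host addresses (10.0.0.0/8 for background, the TEST-NET-1 range 192.0.2.0/24 for bots), the visibility fraction and the seeds are all constructed for the example.

```python
"""Greedy densest-subgraph detection over a constructed flow graph.

Added example, not the paper's BotSpot implementation: a small structured
P2P overlay (ring with k successor links per bot, a stand-in for a DHT
routing table) is planted inside random background traffic and recovered
with Charikar's greedy peel. All addresses and flows are constructed.
"""
import random
from collections import defaultdict


def build_graph(flows):
    """Undirected host graph from (src, dst) flow records; self-flows are ignored."""
    adj = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            adj[src].add(dst)
            adj[dst].add(src)
    return adj


def densest_subgraph(adj):
    """Charikar's greedy peel: repeatedly remove a minimum-degree vertex and
    return the vertex set with the best density (edges / vertices) seen.
    Degree buckets keep the pass O(|V| + |E|). Returns (vertex_set, density)."""
    deg = {v: len(nbrs) for v, nbrs in adj.items()}
    buckets = defaultdict(set)
    for v, d in deg.items():
        buckets[d].add(v)
    remaining = set(adj)
    edges = sum(deg.values()) // 2
    removed = []
    best_density, best_size = -1.0, 0
    cur_min = 0
    while remaining:
        density = edges / len(remaining)
        if density > best_density:
            best_density, best_size = density, len(remaining)
        while not buckets[cur_min]:
            cur_min += 1
        v = buckets[cur_min].pop()
        remaining.remove(v)
        removed.append(v)
        edges -= deg[v]  # deg[v] counts only edges to still-remaining vertices
        for u in adj[v]:
            if u in remaining:
                buckets[deg[u]].remove(u)
                deg[u] -= 1
                buckets[deg[u]].add(u)
                if deg[u] < cur_min:
                    cur_min = deg[u]
    # The vertices alive at the best snapshot are exactly the last best_size removed.
    return set(removed[-best_size:]), best_density


def synth_flows(n_background=200, n_background_flows=300, n_bots=12, k=4, seed=7):
    """Constructed flow records: random background traffic plus a planted
    ring overlay (each bot links to its k successors). Returns (flows, bots)."""
    rng = random.Random(seed)
    hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(n_background)]
    flows = [(rng.choice(hosts), rng.choice(hosts)) for _ in range(n_background_flows)]
    bots = [f"192.0.2.{i + 1}" for i in range(n_bots)]
    for i, bot in enumerate(bots):
        for step in range(1, k + 1):
            flows.append((bot, bots[(i + step) % n_bots]))  # DHT-style successor links
        flows.append((bot, hosts[i * 10]))  # one ordinary flow each, to distinct hosts
    return flows, set(bots)


def observed(flows, visible_fraction, seed=1):
    """Simulate partial monitor deployment: each flow is seen with the given probability."""
    rng = random.Random(seed)
    return [f for f in flows if rng.random() < visible_fraction]


def detect(flows):
    """Hosts in the densest subgraph of the flow graph (the C2 cluster candidate)."""
    cluster, _ = densest_subgraph(build_graph(flows))
    return cluster


def f_measure(found, truth):
    tp = len(found & truth)
    if tp == 0:
        return 0.0
    precision, recall = tp / len(found), tp / len(truth)
    return 2 * precision * recall / (precision + recall)


if __name__ == "__main__":
    flows, bots = synth_flows()
    full = detect(flows)
    print("full visibility: F =", f_measure(full, bots), "cluster size", len(full))
    partial = detect(observed(flows, 0.7))
    print("70% visibility:  F =", f_measure(partial, bots), "cluster size", len(partial))
```

The background traffic is sparse (average degree about 3), so it has no high-degree core and is peeled away entirely before any bot is touched; the snapshot left is exactly the overlay, whose 48 ring edges over 12 bots give density 4.0. With only 70% of flows observed the planted cluster loses edges but stays far denser than anything in the background, which is the partial-visibility robustness the abstract claims for its own, different, technique.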