BotHunter: detecting malware infection through IDS-driven dialog correlation

Authors: Vinod Yegneswaran, Guofei Gu, Wenke Lee, Martin Fong, Phillip Porras

Abstract: We present a new kind of network perimeter monitoring strategy, which focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection. BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by three malware-focused network packet sensors, each charged with detecting specific stages of the malware infection process, including inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, and outbound attack propagation. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process. We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation, and contrast this strategy to other intrusion detection and alert correlation methods. We present our experimental results using BotHunter in both virtual and live testing environments, and discuss our Internet release of the BotHunter prototype. BotHunter is made available both for operational use and to help stimulate research in understanding the life cycle of malware infections.
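As an added illustration of the per-host dialog correlation the abstract describes (example code, not the BotHunter implementation): alarms tagged by stage sensors are folded into an evidence trail per internal host, and a consolidated report is produced only when the trail matches an infection model. The monitored address range, the alarm format and the declaration rule are assumptions; the paper's actual threshold is not stated on this page.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Dialog stages named in the abstract; each sensor alarm carries one of them.
INBOUND = {"inbound_scan", "exploit"}                              # remote -> local victim
OUTBOUND = {"egg_download", "cnc_dialog", "outbound_propagation"}  # local victim -> remote
INTERNAL = ip_network("10.0.0.0/24")  # constructed monitored range (assumption)

def local_host(alert):
    """Return the internal asset an alarm concerns, or None if neither side is local."""
    side = alert["dst"] if alert["stage"] in INBOUND else alert["src"]
    return side if ip_address(side) in INTERNAL else None

def correlate(alerts, window=3600):
    """Group alarms per internal host and test each trail against a dialog model.
    Declaration rule (an assumption, not the paper's exact threshold): an exploit
    followed within `window` seconds by any outbound stage, or two distinct outbound
    stages, declares the host infected and yields a consolidated report."""
    trails = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        host = local_host(a)
        if host:
            trails[host].append(a)
    reports = {}
    for host, trail in trails.items():
        out = [a for a in trail if a["stage"] in OUTBOUND]
        exploits = [a for a in trail if a["stage"] == "exploit"]
        exploit_then_out = any(0 <= o["ts"] - e["ts"] <= window
                               for e in exploits for o in out)
        two_out = len({a["stage"] for a in out}) >= 2
        if exploit_then_out or two_out:
            # The report keeps every event that played a role, as the abstract describes.
            reports[host] = {"stages": sorted({a["stage"] for a in trail}), "events": trail}
    return reports

# Constructed sample alarms (not real traffic): host .5 shows a full dialog,
# host .9 is only scanned, which on its own must not produce a report.
SAMPLE = [
    {"ts": 100, "src": "203.0.113.7", "dst": "10.0.0.5", "stage": "inbound_scan"},
    {"ts": 130, "src": "203.0.113.7", "dst": "10.0.0.5", "stage": "exploit"},
    {"ts": 160, "src": "10.0.0.5", "dst": "203.0.113.7", "stage": "egg_download"},
    {"ts": 900, "src": "10.0.0.5", "dst": "198.51.100.2", "stage": "cnc_dialog"},
    {"ts": 140, "src": "203.0.113.7", "dst": "10.0.0.9", "stage": "inbound_scan"},
]

if __name__ == "__main__":
    for host, rep in correlate(SAMPLE).items():
        print(host, rep["stages"], len(rep["events"]), "events")
```

A lone scan or a lone exploit never triggers a report; the model needs outbound evidence from the same host, which is the point of dialog-based correlation over single-alarm alerting.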
