JACKSTRAWS: picking command and control connections from bot traffic

Authors: Christopher Kruegel, Ralf Hund, Thorsten Holz, Gregoire Jacob

Abstract: A distinguishing characteristic of bots is their ability to establish a command and control (C&C) channel. The typical approach to building detection models for C&C traffic and to identifying C&C endpoints (IP addresses and domains of C&C servers) is to execute a bot in a controlled environment and monitor its outgoing network connections. Using the bot traffic, one can then craft signatures that match C&C connections or blacklist the IP addresses and domains that the packets are sent to. Unfortunately, this process is not as easy as it seems. For example, bots often open a large number of additional connections to legitimate sites (to perform click fraud or to query the current time), and bots can deliberately produce "noise", i.e. bogus connections that make the analysis more difficult. Thus, before one can build a model for C&C traffic or blacklist IP addresses and domains, one first has to pick the C&C connections from among all the connections that a bot produces. In this paper, we present JACKSTRAWS, a system that accurately identifies C&C connections. To this end, we leverage host-based information that provides insights into which data is sent over each network connection as well as the ways in which a bot processes the information it receives. More precisely, we associate with each network connection a behavior graph that captures the system calls that lead to this connection, as well as the system calls that operate on the data that is returned. By using machine learning techniques and a training set of graphs associated with known C&C connections, we automatically extract and generalize templates that capture the core of different types of C&C activity. Later, we use these C&C templates to match against behavior graphs produced by other bots. Our results show that JACKSTRAWS can accurately detect C&C connections, even for novel bot families that were not used for template generation.
