Detection of Covert Botnet Command and Control Channels by Causal Analysis of Traffic Flows
The Command and Control communication of a botnet is evolving into sophisticated covert communication. Techniques such as encryption, steganography, and recently the use of social network websites as a proxy, impede conventional detection of botnet communication. In this paper we propose detection of covert communication by passive, host-external analysis of causal relationships between traffic flows and prior traffic or user activity. Identifying the direct causes of traffic flows allows for real-time bot detection with a low exposure to malware, and for offline forensic analysis of traffic. The proposed causal analysis of traffic is experimentally evaluated with a self-developed tool called CITRIC on various types of real Command and Control traffic.
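The abstract's central idea, attributing each new outbound flow to a direct cause (a preceding DNS answer, an earlier flow to the same peer, or recent user input) and treating flows without any such cause as candidate covert C&C, can be sketched as a small analysis over an event timeline. The following is an added illustration and is not CITRIC's own code or the paper's algorithm: the event model, the three causal rules, their priority, the time windows (3 s, 5 s, 10 s) and the constructed sample timeline with documentation-range IP addresses are all assumptions made for the example.

```python
"""Toy causal attribution of outbound flows (added example, not the paper's CITRIC tool).

Model (assumed for this example): the capture is a time-ordered list of events,
each of which is user input activity, a DNS answer, or a new outbound flow.
A flow is considered 'caused' if, looking back from its start time, we find
  1. a DNS answer resolving to its destination within DNS_WINDOW seconds,
  2. an earlier flow to the same destination within FLOW_WINDOW seconds, or
  3. user input within USER_WINDOW seconds.
Flows with none of these are reported as uncaused (candidate covert C&C).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Time windows are assumptions chosen for the example, not values from the paper.
USER_WINDOW = 3.0   # user input this recently may have triggered the flow
DNS_WINDOW = 5.0    # a DNS answer naming the destination this recently
FLOW_WINDOW = 10.0  # an earlier flow to the same peer this recently (session continuation)


@dataclass
class Event:
    t: float          # seconds since capture start
    kind: str         # "user" (input activity), "dns" (answer), or "flow" (new outbound flow)
    dst: str = ""     # destination IP for "flow"; resolved IP for "dns"
    name: str = ""    # queried name for "dns"


def find_cause(flow: Event, history: List[Event]) -> Optional[str]:
    """Return a label for the most direct cause of `flow` found in `history`, or None.

    `history` holds the events that precede `flow`; the rules are applied in
    priority order so that a DNS answer wins over session continuation, which
    wins over bare user activity.
    """
    recent = [ev for ev in history if 0 <= flow.t - ev.t]
    for ev in reversed(recent):  # newest first
        if ev.kind == "dns" and ev.dst == flow.dst and flow.t - ev.t <= DNS_WINDOW:
            return f"dns:{ev.name}"
    for ev in reversed(recent):
        if ev.kind == "flow" and ev.dst == flow.dst and flow.t - ev.t <= FLOW_WINDOW:
            return f"flow@{ev.t}"
    for ev in reversed(recent):
        if ev.kind == "user" and flow.t - ev.t <= USER_WINDOW:
            return f"user@{ev.t}"
    return None


def analyse(events: List[Event]) -> List[Tuple[float, str, Optional[str]]]:
    """Attribute every outbound flow in `events`; returns (start, dst, cause) triples."""
    ordered = sorted(events, key=lambda e: e.t)
    results = []
    for i, ev in enumerate(ordered):
        if ev.kind == "flow":
            results.append((ev.t, ev.dst, find_cause(ev, ordered[:i])))
    return results


def uncaused_flows(events: List[Event]) -> List[Tuple[float, str]]:
    """Flows for which no direct cause was found: the candidates to investigate."""
    return [(t, dst) for t, dst, cause in analyse(events) if cause is None]


# Constructed sample timeline (not captured data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges. The flows to 198.51.100.7 recur
# with no DNS lookup, no user input and no recent session: a beacon-like pattern.
SAMPLE = [
    Event(0.0, "user"),
    Event(0.2, "dns", dst="203.0.113.10", name="www.example.com"),
    Event(0.5, "flow", dst="203.0.113.10"),     # caused by the DNS answer
    Event(1.0, "flow", dst="203.0.113.10"),     # still within the DNS window
    Event(7.0, "flow", dst="203.0.113.10"),     # DNS too old; caused by the flow at 1.0
    Event(60.0, "flow", dst="198.51.100.7"),    # nothing precedes it: uncaused
    Event(120.0, "flow", dst="198.51.100.7"),   # earlier flow is 60 s old: uncaused
    Event(125.0, "user"),
    Event(125.3, "dns", dst="203.0.113.20", name="mail.example.org"),
    Event(125.6, "flow", dst="203.0.113.20"),   # caused by the DNS answer
]

if __name__ == "__main__":
    for t, dst, cause in analyse(SAMPLE):
        print(f"{t:7.1f}s  -> {dst:15s}  cause={cause}")
    print("uncaused:", uncaused_flows(SAMPLE))
```

The example deliberately ignores what a real implementation must handle: matching on IP only misses redirects and CDN fan-out, fixed windows produce false positives for long-lived sessions and background updaters, and a bot that defers its traffic until it observes genuine user activity or a genuine DNS lookup (as the social-network proxying mentioned in the abstract effectively does) acquires an apparent cause. Those caveats are the evaluation questions the paper addresses; the snippet only makes the attribution idea concrete.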
Keywords: Botnets; Network Intrusion Detection; Computer Networks
Pieter Burghouwt, Marcel Spruit, Henk Sips
Parallel and Distributed Systems Group, Delft University of Technology, Mekelweg 4, Delft 2628CD, The Netherlands
Type: International conference
Venue: The 5th International Symposium on Cyberspace Safety and Security (CSS2013)
Location: Zhangjiajie
Language: English
Pages: 117-131
2013-11-13 (date the entry first went online on the Wanfang platform; not the paper's publication date)