tailieunhanh - An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic

Botnets are large networks of bots (compromised machines) that are under the control of a small number of bot masters. They pose a significant threat to Internet’s communications and applications. A botnet relies on command and control (C2) communications channels traffic between its members for its attack execution. C2 traffic occurs prior to any attack; hence, the detection of botnet’s C2 traffic enables the detection of members of the botnet before any real harm happens. We analyze C2 traffic and find that it exhibits a periodic behavior. This is due to the pre-programmed behavior of bots that check for updates to download them every T seconds. We exploit this periodic behavior to detect C2 traffic. The detection involves evaluating the periodogram of the monitored traffic. Then applying Walker’s large sample test to the periodogram’s maximum ordinate in order to determine if it is due to a periodic component or not. If the periodogram of the monitored traffic contains a periodic component, then it is highly likely that it is due to a bot’s C2 traffic. The test looks only at aggregate control plane traffic behavior, which makes it more scalable than techniques that involve deep packet inspection (DPI) or tracking the communication flows of different hosts. We apply the test to two types of botnet, tinyP2P and IRC that are generated by SLINGbot. We verify the periodic behavior of their C2 traffic and compare it to the results we get on real traffic that is obtained from a secured enterprise network. We further study the characteristics of the test in the presence of injected HTTP background traffic and the effect of the duty cycle on the periodic behavior. | An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic

• Cơ khí - Chế tạo máy
• Botnet detection
• Control plane traffic
• Discrete time series analysis
• Walker large sample test
• Summary of Computer dotoral thesis
• Hệ thống thông tin
• Luận án Tiến sĩ Máy tính
• IoT devices
• Proposing PSI
• Journal of Computer science
• Iot botnet detection
• Various one class classifiers
• One class classifiers support vector machine
• Elliptic envelope
• Local outlier factor
• báo cáo khoa học
• báo cáo hóa học
• công trình nghiên cứu về hóa học
• tài liệu về hóa học
• cách trình bày báo cáo
• Bi LSTM deep learning network
• Deep learning
• Malicious URL detection
• Attention mechanism in deep learning
• Micro average