BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection

Guofei Gu, Roberto Perdisci, Junjie Zhang, Wenke Lee

Research output: Contribution to conference › Paper › peer-review

Abstract

Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
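The cross-cluster correlation the abstract describes, as an added illustration that is not the paper's BotMiner code: hosts are grouped once by their communication pattern (C-plane) and once by the malicious activity they exhibit (A-plane), on constructed sample data, and only hosts that share a cluster in both planes with another host are reported as a botnet. Grouping by an exact quantized fingerprint and the two activity labels are simplifying assumptions; the paper clusters on flow statistics and uses detector output for the activity plane.

```python
from collections import defaultdict

# Constructed sample input (not from the paper). C-plane: each host's quantized
# communication fingerprint (destination, port, flows/hour bucket, bytes/packet bucket).
C_PLANE = {
    "10.0.0.1": ("203.0.113.7", 6667, "fph:low", "bpp:small"),
    "10.0.0.2": ("203.0.113.7", 6667, "fph:low", "bpp:small"),
    "10.0.0.3": ("203.0.113.7", 6667, "fph:low", "bpp:small"),
    "10.0.0.4": ("203.0.113.7", 6667, "fph:low", "bpp:small"),   # same IRC server, no malice
    "10.0.0.5": ("198.51.100.9", 443, "fph:high", "bpp:large"),  # ordinary web client
    "10.0.0.6": ("198.51.100.9", 443, "fph:high", "bpp:large"),
}
# A-plane: malicious activities observed per host by scan/spam detectors (constructed).
A_PLANE = {
    "10.0.0.1": {"scan:445", "spam"},
    "10.0.0.2": {"scan:445", "spam"},
    "10.0.0.3": {"scan:445"},
    "10.0.0.4": set(),
    "10.0.0.5": {"spam"},   # lone spammer: malicious, but no C-plane peer does the same
    "10.0.0.6": set(),
}

def c_clusters(c_plane):
    """Group hosts with identical quantized communication fingerprints. Exact
    matching stands in for the paper's clustering of flow statistics (simplification)."""
    groups = defaultdict(set)
    for host, fingerprint in c_plane.items():
        groups[fingerprint].add(host)
    return [g for g in groups.values() if len(g) > 1]

def a_clusters(a_plane):
    """Group hosts by each malicious activity type they exhibit."""
    groups = defaultdict(set)
    for host, activities in a_plane.items():
        for act in activities:
            groups[act].add(host)
    return [g for g in groups.values() if len(g) > 1]

def cross_plane_correlate(c_plane, a_plane):
    """A host is a bot if it shares at least one C-cluster AND one A-cluster with
    another host; transitively linked bots form one candidate botnet."""
    cc, ac = c_clusters(c_plane), a_clusters(a_plane)
    linked = defaultdict(set)
    for h in c_plane:
        for o in c_plane:
            if h != o and any({h, o} <= g for g in cc) and any({h, o} <= g for g in ac):
                linked[h].add(o)
    botnets, seen = [], set()
    for h in sorted(linked):          # connected components of the link graph
        if h in seen:
            continue
        stack, group = [h], set()
        while stack:
            x = stack.pop()
            if x not in group:
                group.add(x)
                stack.extend(linked[x])
        seen |= group
        botnets.append(frozenset(group))
    return botnets
```

On the sample data only 10.0.0.1 through 10.0.0.3 are reported: 10.0.0.4 shares the C&C pattern but no activity, and 10.0.0.5 spams but shares no communication cluster with the other spammers.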

Original language: English
Pages: 139-154
Number of pages: 16
State: Published - 2008
Externally published: Yes
Event: 17th USENIX Security Symposium - San Jose, United States
Duration: Jul 28, 2008 - Aug 1, 2008

Conference

Conference: 17th USENIX Security Symposium
Country/Territory: United States
City: San Jose
Period: 7/28/08 - 8/1/08

ASJC Scopus Subject Areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Keywords

  • BotMiner
  • Botnet detection
  • clustering analysis
  • network traffic
  • protocol-independent
  • structure-independent

Disciplines

  • Computer Sciences
  • Engineering
