Early detection of in-the-wild botnet attacks by exploiting network communication uniformity

an empirical study

Zainab Abaid*, Mohamed Ali Kaafar, Sanjay Jha

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contribution

2 Citations (Scopus)

Abstract

Distributed attacks originating from botnet-infected machines (bots) such as large-scale malware propagation campaigns orchestrated via spam emails can quickly affect other network infrastructures. As these attacks are made successful only by the fact that hundreds of infected machines engage in them collectively, their damage can be avoided if machines infected with a common botnet can be detected early rather than after an attack is launched. Prior studies have suggested that outgoing bot attacks are often preceded by other 'tell-tale' malicious behaviour, such as communication with botnet controllers (C&C servers) that command botnets to carry out attacks. We postulate that observing similar behaviour occuring in a synchronised manner across multiple machines is an early indicator of a widespread infection of a single botnet, leading potentially to a large-scale, distributed attack. Intuitively, if we can detect such synchronised behaviour early enough on a few machines in the network, we can quickly contain the threat before an attack does any serious damage. In this work we present a measurement-driven analysis to validate this intuition. We empirically analyse the various stages of malicious behaviour that are observed in real botnet traffic, and carry out the first systematic study of the network behaviour that typically precedes outgoing bot attacks and is synchronised across multiple infected machines. We then implement as a proof-of-concept a set of analysers that monitor synchronisation in botnet communication to generate early infection and attack alerts. We show that with this approach, we can quickly detect nearly 80% of real-world spamming and port scanning attacks, and even demonstrate a novel capability of preventing these attacks altogether by predicting them before they are launched.

Original languageEnglish
Title of host publication2017 IFIP Networking Conference (IFIP Networking) and Workshops
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Pages1-9
Number of pages9
Volume2018-January
ISBN (Electronic)9783901882944
ISBN (Print)9781538628294
DOIs
Publication statusPublished - 2017
Externally publishedYes
Event2017 IFIP Networking Conference and Workshops, IFIP Networking 2017 - Stockholm, Sweden
Duration: 12 Jun 201716 Jun 2017

Conference

Conference2017 IFIP Networking Conference and Workshops, IFIP Networking 2017
CountrySweden
CityStockholm
Period12/06/1716/06/17

Fingerprint Dive into the research topics of 'Early detection of in-the-wild botnet attacks by exploiting network communication uniformity: an empirical study'. Together they form a unique fingerprint.

  • Cite this

    Abaid, Z., Kaafar, M. A., & Jha, S. (2017). Early detection of in-the-wild botnet attacks by exploiting network communication uniformity: an empirical study. In 2017 IFIP Networking Conference (IFIP Networking) and Workshops (Vol. 2018-January, pp. 1-9). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.23919/IFIPNetworking.2017.8264866