DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis
Accordingly, a great deal of research has focused on methods for
detecting and mitigating the effects of botnets. Two of the primary
factors preventing the development of effective large-scale,
wide-area botnet detection systems are seemingly contradictory. On
the one hand, technical and administrative restrictions result in a
general unavailability of raw network data that would facilitate
botnet detection on a large scale. On the other hand, were this data
available, real-time processing at that scale would be a formidable
challenge. In contrast to raw network data, NetFlow data is widely
available. However, NetFlow data poses several challenges for accurate
botnet detection: flow records carry no packet payload, only aggregate
per-connection metadata.
In this paper, we present Disclosure, a large-scale, wide-area botnet
detection system that incorporates a combination of novel techniques to
overcome the challenges imposed by the use of NetFlow data. In particular,
we identify several groups of features that allow Disclosure to reliably
distinguish C&C channels from benign traffic using NetFlow records alone
(namely flow sizes, client access patterns, and temporal behavior). To reduce
Disclosure's false positive rate, we incorporate a number of external
reputation scores into the system's detection procedure. Finally, we provide
an extensive evaluation of Disclosure over two large, real-world networks.
Our evaluation demonstrates that Disclosure is able to perform real-time
detection of botnet C&C channels over datasets on the order of billions of
flows per day.
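As an added illustration (not the paper's code, and not Disclosure's actual feature definitions or classifier), the following Python sketch computes simplified versions of the three feature groups named in the abstract from NetFlow-style records: flow-size regularity, client access patterns (how many clients, how regularly each returns), and temporal behavior (inter-arrival periodicity). It then applies a hypothetical decision rule and shows how an external reputation score can suppress a false positive on a legitimately periodic service. The flow records, the thresholds, and the reputation values are all constructed for this example.

```python
"""Simplified NetFlow-derived C&C features over constructed records.

Added illustration only: the feature definitions, thresholds and the
reputation lookup are assumptions for this sketch, not DISCLOSURE's
actual feature extraction or classifier.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who talked to whom, when, and how much."""
    start: float   # flow start, seconds since epoch
    src: str       # client address
    dst: str       # server address
    dport: int     # server port
    bytes: int     # bytes sent by the client in this flow


def cv(values):
    """Coefficient of variation (population std / mean); 0.0 if undefined."""
    if len(values) < 2:
        return 0.0
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def server_features(flows):
    """Per (dst, dport): flow-size, client-access and temporal features."""
    by_server = defaultdict(list)
    for f in flows:
        by_server[(f.dst, f.dport)].append(f)

    feats = {}
    for key, fl in by_server.items():
        sizes = [f.bytes for f in fl]
        # Group flows by client, then measure how regularly each client returns.
        per_client = defaultdict(list)
        for f in fl:
            per_client[f.src].append(f.start)
        intervals = []
        for times in per_client.values():
            times.sort()
            intervals.extend(b - a for a, b in zip(times, times[1:]))
        feats[key] = {
            "flows": len(fl),
            "clients": len(per_client),
            "size_cv": cv(sizes),                    # beacons: near-constant size
            "distinct_size_ratio": len(set(sizes)) / len(sizes),
            "interval_cv": cv(intervals),            # beacons: near-constant period
            "mean_interval": mean(intervals) if intervals else 0.0,
        }
    return feats


def classify(feat, reputation, min_clients=3, min_flows=10):
    """Hypothetical rule (assumed thresholds): regular sizes plus regular
    timing across several clients is suspicious, unless the server has a
    strong external reputation (constructed 0..1 score, 1 = fully trusted)."""
    regular = feat["size_cv"] < 0.1 and feat["interval_cv"] < 0.2
    popular = feat["clients"] >= min_clients and feat["flows"] >= min_flows
    if not (regular and popular):
        return "benign"
    if reputation >= 0.9:
        return "benign (reputation)"
    return "suspicious"


def detect(flows, reputation_by_host):
    feats = server_features(flows)
    return {key: classify(f, reputation_by_host.get(key[0], 0.0))
            for key, f in feats.items()}


def build_sample_flows():
    """Constructed sample data (not a real capture)."""
    flows = []
    t0 = 1_700_000_000.0
    # 1) C&C-like server: 4 bots beacon every ~300 s with 512-byte requests.
    for c in range(4):
        for i in range(12):
            jitter = (i * 7) % 5 - 2                 # -2..+2 s of jitter
            flows.append(Flow(t0 + c * 13 + 300 * i + jitter,
                              f"10.0.0.{c + 1}", "203.0.113.7", 8080, 512))
    # 2) Web server: 5 clients with varied sizes and irregular inter-arrivals.
    for c in range(5):
        t = t0 + c * 11
        for i in range(8):
            t += 5 + (i * 97 + c * 31) % 600
            size = 400 + (i * 137 + c * 53) % 9000
            flows.append(Flow(t, f"10.0.1.{c + 1}", "198.51.100.10", 443, size))
    # 3) Update server: strictly periodic fixed-size polls from 6 hosts; looks
    #    like a beacon by timing alone, but carries a high reputation.
    for c in range(6):
        for i in range(10):
            flows.append(Flow(t0 + c * 17 + 600 * i,
                              f"10.0.2.{c + 1}", "192.0.2.53", 443, 1024))
    return flows


# Constructed reputation scores (e.g. from an external allowlist), 0..1.
SAMPLE_REPUTATION = {"192.0.2.53": 0.95, "198.51.100.10": 0.7}


if __name__ == "__main__":
    for key, label in sorted(detect(build_sample_flows(), SAMPLE_REPUTATION).items()):
        print(f"{key[0]}:{key[1]} -> {label}")
```

Run stand-alone, the script labels 203.0.113.7:8080 as suspicious, 198.51.100.10:443 as benign, and 192.0.2.53:443 as benign only because of its reputation score; without that lookup the update server would be a false positive, which is exactly the class of error the abstract says external reputation is meant to cut. A real system would replace the hand-set thresholds with a trained classifier over many more flow-derived features.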
Author(s):
Leyla Bilge
Symantec Research Labs
France
Davide Balzarotti
Eurecom
France
William Robertson
Northeastern University
United States
Engin Kirda
Northeastern University
United States
Christopher Kruegel
University of California, Santa Barbara
United States