Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers

Burghouwt, Pieter and Spruit, Marcel E.M. and Sips, Henk J. (2015) Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers. EAI Endorsed Transactions on Security and Safety, 2 (4). e2. ISSN 2032-9393

eai.5-10-2015.150476.pdf
Available under License Creative Commons Attribution No Derivatives.


Abstract

Network-based detection of botnet Command and Control communication is a difficult task if the traffic has a relatively low volume and if popular protocols, such as HTTP, are used to resemble normal traffic. We present a new network-based detection approach that is capable of detecting this type of Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. If the destination identifier of a traffic flow originates directly from human input, from prior traffic with a trusted destination, or from a defined set of legitimate applications, the destination is trusted and its associated traffic is classified as normal; traffic to destinations without such an origin is flagged. Advantages of this approach are the ability to detect zero-day malicious traffic, low exposure to malware because monitoring is passive and external to the host, and applicability to real-time filtering. Experimental evaluation demonstrates successful detection of diverse types of Command and Control traffic.
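The staged trust evaluation the abstract describes, as an added illustration that is not the authors' code or the paper's implementation. It processes constructed outbound HTTP flow records in time order and trusts a destination when (1) the flow follows human input on the source host within a short window, (2) its HTTP Referer names a destination already trusted, or (3) it belongs to an assumed whitelist of application destinations; everything else is reported as suspect. The human-input timestamps, the window size, the whitelist, the hostnames and the use of the Referer host as the "prior traffic" link are all assumptions made for the example, not details taken from the paper.

```python
"""Illustrative multistage destination-trust evaluation (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float                     # seconds since start of capture
    src: str                      # internal source host
    dst_host: str                 # destination identifier (Host header / SNI / hostname)
    referer_host: Optional[str]   # host part of the HTTP Referer, if the flow carried one


# Assumption: a sensor reports when a user was actively typing/clicking on a host.
# A flow started within HUMAN_WINDOW seconds of such an event is treated as human-initiated.
HUMAN_WINDOW = 2.0

# Assumption: destinations of a defined set of legitimate applications (e.g. OS update, NTP).
APP_WHITELIST = frozenset({"updates.example-os.test", "ntp.example-os.test"})

# Constructed sample flows (hostnames are fictitious, .test TLD).
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.5, "h1", "www.news.test", None),                       # user typed a URL
    Flow(5.0, "h1", "cdn.news.test", "www.news.test"),            # embedded resource
    Flow(5.3, "h1", "ads.tracker.test", "cdn.news.test"),         # chained via trusted referer
    Flow(30.0, "h1", "updates.example-os.test", None),            # whitelisted application
    Flow(60.0, "h1", "c2.evil.test", None),                       # beacon: no human input, no referer
    Flow(60.1, "h1", "c2.evil.test", "www.example-search.test"),  # forged referer to an unknown host
    Flow(61.0, "h2", "www.news.test", None),                      # destination already trusted
]
# Constructed human-input events per source host (seconds). h2 shows no user activity at all.
HUMAN_INPUT: Dict[str, Sequence[float]] = {"h1": [0.0]}


def classify(flows: Sequence[Flow],
             human_input_ts: Dict[str, Sequence[float]],
             app_whitelist=APP_WHITELIST,
             window: float = HUMAN_WINDOW) -> List[Tuple[Flow, str, str]]:
    """Return (flow, verdict, reason) per flow, processed in time order.

    Trust is a property of the destination for the whole monitored network: once a
    destination is trusted by any stage, later flows to it are classified as normal.
    Trust propagates along Referer links only from destinations that are already
    trusted, so a Referer pointing at an unknown host confers nothing.
    """
    trusted = set(app_whitelist)             # stage 3 seeds the trusted set
    results: List[Tuple[Flow, str, str]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        reason = None
        if f.dst_host in trusted:
            reason = "already-trusted"
        elif any(0.0 <= f.ts - t <= window for t in human_input_ts.get(f.src, ())):
            reason = "human-input"           # stage 1
        elif f.referer_host is not None and f.referer_host in trusted:
            reason = "referred-by-trusted"   # stage 2
        if reason is not None:
            trusted.add(f.dst_host)
            results.append((f, "normal", reason))
        else:
            results.append((f, "suspect", "no-trusted-origin"))
    return results


def suspect_destinations(results: Sequence[Tuple[Flow, str, str]]) -> List[str]:
    """Distinct destinations that never acquired trust, in first-seen order."""
    seen: List[str] = []
    for f, verdict, _ in results:
        if verdict == "suspect" and f.dst_host not in seen:
            seen.append(f.dst_host)
    return seen


if __name__ == "__main__":
    for f, verdict, reason in classify(SAMPLE_FLOWS, HUMAN_INPUT):
        print(f"{f.ts:6.1f} {f.src} -> {f.dst_host:28s} {verdict:8s} {reason}")
    print("suspect:", suspect_destinations(classify(SAMPLE_FLOWS, HUMAN_INPUT)))
```

The ordering of stages matters: a flow is checked against the cheapest evidence first, and trust learned from an earlier flow is what lets the referer stage accept the later ones, which is why the records must be processed chronologically. In a real deployment the human-input signal and the application set would come from the environment, and the monitor would act on the suspect verdict (alert or filter) rather than print it.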

Item Type: Article
Uncontrolled Keywords: Botnets, Network Intrusion Detection, Anomaly Detection
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Depositing User: EAI Editor IV
Date Deposited: 26 Mar 2021 13:50
Last Modified: 26 Mar 2021 13:50
URI: https://eprints.eudl.eu/id/eprint/2030
