
Exploiting Temporal Persistence to Detect Covert Botnet Channels

Frédéric Giroire 1 Jaideep Chandrashekar 2 Nina Taft 2 Eve Schooler 2 Konstantina Papagiannaki 3
1 MASCOTTE - Algorithms, simulation, combinatorics and optimization for telecommunications
CRISAM - Inria Sophia Antipolis - Méditerranée , Laboratoire I3S - COMRED - COMmunications, Réseaux, systèmes Embarqués et Distribués
Abstract : We describe a method to detect botnet command and control traffic at individual end-hosts. We introduce the notion of destination traffic atoms, which aggregate the destinations and services that are communicated with. We then compute the persistence, a measure of temporal regularity that we propose in this paper, for individual destination atoms. Very persistent destination atoms are added to a host's whitelist during a training period. Subsequently, we track the persistence of new destination atoms not already whitelisted, to identify suspicious C&C destinations. A particularly novel aspect is that we track persistence at multiple timescales concurrently. Importantly, our method does not require any a priori information about destinations, ports, or protocols used in the C&C, nor do we require payload inspection. We evaluate our system using extensive user traffic traces collected from an enterprise network, along with collected botnet traces. We demonstrate that our method correctly identifies a botnet's C&C traffic, even when it is very stealthy. We also show that filtering outgoing traffic with the constructed whitelists dramatically improves the performance of traditional anomaly detectors. Finally, we show that the C&C detection can be achieved with a very low false positive rate.
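The following is an added illustration of the detection scheme the abstract outlines; it is not code from the paper or its authors. It assumes a destination atom is the triple (destination IP, port, protocol) and reads "persistence" as the fraction of consecutive time bins of a given length in which an atom is seen at least once; the timescales, the 0.6 threshold, the seven-day training and detection periods, and all flow records (hourly mail polling, a daily update check, sporadic browsing, and two beaconing destinations) are constructed for the example. Tracking several timescales at once is what lets the 12-hour beacon be caught: it looks sporadic at the 1-hour scale but is perfectly regular at the 24-hour scale.

```python
from collections import defaultdict
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)
class Flow:
    """One outgoing connection record (constructed; a real deployment would read flow logs)."""
    ts: int          # seconds since the start of observation
    dst_ip: str
    dst_port: int
    proto: str


def atom(flow):
    """Destination atom: assumed here to be (destination IP, port, protocol)."""
    return (flow.dst_ip, flow.dst_port, flow.proto)


def persistence(flows, start, end, window):
    """Persistence of each atom at one timescale: the fraction of consecutive bins
    of length `window` within [start, end) in which the atom appears at least once.
    (Assumed reading of the abstract's 'measure of temporal regularity'.)"""
    assert (end - start) % window == 0, "period must be a whole number of bins"
    n_bins = (end - start) // window
    bins_seen = defaultdict(set)
    for f in flows:
        if start <= f.ts < end:
            bins_seen[atom(f)].add((f.ts - start) // window)
    return {a: len(b) / n_bins for a, b in bins_seen.items()}


def multiscale_persistence(flows, start, end, windows):
    """Persistence of every atom at each timescale in `windows`, tracked concurrently."""
    result = defaultdict(dict)
    for w in windows:
        for a, p in persistence(flows, start, end, w).items():
            result[a][w] = p
    return dict(result)


def build_whitelist(flows, start, end, windows, threshold):
    """Training phase: atoms persistent at any timescale are whitelisted."""
    scores = multiscale_persistence(flows, start, end, windows)
    return {a for a, ps in scores.items() if max(ps.values()) >= threshold}


def suspicious_atoms(flows, start, end, windows, whitelist, threshold):
    """Detection phase: non-whitelisted atoms that become persistent at any timescale."""
    scores = multiscale_persistence(flows, start, end, windows)
    return {a: ps for a, ps in scores.items()
            if a not in whitelist and max(ps.values()) >= threshold}


# Constructed destinations (documentation/test address ranges only).
MAIL = ("10.0.0.5", 993, "tcp")            # hourly mail polling, present in both periods
UPDATE = ("198.51.100.20", 80, "tcp")      # once-a-day update check, present in both periods
WEB = ("203.0.113.10", 443, "tcp")         # two visits during training
NEW_SITE = ("203.0.113.55", 443, "tcp")    # three visits on one day of the detection period
FAST_BEACON = ("192.0.2.77", 8080, "tcp")  # new destination contacted every 10 minutes
SLOW_BEACON = ("192.0.2.99", 443, "tcp")   # new destination contacted every 12 hours

WINDOWS = (HOUR, 6 * HOUR, DAY)   # timescales tracked concurrently
THRESHOLD = 0.6
TRAIN = (0, 7 * DAY)
DETECT = (7 * DAY, 14 * DAY)


def build_sample_flows():
    """Constructed 14-day flow log for one host: 7 days of training, 7 days of detection."""
    flows = [Flow(h * HOUR + 30, *MAIL) for h in range(14 * 24)]
    flows += [Flow(d * DAY + 3 * HOUR, *UPDATE) for d in range(14)]
    flows += [Flow(1 * DAY + 10 * HOUR, *WEB), Flow(3 * DAY + 10 * HOUR, *WEB)]
    flows += [Flow(9 * DAY + h * HOUR, *NEW_SITE) for h in (11, 14, 20)]
    flows += [Flow(7 * DAY + k * 600, *FAST_BEACON) for k in range(7 * 24 * 6)]
    flows += [Flow(7 * DAY + k * 12 * HOUR + 300, *SLOW_BEACON) for k in range(14)]
    return flows


def run_demo():
    """Train on the first week, then flag persistent new atoms in the second week."""
    flows = build_sample_flows()
    whitelist = build_whitelist(flows, *TRAIN, WINDOWS, THRESHOLD)
    flagged = suspicious_atoms(flows, *DETECT, WINDOWS, whitelist, THRESHOLD)
    return whitelist, flagged


if __name__ == "__main__":
    wl, flagged = run_demo()
    print("whitelist:", sorted(wl))
    for a, ps in sorted(flagged.items()):
        print("suspicious:", a, {f"{w // HOUR}h": round(p, 3) for w, p in ps.items()})
```

In this run the update server is whitelisted only because of its 24-hour-scale persistence (7/7 days) even though it is near zero at the 1-hour scale, while the sporadic browsing destinations never cross the threshold at any scale. In the detection week both beacons are flagged; the occasional new site is not.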
Document type :
Conference papers

Contributor : Frédéric Giroire
Submitted on : Wednesday, December 15, 2010 - 8:16:01 AM
Last modification on : Friday, February 4, 2022 - 3:20:13 AM


  • HAL Id : inria-00546874, version 1



Frédéric Giroire, Jaideep Chandrashekar, Nina Taft, Eve Schooler, Konstantina Papagiannaki. Exploiting Temporal Persistence to Detect Covert Botnet Channels. The 12th International Symposium on Recent Advances in Intrusion Detection (RAID'09), Sep 2009, Saint Malo, France. pp.326--345. ⟨inria-00546874⟩


