Exploiting Temporal Persistence to Detect Covert Botnet Channels

Abstract : We describe a method to detect botnet command and control traffic and individual end-hosts. We introduce the notion of destination traffic atoms which aggregate the destinations and services that are communicated with. We then compute the persistence, which is a measure of temporal regularity and that we propose in this paper, for individual destination atoms. Very persistent destination atoms are added to a host's whitelist during a training period. Subsequently, we track the persistence of new destination atoms not already whitelisted, to identify suspicious C&C destinations. A particularly novel aspect is that we track persistence at multiple timescales concurrently. Importantly, our method does not require any a-priori information about destinations, ports, or protocols used in the C&C, nor do we require payload inspection. We evaluate our system using extensive user traffic traces collected from an enterprise network, along with collected botnet traces. We demonstrate that our method correctly identifies a botnet's C&C traffic, even when it is very stealthy. We also show that filtering outgoing traffic with the constructed whitelists dramatically improves the performance of traditional anomaly detectors. Finally, we show that the C&C detection can be achieved with a very low false positive rate.
Type de document :
Communication dans un congrès
Springer. The 12th International Symposium on Recent Advances in Intrusion Detection (RAID'09), Sep 2009, Saint Malo, France. pp.326--345, 2009
Liste complète des métadonnées

https://hal.inria.fr/inria-00546874
Contributeur : Frédéric Giroire <>
Soumis le : mercredi 15 décembre 2010 - 08:16:01
Dernière modification le : mercredi 2 février 2011 - 15:10:48

Identifiants

  • HAL Id : inria-00546874, version 1

Collections

Citation

Frédéric Giroire, Jaideep Chandrashekar, Nina Taft, Eve Schooler, Konstantina Papagiannaki. Exploiting Temporal Persistence to Detect Covert Botnet Channels. Springer. The 12th International Symposium on Recent Advances in Intrusion Detection (RAID'09), Sep 2009, Saint Malo, France. pp.326--345, 2009. <inria-00546874>

Partager

Métriques

Consultations de la notice

48