Discovering and analyzing deviant communities: Methods and experiments

Napoleon C. Paxton; Dae Il Jang; Ira S. Moskowitz; Gail-Joon Ahn; Stephen Russell

doi:10.4108/icst.collaboratecom.2014.257262

Discovering and analyzing deviant communities: Methods and experiments

Napoleon C. Paxton, Dae Il Jang, Ira S. Moskowitz, Gail-Joon Ahn, Stephen Russell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.

Original language	English (US)
Title of host publication	CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing
Subtitle of host publication	Networking, Applications and Worksharing
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	163-170
Number of pages	8
ISBN (Electronic)	9781631900433
DOIs	https://doi.org/10.4108/icst.collaboratecom.2014.257262
State	Published - Jan 19 2015
Event	10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014 - Miami, United States Duration: Oct 22 2014 → Oct 25 2014

Publication series

Name	CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing

Other

Other	10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014
Country	United States
City	Miami
Period	10/22/14 → 10/25/14

Fingerprint

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Software

Cite this

Paxton, N. C., Jang, D. I., Moskowitz, I. S., Ahn, G-J., & Russell, S. (2015). Discovering and analyzing deviant communities: Methods and experiments. In CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing (pp. 163-170). [7014561] (CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.4108/icst.collaboratecom.2014.257262

Discovering and analyzing deviant communities : Methods and experiments. / Paxton, Napoleon C.; Jang, Dae Il; Moskowitz, Ira S.; Ahn, Gail-Joon; Russell, Stephen.

CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. Institute of Electrical and Electronics Engineers Inc., 2015. p. 163-170 7014561 (CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Paxton, NC, Jang, DI, Moskowitz, IS, Ahn, G-J & Russell, S 2015, Discovering and analyzing deviant communities: Methods and experiments. in CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing., 7014561, CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing, Institute of Electrical and Electronics Engineers Inc., pp. 163-170, 10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014, Miami, United States, 10/22/14. https://doi.org/10.4108/icst.collaboratecom.2014.257262

Paxton NC, Jang DI, Moskowitz IS, Ahn G-J, Russell S. Discovering and analyzing deviant communities: Methods and experiments. In CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. Institute of Electrical and Electronics Engineers Inc. 2015. p. 163-170. 7014561. (CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing). https://doi.org/10.4108/icst.collaboratecom.2014.257262

Paxton, Napoleon C. ; Jang, Dae Il ; Moskowitz, Ira S. ; Ahn, Gail-Joon ; Russell, Stephen. / Discovering and analyzing deviant communities : Methods and experiments. CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. Institute of Electrical and Electronics Engineers Inc., 2015. pp. 163-170 (CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing).

@inproceedings{4e4679cfe74a42bfbbc2dae2b361c518,

title = "Discovering and analyzing deviant communities: Methods and experiments",

abstract = "Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.",

author = "Paxton, {Napoleon C.} and Jang, {Dae Il} and Moskowitz, {Ira S.} and Gail-Joon Ahn and Stephen Russell",

year = "2015",

month = jan

day = "19",

doi = "10.4108/icst.collaboratecom.2014.257262",

language = "English (US)",

series = "CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "163--170",

booktitle = "CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing",

note = "10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014 ; Conference date: 22-10-2014 Through 25-10-2014",

}

TY - GEN

T1 - Discovering and analyzing deviant communities

T2 - 10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014

AU - Paxton, Napoleon C.

AU - Jang, Dae Il

AU - Moskowitz, Ira S.

AU - Ahn, Gail-Joon

AU - Russell, Stephen

PY - 2015/1/19

Y1 - 2015/1/19

N2 - Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.

AB - Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.

UR - http://www.scopus.com/inward/record.url?scp=84923066233&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84923066233&partnerID=8YFLogxK

U2 - 10.4108/icst.collaboratecom.2014.257262

DO - 10.4108/icst.collaboratecom.2014.257262

M3 - Conference contribution

AN - SCOPUS:84923066233

T3 - CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing

SP - 163

EP - 170

BT - CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 October 2014 through 25 October 2014

ER -

Access to Document

10.4108/icst.collaboratecom.2014.257262