Abstract
Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.
| Original language | English (US) |
|---|---|
| Title of host publication | CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Pages | 163-170 |
| Number of pages | 8 |
| ISBN (Print) | 9781631900433 |
| DOIs | |
| State | Published - Jan 19 2015 |
| Event | 10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014 - Miami, United States Duration: Oct 22 2014 → Oct 25 2014 |
Other
| Other | 10th IEEE/EAI International Conference on Collaborative Computing, CollaborateCom 2014 |
|---|---|
| Country | United States |
| City | Miami |
| Period | 10/22/14 → 10/25/14 |
Fingerprint
ASJC Scopus subject areas
- Computer Networks and Communications
- Computer Science Applications
- Software
Cite this
Discovering and analyzing deviant communities : Methods and experiments. / Paxton, Napoleon C.; Jang, Dae Il; Moskowitz, Ira S.; Ahn, Gail-Joon; Russell, Stephen.
CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. Institute of Electrical and Electronics Engineers Inc., 2015. p. 163-170 7014561.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - Discovering and analyzing deviant communities
T2 - Methods and experiments
AU - Paxton, Napoleon C.
AU - Jang, Dae Il
AU - Moskowitz, Ira S.
AU - Ahn, Gail-Joon
AU - Russell, Stephen
PY - 2015/1/19
Y1 - 2015/1/19
N2 - Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.
AB - Botnets continue to threaten the security landscape of computer networks worldwide. This is due in part to the time lag present between discovery of botnet traffic and identification of actionable intelligence derived from the traffic analysis. In this article we present a novel method to fill such a gap by segmenting botnet traffic into communities and identifying the category of each community member. This information can be used to identify attack members (bot nodes), command and control members (Command and Control nodes), botnet controller members (botmaster nodes), and victim members (victim nodes). All of which can be used immediately in forensics or in defense of future attacks. The true novelty of our approach is the segmentation of the malicious network data into relational communities and not just spatially based clusters. The relational nature of the communities allows us to discover the community roles without a deep analysis of the entire network. We discuss the feasibility and practicality of our method through experiments with real-world botnet traffic. Our experimental results show a high detection rate with a low false positive rate, which gives encouragement that our approach can be a valuable addition to a defense in depth strategy.
UR - http://www.scopus.com/inward/record.url?scp=84923066233&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84923066233&partnerID=8YFLogxK
U2 - 10.4108/icst.collaboratecom.2014.257262
DO - 10.4108/icst.collaboratecom.2014.257262
M3 - Conference contribution
AN - SCOPUS:84923066233
SN - 9781631900433
SP - 163
EP - 170
BT - CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing
PB - Institute of Electrical and Electronics Engineers Inc.
ER -