CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis |
| |
| Authors: | Christian J Dietrich Christian Rossow Norbert Pohlmann |
| |
| Affiliation: | 1. Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Neidenburger Str. 43, 45877 Gelsenkirchen, Germany;2. VU University Amsterdam, The Network Institute, The Netherlands;3. Department of Computer Science, Friedrich-Alexander University, Erlangen, Germany;1. Barcelona Digital Technology Centre, eSecurity Research Group, Roc Boronat 117, 5th Floor, 08018 Barcelona, Spain;2. Università di Roma Tre, Maths Dept., L.go S. L. Murialdo 1, 00146 Roma, Italy;3. CaixaBank, CSIRT, Av. Diagonal, 621, 08028 Barcelona, Spain;1. Key Laboratory of Big Data Mining and Knowledge Management, University of Chinese Academy of Sciences, Beijing 10090, China;2. School of Economics and Management, University of Chinese Academy of Sciences, Beijing 10090, China;3. College of Information Science and Technology, University of Nebraska at Omaha, 68182 NE, USA;1. Department of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH), Pohang, Republic of Korea;2. Division of IT Convergence Engineering, Pohang University of Science and Technology (POSTECH), Pohang, Republic of Korea;1. IMDEA Software Institute, Madrid, Spain;2. University of California, Berkeley, CA, USA |
| |
| Abstract: | We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%. |
| |
| Keywords: | |
| 本文献已被 ScienceDirect 等数据库收录! |
|
