Botnet Detection
Botnets have become the platform of choice for launching attacks and committing fraud on the Internet. A better understanding of botnets will help coordinate and develop new technologies to counter this serious security threat.
  
Current Members:

Ali Shiravi

Previous Members:

Wei Lu, Goaletsa Rammidi

 

Overview

The recent growth of botnet activity in cyberspace has drawn significant attention from the research community. Botnets have become one of the biggest security threats, responsible for a large volume of malicious activity, from distributed denial-of-service (DDoS) attacks to spamming and phishing.

A botnet is a collection of infected computers, bots, that cooperate to accomplish some distributed task for illegal purposes, such as keylogging passwords or personal account information, sending spam, or launching DDoS attacks. The bots are controlled by an attacker, also known as the botmaster, through various command and control (C&C) channels. These channels can run over different communication protocols (e.g. HTTP, IRC) and use various botnet topologies: centralized, distributed (P2P) or randomized.

In our research on botnet detection, we explored the behavior of centralized IRC C&C botnets and developed a generic signature-based approach for discriminating botnet behavior from normal network traffic within a specific application community (e.g. IRC). Specifically, we developed a technique for constructing a payload signature for a given application type from n-grams extracted from the flow payload, combined with the temporal characteristics of the flow. Although the preliminary results showed the potential of the approach, they also revealed several areas requiring further research.
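As an added illustration of the idea described above (example code written for this page, not the group's own implementation or the BotCop classifier), the following Python builds a byte n-gram payload signature per application community from a few training flows, scores a new flow by how much of its payload the signature covers, and then combines that with a temporal feature, the regularity of message timing, to flag IRC flows that look machine-driven. The n-gram length, the document-frequency rule for selecting signature n-grams, the coverage and timing thresholds, and every payload and timestamp below are assumptions or constructed data, not values from the group's experiments.

```python
"""Toy payload-signature + temporal-feature classifier (added example).
All payloads, timestamps and thresholds are constructed for illustration."""
from collections import Counter
from statistics import mean, pstdev

N = 3        # byte n-gram length (assumed)
MIN_DF = 2   # an n-gram joins a signature if seen in >= MIN_DF training flows (assumed)


def ngrams(payload: bytes, n: int = N):
    """All overlapping byte n-grams of a flow payload, in order."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


def build_signature(payloads, n=N, min_df=MIN_DF):
    """Application signature: the set of n-grams that recur across the
    training flows of that application (document frequency >= min_df)."""
    df = Counter()
    for p in payloads:
        df.update(set(ngrams(p, n)))
    return {g for g, c in df.items() if c >= min_df}


def coverage(signature, payload, n=N):
    """Fraction of the flow's n-gram positions that are signature n-grams."""
    grams = ngrams(payload, n)
    return sum(g in signature for g in grams) / len(grams) if grams else 0.0


def timing_cv(timestamps):
    """Coefficient of variation of inter-message gaps. A bot polling its
    C&C on a timer gives ~0; interactive human chat gives a large value."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) <= 0:
        return None
    return pstdev(gaps) / mean(gaps)


def classify_flow(payload, timestamps, signatures, min_cov=0.2, max_cv=0.2):
    """Assign the flow to the application community whose signature covers
    it best, then flag IRC flows with machine-like timing as bot-like."""
    scores = {app: coverage(sig, payload) for app, sig in signatures.items()}
    app = max(scores, key=scores.get)
    if scores[app] < min_cov:          # no community explains the payload
        app = "unknown"
    cv = timing_cv(timestamps)
    bot_like = app == "irc" and cv is not None and cv < max_cv
    return {"app": app, "coverage": round(scores.get(app, 0.0), 3),
            "timing_cv": cv, "bot_like": bot_like}


# --- constructed training traffic (not real captures) ---
IRC_TRAIN = [
    b"NICK alice\r\nUSER alice 0 * :alice\r\nJOIN #chat\r\nPRIVMSG #chat :hello everyone\r\n",
    b"NICK bob\r\nUSER bob 0 * :bob\r\nJOIN #chat\r\nPRIVMSG #chat :hi alice, how are you\r\n",
    b"PING :irc.example.net\r\nPONG :irc.example.net\r\nPRIVMSG #chat :anyone around?\r\n",
]
HTTP_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=a&pass=b",
]
SIGNATURES = {"irc": build_signature(IRC_TRAIN), "http": build_signature(HTTP_TRAIN)}

# --- constructed test flows: (payload, message timestamps in seconds) ---
BOT_IRC = (b"NICK USA|00123\r\nUSER x 0 * :x\r\nJOIN #c0ntr0l\r\nPRIVMSG #c0ntr0l :.ddos.syn 10.0.0.1 80\r\n",
           [0, 30, 60, 90, 120, 150])     # fixed 30 s polling interval
HUMAN_IRC = (b"NICK carol\r\nUSER carol 0 * :carol\r\nJOIN #chat\r\nPRIVMSG #chat :lunch anyone?\r\n",
             [0, 4, 31, 33, 90, 95])       # bursty, human-paced
WEB = (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
       [0, 30, 60, 90, 120, 150])          # periodic, but not an IRC flow


def demo():
    """Classify the three constructed flows; returns {name: verdict}."""
    flows = {"bot_irc": BOT_IRC, "human_irc": HUMAN_IRC, "web": WEB}
    return {name: classify_flow(p, ts, SIGNATURES) for name, (p, ts) in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The payload signature alone only says "this is IRC"; the timing feature is what separates the bot's fixed polling cadence from human chat in the same community, which is why the example keeps the two signals separate and combines them only in the final decision. The HTTP flow is deliberately given the same periodic timestamps to show that regularity by itself is not treated as evidence of a bot outside the IRC community in this toy setting.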

One of the open challenges relates to the coarse-grained classification of application communities, e.g., web-based applications, P2P-based applications, etc. Although such a high-level definition of communities improves the accuracy of network traffic classification, it hinders the detection of botnet traffic inside each community. However, a more fine-grained categorization of applications is not always possible because of the large amount of encrypted traffic, the deployment of new applications, the variability of P2P traffic, etc. In fact, our preliminary experimental study showed that extracting an accurate payload signature for the network traffic of P2P applications, although possible, is challenging and might require additional information.

The focus of our current research is a generic system for botnet detection, independent of the botnet structure and the C&C protocols employed.

 

Related Publications

Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani. "Automatic Discovery of Botnet Communities on Large-Scale Communication Networks." In Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), Sydney, Australia, March 10-12, 2009. ACM 2009, pp. 1-10.

Wei Lu and Ali A. Ghorbani. "Botnets Detection Based on IRC-Community." In Proceedings of the IEEE Global Communications Conference (GLOBECOM 2008), Nov. 30 - Dec. 4, 2008, New Orleans, LA, USA, pp. 2067-2071.

Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi and Ali A. Ghorbani. "BotCop: An Online Botnets Traffic Classifier." In Proceedings of the 7th Annual Conference on Communication Networks and Services Research (CNSR 2009), Moncton, New Brunswick, Canada, May 11-13, 2009, pp. 70-77.

Wei Lu and Ali A. Ghorbani. "Bots Behaviors vs. Human Behaviors on Large-Scale Communication Networks (Extended Abstract)." In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (RAID 2008), R. Lippmann, E. Kirda, and A. Trachtenberg (Eds.), LNCS 5230, pp. 415-416, MIT, Boston, USA, 2008.