Visible to the public Early Detection of In-the-Wild Botnet Attacks by Exploiting Network Communication Uniformity: An Empirical Study

TitleEarly Detection of In-the-Wild Botnet Attacks by Exploiting Network Communication Uniformity: An Empirical Study
Publication TypeConference Paper
Year of Publication2017
AuthorsAbaid, Z., Kaafar, M. A., Jha, S.
Conference Name2017 IFIP Networking Conference (IFIP Networking) and Workshops
ISBN Number 978-3-901882-94-4
Keywordsbotnet communication, botnet controllers, botnet traffic, botnet-infected machines, command botnets, composability, Computer crime, computer network security, cyber physical systems, distributed attack, early detection, early infection, in-the-wild botnet attacks, invasive software, large-scale malware propagation campaigns, malicious behaviour, Monitoring, multiple infected machines, network behaviour, network communication uniformity, outgoing bot attacks, port scanning attacks, pubcrawl, real-world spamming, resilience, Resiliency, Servers, synchronised behaviour, Synchronization, trojan horse detection, Trojan horses, unsolicited e-mail, widespread infection

Distributed attacks originating from botnet-infected machines (bots) such as large-scale malware propagation campaigns orchestrated via spam emails can quickly affect other network infrastructures. As these attacks are made successful only by the fact that hundreds of infected machines engage in them collectively, their damage can be avoided if machines infected with a common botnet can be detected early rather than after an attack is launched. Prior studies have suggested that outgoing bot attacks are often preceded by other ``tell-tale'' malicious behaviour, such as communication with botnet controllers (C&C servers) that command botnets to carry out attacks. We postulate that observing similar behaviour occuring in a synchronised manner across multiple machines is an early indicator of a widespread infection of a single botnet, leading potentially to a large-scale, distributed attack. Intuitively, if we can detect such synchronised behaviour early enough on a few machines in the network, we can quickly contain the threat before an attack does any serious damage. In this work we present a measurement-driven analysis to validate this intuition. We empirically analyse the various stages of malicious behaviour that are observed in real botnet traffic, and carry out the first systematic study of the network behaviour that typically precedes outgoing bot attacks and is synchronised across multiple infected machines. We then implement as a proof-of-concept a set of analysers that monitor synchronisation in botnet communication to generate early infection and attack alerts. We show that with this approach, we can quickly detect nearly 80% of real-world spamming and port scanning attacks, and even demonstrate a novel capability of preventing these attacks altogether by predicting them before they are launched.

Citation Keyabaid_early_2017