BotGAD: Detecting botnets by capturing group activities in network traffic

Hyunsang Choi; Heejo Lee; Hyogon Kim

doi:10.1145/1621890.1621893

BotGAD: Detecting botnets by capturing group activities in network traffic

Hyunsang Choi, Heejo Lee, Hyogon Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

93 Citations (Scopus)

Abstract

Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.

Original language	English
Title of host publication	Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09
DOIs	https://doi.org/10.1145/1621890.1621893
Publication status	Published - 2009
Event	4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09 - Dublin, Ireland Duration: 2009 Jun 16 → 2009 Jun 19

Publication series

Name	Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09

Other

Other	4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09
Country/Territory	Ireland
City	Dublin
Period	09/6/16 → 09/6/19

ASJC Scopus subject areas

Computer Networks and Communications
Software

Access to Document

10.1145/1621890.1621893

Cite this

Choi, H., Lee, H., & Kim, H. (2009). BotGAD: Detecting botnets by capturing group activities in network traffic. In Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09 [1621893] (Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09). https://doi.org/10.1145/1621890.1621893

BotGAD: Detecting botnets by capturing group activities in network traffic. / Choi, Hyunsang; Lee, Heejo ; Kim, Hyogon.
Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09. 2009. 1621893 (Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Choi, H, Lee, H & Kim, H 2009, BotGAD: Detecting botnets by capturing group activities in network traffic. in Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09., 1621893, Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09, 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09, Dublin, Ireland, 09/6/16. https://doi.org/10.1145/1621890.1621893

Choi H, Lee H , Kim H. BotGAD: Detecting botnets by capturing group activities in network traffic. In Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09. 2009. 1621893. (Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09). doi: 10.1145/1621890.1621893

@inproceedings{d6ad0ee27bf344f585224827b0f394c7,

title = "BotGAD: Detecting botnets by capturing group activities in network traffic",

abstract = "Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.",

author = "Hyunsang Choi and Heejo Lee and Hyogon Kim",

year = "2009",

doi = "10.1145/1621890.1621893",

language = "English",

isbn = "9781605583532",

series = "Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09",

booktitle = "Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09",

note = "4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09 ; Conference date: 16-06-2009 Through 19-06-2009",

}

TY - GEN

T1 - BotGAD

T2 - 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09

AU - Choi, Hyunsang

AU - Lee, Heejo

AU - Kim, Hyogon

PY - 2009

Y1 - 2009

N2 - Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.

AB - Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.

UR - http://www.scopus.com/inward/record.url?scp=72249092936&partnerID=8YFLogxK

U2 - 10.1145/1621890.1621893

DO - 10.1145/1621890.1621893

M3 - Conference contribution

AN - SCOPUS:72249092936

SN - 9781605583532

T3 - Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09

BT - Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09

Y2 - 16 June 2009 through 19 June 2009

ER -

BotGAD: Detecting botnets by capturing group activities in network traffic

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this