4th International ICST Conference on Communication System Software and Middleware

Research Article

BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic

@INPROCEEDINGS{10.1145/1621890.1621893,
    author={Hyunsang Choi and Heejo Lee and Hyogon Kim},
    title={BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic},
    proceedings={4th International ICST Conference on Communication System Software and Middleware},
    publisher={ACM},
    proceedings_a={COMSWARE},
    year={2010},
    month={5},
    keywords={},
    doi={10.1145/1621890.1621893}
}

Hyunsang Choi (1,*), Heejo Lee (1,*), Hyogon Kim (1,*)
1: Division of Computer & Communication Engineering, Korea University, Seoul, South Korea
*Contact email: realchs@korea.ac.kr, heejo@korea.ac.kr, hyogon@korea.ac.kr

Abstract

Recent malicious attempts aim to obtain financial benefits using botnets, which have become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, and click fraud. In this paper, we define group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism called BotGAD (Botnet Group Activity Detector). BotGAD can detect unknown botnets in large-scale networks in real time. Botnets frequently use DNS to rally infected hosts, launch attacks, and update their code. We implemented BotGAD using DNS traffic and showed its effectiveness through experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two-day campus network traces.