International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations

BibTeX:

    @INPROCEEDINGS{10.1007/978-3-319-23829-6_13,
        author={Pieter Burghouwt and Marcel Spruit and Henk Sips},
        title={Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Botnets, Network intrusion detection, Anomaly detection},
        doi={10.1007/978-3-319-23829-6_13}
    }

Citation: Pieter Burghouwt, Marcel Spruit, Henk Sips (2015). Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations. SECURECOMM, Springer. DOI: 10.1007/978-3-319-23829-6_13
Pieter Burghouwt (1,*), Marcel Spruit (1,*), Henk Sips (1,*)
  • 1: Delft University of Technology
  • *Contact email: P.Burghouwt@tudelft.nl, M.E.M.Spruit@hhs.nl, H.J.Sips@tudelft.nl

Abstract

We present a novel anomaly-based detection approach capable of detecting botnet Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not originate from one of three trusted sources: human input, prior traffic from a trusted destination, or a defined set of legitimate applications. This allows for real-time detection of diverse types of Command and Control traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.