sesa 15(4): e2

Research Article

Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers

BibTeX:

    @ARTICLE{10.4108/eai.5-10-2015.150476,
        author={Pieter Burghouwt and Marcel E.M. Spruit and Henk J. Sips},
        title={Detection of Botnet Command and Control Traffic by the Multistage Trust Evaluation of Destination Identifiers},
        journal={EAI Endorsed Transactions on Security and Safety},
        volume={2},
        number={4},
        publisher={EAI},
        journal_a={SESA},
        year={2015},
        month={10},
        keywords={Botnets, Network Intrusion Detection, Anomaly Detection},
        doi={10.4108/eai.5-10-2015.150476}
    }

Pieter Burghouwt (1,*), Marcel E.M. Spruit (2), Henk J. Sips (1)
  • 1: Parallel and Distributed Systems Group, Delft University of Technology, Mekelweg 4, Delft 2628CD, The Netherlands
  • 2: Research Group Cyber Security and Safety, The Hague University of Applied Sciences, Johanna Westerdijkplein 75, The Hague 2521EN, The Netherlands
* Contact email: P.Burghouwt@hhs.nl

Abstract

Network-based detection of botnet Command and Control communication is a difficult task if the traffic has a relatively low volume and if popular protocols, such as HTTP, are used to resemble normal traffic. We present a new network-based detection approach that is capable of detecting this type of Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. If the destination identifier of a traffic flow originates directly from human input, from prior traffic from a trusted destination, or from a defined set of legitimate applications, the destination is trusted and its associated traffic is classified as normal. Advantages of this approach are the ability to detect zero-day malicious traffic, low exposure to malware through passive, host-external traffic monitoring, and applicability to real-time filtering. Experimental evaluation demonstrates successful detection of diverse types of Command and Control traffic.
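The following is an added illustration of the trust rule stated in the abstract, not code from the paper: flows are evaluated in order, a destination becomes trusted when its identifier comes from human input, from a response of an already trusted destination, or from a listed application, and everything else is flagged for inspection. The flow records, the application list and the hostnames are constructed for the example.

```python
"""Toy multistage destination-trust classifier (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed set of applications allowed to originate destinations on their own (stage 3).
LEGITIMATE_APPS = {"os-updater", "av-signature-client"}

@dataclass
class Flow:
    dst: str                        # destination identifier (a hostname here)
    human_input: bool = False       # identifier typed or clicked by a user (stage 1)
    referrer: Optional[str] = None  # host whose earlier response supplied the identifier (stage 2)
    app: Optional[str] = None       # application that generated the flow (stage 3)

def classify(flows, trusted=None):
    """Evaluate flows in order; return (list of (dst, verdict), final trusted set)."""
    trusted = set(trusted or ())
    verdicts = []
    for f in flows:
        if f.human_input:
            reason = "human input"
        elif f.referrer is not None and f.referrer in trusted:
            reason = f"referred by trusted {f.referrer}"   # trust propagates transitively
        elif f.app in LEGITIMATE_APPS:
            reason = f"legitimate application {f.app}"
        else:
            verdicts.append((f.dst, "SUSPECT"))           # no attributable origin
            continue
        trusted.add(f.dst)
        verdicts.append((f.dst, f"NORMAL ({reason})"))
    return verdicts, trusted

# Constructed sample traffic: a browsing session, an updater, and a low-volume HTTP beacon.
SAMPLE_FLOWS = [
    Flow("news.example", human_input=True),
    Flow("cdn.example", referrer="news.example"),
    Flow("tracker.example", referrer="cdn.example"),
    Flow("update.example", app="os-updater"),
    Flow("c2.example"),                             # periodic HTTP, no human/trusted/app origin
    Flow("relay.example", referrer="c2.example"),   # referred only by an untrusted host
]

def suspects(flows=SAMPLE_FLOWS):
    """Destinations the classifier could not attribute to a trusted origin."""
    verdicts, _ = classify(flows)
    return [dst for dst, v in verdicts if v == "SUSPECT"]

if __name__ == "__main__":
    for dst, verdict in classify(SAMPLE_FLOWS)[0]:
        print(f"{dst:16} {verdict}")
```

Note that a referral from a not-yet-trusted host does not confer trust, so a beacon cannot launder a second destination through its own responses.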

Keywords: Botnets, Network Intrusion Detection, Anomaly Detection
Received: 2014-08-20
Accepted: 2014-12-22
Published: 2015-10-05
Publisher: EAI
DOI: http://dx.doi.org/10.4108/eai.5-10-2015.150476

Copyright © 2015 P. Burghouwt et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.
