BotGAD: Detecting botnets by capturing group activities in network traffic

Hyunsang Choi, Heejo Lee, Hyogon Kim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

71 Citations (Scopus)

Abstract

Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.

Original languageEnglish
Title of host publicationProceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09
DOIs
Publication statusPublished - 2009
Event4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09 - Dublin, Ireland
Duration: 2009 Jun 162009 Jun 19

Publication series

NameProceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09

Other

Other4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09
CountryIreland
CityDublin
Period09/6/1609/6/19

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software

Fingerprint Dive into the research topics of 'BotGAD: Detecting botnets by capturing group activities in network traffic'. Together they form a unique fingerprint.

  • Cite this

    Choi, H., Lee, H., & Kim, H. (2009). BotGAD: Detecting botnets by capturing group activities in network traffic. In Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09 [1621893] (Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, COMSWARE '09). https://doi.org/10.1145/1621890.1621893