Friday, August 3, 2018

Lightweight C&C based botnet detection using Aho-Corasick NFA

Udhayan J¹, Anitha R² and Hamsapriya T³
¹Department of Information Technology, Karunya University, Coimbatore, India
²Department of Mathematics and Computer Applications, PSG College of Technology, Coimbatore, India
³Department of Information Technology, PSG College of Technology, Coimbatore, India

ABSTRACT

A botnet differs from earlier malware in having a C&C channel through which a botmaster can control the constituents of the botnet. Even though protocols like IRC, HTTP and DNS are exploited to incorporate C&C channels, previous analyses have shown that the majority of botnets are usually based on IRC. Consequently, this paper proposes Aho-Corasick NFA based detection of the C&C instructions that are exchanged in IRC-run botnets. However, the ability to detect a botnet in this way is limited to the existing bot commands. Therefore, a counting process that analyses every IRC message is introduced to detect the existence of malicious code. This detection method and various existing methods have been evaluated using real-world network traces. The results show that the proposed C&C instruction based IRC detection method can detect real-world botnets with high accuracy.

KEYWORDS

Botnet, IRC, C&C, Flow based detection, Behaviour based detection, Signature based detection
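To make the signature stage of the abstract concrete, here is an added example (not the authors' code) of an Aho-Corasick automaton in NFA form, a goto trie with failure links, run over the trailing parameter of IRC messages. The signature list, the sample traffic, the case-insensitive matching and the `flag_messages` helper are constructed assumptions; the counting process is not shown because the page does not describe it.

```python
from collections import deque

class AhoCorasickNFA:
    """Goto trie plus failure links (NFA form, no full transition table)."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for p in patterns:
            s = 0
            for ch in p.lower():
                if ch not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].append(p.lower())
        queue = deque(self.goto[0].values())  # breadth-first: shallow states first
        while queue:
            s = queue.popleft()
            for ch, t in self.goto[s].items():
                f = self.fail[s]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(ch, 0)
                # Inherit patterns that end at the longest proper suffix state.
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)

    def search(self, text):  # -> [(start_offset, pattern), ...] in one pass
        s, hits = 0, []
        for i, ch in enumerate(text.lower()):
            while s and ch not in self.goto[s]:
                s = self.fail[s]          # mismatch: follow failure links
            s = self.goto[s].get(ch, 0)
            hits += [(i - len(p) + 1, p) for p in self.out[s]]
        return hits

# Constructed signatures and IRC lines; the paper's command set is not on this page.
SIGNATURES = [".scan.start", ".scan", ".update", "update http"]
TRAFFIC = [
    ":alice!a@host PRIVMSG #chat :did you update the wiki?",
    ":op!x@host PRIVMSG #chan9 :.scan.start 10.0.0.0/24",
    ":op!x@host TOPIC #chan9 :.UPDATE http://example.invalid/b 1",
]

def flag_messages(lines, signatures=SIGNATURES):
    ac = AhoCorasickNFA(signatures)
    # Match only the IRC trailing parameter (text after the first " :").
    found = {n: ac.search(l.split(" :", 1)[-1]) for n, l in enumerate(lines)}
    return {n: sorted({p for _, p in hits}) for n, hits in found.items() if hits}
```

Each message is scanned once regardless of how many signatures are loaded, and overlapping or nested signatures are all reported, while the benign chat line containing "update" is not flagged.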


International Journal of Network Security & Its Applications (IJNSA) - ERA, WJCI Indexed
