Detection of Botnet Command and Control Traffic in Enterprise Networks

Abstract

Botnets play an important role in modern Internet-related cybercrime. A botnet consists of a group of infected computers, referred to as bots. The bots are remotely controlled and deployed in malicious activities, such as DDoS attacks, spam, and espionage. Clever design of the botnet C&C (Command and Control) infrastructure, combined with the adaptability of the bot and its attacks, makes botnets a universal cybercrime tool. This is reflected in the large number of discovered botnets and botnet-related incidents. This doctoral thesis aims to explore new and specialized C&C detection approaches for enterprise networks. Three new detection approaches are proposed. The first detection approach, referred to as TFC detection (TFC = Traffic Flow Causality), detects C&C traffic by the direct causes of egress traffic. The second approach, referred to as UDI detection (UDI = Untrusted Destination Identification), detects C&C traffic by estimating the trustworthiness of egress traffic destinations. The third approach detects DNS-based C&C traffic by the degree distribution of resolved DNS domains. Because all three approaches detect botnet C&C traffic differently from existing techniques, they can be implemented in the intrusion detection systems of enterprise networks alongside existing anomaly-based and signature-based detection approaches, to improve diversity.