Implementation and evaluation of bot detection scheme based on data transmission intervals

Seiichiro Mizoguchi, Yuji Kugisaki, Yoshiaki Kasahara, Yoshiaki Hori, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Botnets are one of the most serious security issues in the world. A host infected with a bot is used for collecting personal information, launching DoS attacks, sending spam e-mail, and so on. If such a machine exists in an organizational network, that organization will lose its reputation, so bots in organizational networks have to be detected immediately. Several network-based bot detection methods have been proposed; however, traditional methods based on payload analysis or signature-based detection are undesirable for large volumes of traffic. Inspecting payloads also raises a privacy issue, so a scheme that is independent of payload analysis is needed. In this paper, we propose a bot detection method that focuses on data transmission intervals. We distinguish human-operated clients from bots by their network behavior. We assume that a bot communicates with its C&C server periodically, so that each data transmission interval will be the same. We found that such behavior can be detected by applying clustering analysis to these intervals. We implemented the proposed algorithm and evaluated it against normal IRC traffic and bot traffic captured in our campus network. We found that our method could detect IRC-based bots with low false positives.
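The abstract describes the idea only at a high level; the following is an added illustration (not the authors' implementation) of interval-based detection: per-host inter-transmission intervals are clustered and a host is flagged when most of its intervals fall into one tight cluster. The single-linkage clustering, the tolerance, the minimum sample count, the 80% share threshold and the sample events are all assumptions made here.

```python
"""Interval-periodicity detector in the spirit of Mizoguchi et al.
Added illustration: clustering step and thresholds are assumptions, not the paper's."""
from collections import defaultdict


def intervals_per_host(events):
    """events: iterable of (timestamp_seconds, src_host) observed on the wire.
    Returns {host: [positive inter-transmission intervals in seconds]}."""
    times = defaultdict(list)
    for ts, host in events:
        times[host].append(ts)
    out = {}
    for host, ts in times.items():
        ts.sort()
        # Drop zero gaps (same-second bursts) so they cannot form a fake cluster.
        out[host] = [b - a for a, b in zip(ts, ts[1:]) if b - a > 0]
    return out


def cluster_intervals(gaps, tol=0.10):
    """1-D single-linkage clustering (assumed method): walking the sorted gaps,
    a gap joins the current cluster if it is within tol * gap of the previous one."""
    clusters = []
    for g in sorted(gaps):
        if clusters and g - clusters[-1][-1] <= tol * g:
            clusters[-1].append(g)
        else:
            clusters.append([g])
    return clusters


def is_periodic(gaps, min_samples=10, tol=0.10, share=0.8):
    """Flag a host when a single cluster holds at least `share` of its intervals."""
    if len(gaps) < min_samples:
        return False  # too few transmissions to judge periodicity
    biggest = max(cluster_intervals(gaps, tol), key=len)
    return len(biggest) / len(gaps) >= share


def flag_hosts(events, **kw):
    """Sorted list of hosts whose transmission intervals look machine-periodic."""
    return sorted(h for h, g in intervals_per_host(events).items() if is_periodic(g, **kw))


# Constructed sample traffic: one host keeps a 60 s cadence with slight jitter,
# one chats irregularly like a human, one has too few messages to judge.
BEACON = [(60.0 * i + (0.5 if i % 2 else 0.0), "10.0.0.7") for i in range(20)]
HUMAN = [(float(t), "10.0.0.8") for t in
         (0, 3, 4, 19, 25, 26, 60, 140, 141, 150, 200, 260, 330, 331, 400, 405, 600)]
SPARSE = [(float(t), "10.0.0.9") for t in (0, 60, 120)]

if __name__ == "__main__":
    print(flag_hosts(BEACON + HUMAN + SPARSE))  # ['10.0.0.7']
```

Real deployments would also have to choose the tolerance against observed jitter, since a bot with randomized sleep times spreads its intervals across several clusters and lowers the share.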

Original language: English
Title of host publication: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Pages: 73-78
Number of pages: 6
DOIs: 10.1109/NPSEC.2010.5634446
Publication status: Published - Dec 1 2010
Event: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010 - Kyoto, Japan
Duration: Oct 5 2010 to Oct 5 2010

Publication series

Name: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

Other

Other: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Country: Japan
City: Kyoto
Period: 10/5/10 to 10/5/10

Fingerprint

Data communication systems
Launching
Servers
Testing
Denial-of-service attack
Botnet

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Mizoguchi, S., Kugisaki, Y., Kasahara, Y., Hori, Y., & Sakurai, K. (2010). Implementation and evaluation of bot detection scheme based on data transmission intervals. In 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010 (pp. 73-78). [5634446] (2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010). https://doi.org/10.1109/NPSEC.2010.5634446

@inproceedings{c2563351c3f7416b8f5307d9dd802ea1,
title = "Implementation and evaluation of bot detection scheme based on data transmission intervals",
abstract = "Botnet is one of the most considerable issues in the world. A host infected with a bot is used for collecting personal information, launching DoS attacks, sending spam e-mail and so on. If such a machine exists in an organizational network, that organization will lose its reputation. We have to detect these bots existing in organizational networks immediately. Several network-based bot detection methods have been proposed; however, some traditional methods using payload analysis or signature-based detection scheme are undesirable in large amount of traffic. Also there is a privacy issue with looking into payloads, so we have to develop another scheme that is independent of payload analysis. In this paper, we propose a bot detection method which focuses on data transmission intervals. We distinguish human-operated clients and bots by their network behaviors. We assumed that a bot communicates with C&C server periodically and each interval of data transmission will be the same. We found that we can detect such behaviors by using clustering analysis to these intervals. We implemented our proposed algorithm and evaluated by testing normal IRC traffic and bot traffic captured in our campus network. We found that our method could detect IRC-based bots with low false positives.",
author = "Seiichiro Mizoguchi and Yuji Kugisaki and Yoshiaki Kasahara and Yoshiaki Hori and Kouichi Sakurai",
year = "2010",
month = "12",
day = "1",
doi = "10.1109/NPSEC.2010.5634446",
language = "English",
isbn = "9781424489152",
series = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",
pages = "73--78",
booktitle = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",
}

TY  - GEN
T1  - Implementation and evaluation of bot detection scheme based on data transmission intervals
AU  - Mizoguchi, Seiichiro
AU  - Kugisaki, Yuji
AU  - Kasahara, Yoshiaki
AU  - Hori, Yoshiaki
AU  - Sakurai, Kouichi
PY  - 2010/12/1
Y1  - 2010/12/1
N2  - Botnet is one of the most considerable issues in the world. A host infected with a bot is used for collecting personal information, launching DoS attacks, sending spam e-mail and so on. If such a machine exists in an organizational network, that organization will lose its reputation. We have to detect these bots existing in organizational networks immediately. Several network-based bot detection methods have been proposed; however, some traditional methods using payload analysis or signature-based detection scheme are undesirable in large amount of traffic. Also there is a privacy issue with looking into payloads, so we have to develop another scheme that is independent of payload analysis. In this paper, we propose a bot detection method which focuses on data transmission intervals. We distinguish human-operated clients and bots by their network behaviors. We assumed that a bot communicates with C&C server periodically and each interval of data transmission will be the same. We found that we can detect such behaviors by using clustering analysis to these intervals. We implemented our proposed algorithm and evaluated by testing normal IRC traffic and bot traffic captured in our campus network. We found that our method could detect IRC-based bots with low false positives.
AB  - Botnet is one of the most considerable issues in the world. A host infected with a bot is used for collecting personal information, launching DoS attacks, sending spam e-mail and so on. If such a machine exists in an organizational network, that organization will lose its reputation. We have to detect these bots existing in organizational networks immediately. Several network-based bot detection methods have been proposed; however, some traditional methods using payload analysis or signature-based detection scheme are undesirable in large amount of traffic. Also there is a privacy issue with looking into payloads, so we have to develop another scheme that is independent of payload analysis. In this paper, we propose a bot detection method which focuses on data transmission intervals. We distinguish human-operated clients and bots by their network behaviors. We assumed that a bot communicates with C&C server periodically and each interval of data transmission will be the same. We found that we can detect such behaviors by using clustering analysis to these intervals. We implemented our proposed algorithm and evaluated by testing normal IRC traffic and bot traffic captured in our campus network. We found that our method could detect IRC-based bots with low false positives.
UR  - http://www.scopus.com/inward/record.url?scp=79952064485&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=79952064485&partnerID=8YFLogxK
U2  - 10.1109/NPSEC.2010.5634446
DO  - 10.1109/NPSEC.2010.5634446
M3  - Conference contribution
AN  - SCOPUS:79952064485
SN  - 9781424489152
T3  - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
SP  - 73
EP  - 78
BT  - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
ER  -