Bots Behaviors vs. Human Behaviors on Large-Scale Communication Networks (Extended Abstract)

In this paper we propose a hierarchical framework for detecting and characterizing any types of botnets on a large-scale WiFi ISP network. In particular, we first analyze and classify the network traffic into different applications by using payload signatures and the cross-associations for IP addresses and ports. Then based on specific application community (e.g. IRC, HTTP, or Peer-to-Peer), we present a novel temporal-frequent characteristic of flows that leads the differentiation of malicious behaviors created by bots from normal network traffic generated by human beings. We evaluate our approach with over 160 million flows collected over five consecutive days on a large-scale network and preliminary results show the proposed approach successfully detects the IRC botnet flows from over 160 million flows with a high detection rate and an acceptable low false alarm rate. 1 Problem Statement, State of the Art and Contributions Detecting botnets behaviors on large-scale networks is a very challenging problem. This is because: (1) botnets are often hidden in existing applications, and thus their traffic volume is not that big and is very similar with normal traffic behaviors; (2) identifying network traffic into different applications becomes more challenging and is still an issue yet to be solved due to traffic content encryption and the unreliable destination port labeling method. The observation on a large-scale WiFi ISP network over a half year period showed that even exploring the flow content examination method, there are still about 40% network flows that cannot be classified into specific applications. Investigating such a huge number of unknown traffic is very important since they might stand for the abnormalities in the traffic, malicious behaviors or simply the identification of novel applications. Current attempts on detecting botnets are mainly based on honeypots, passive anomaly analysis and traffic application classification. The anomaly analysis for detecting botnets on network traffic is usually independent of the traffic content and has the potential to find different types of botnets. However, anomaly R. Lippmann, E. Kirda, and A. Trachtenberg (Eds.): RAID 2008, LNCS 5230, pp. 415–416, 2008. c © Springer-Verlag Berlin Heidelberg 2008