CABD: A Content Agnostic Botnet Detection System

A botnet is a network of compromised hosts controlled by a single entity, called the botmaster. These compromised hosts can be utilized for malicious activities such as Distributed Denial of Service (DDoS) attacks, SPAM, and information extraction such as the extraction of user authentication via key-logging each of which nets profits to the botmaster. Research in the detection of botnets is extensive and ongoing. Previous techniques looked at packet contents to determine botnet command and control (C&C) traffic, however botnets are evolving and as such are encrypting their traffic. Therefore content agnostic botnet detection mechanisms are needed. This paper presents CABD a content agnostic botnet detection system to detect bot infected hosts inside a network. CABD should work independent of the underlying botnet structure, be able to detect infected hosts without the correlation of network events between two or more hosts, and, as “content agnostic” implies, perform detection in spite of encryption. Furthermore CABD should not depend on noisy malicious activities, such as SPAM and DDoS traffic, and finally CABD should have an acceptably low false positive rate. CABD should generate content agnostic botnet traffic signatures in a three step process. First CABD will summarize known botnet traffic flows collected from long running instances of Anubis [2]. Second CABD will cluster similar flows together, and finally CABD will extract unique information from each cluster to produce a signature usable in an system similar to a network intrusion detection system (NIDS). When complete, CABD will be evaluated using various large-scale, real-world network traffic traces that will hopefully verify that CABD does indeed produce an acceptably low number of false positives.