Botnets have become one of the most significant cyber threats of the last decade. The diffusion of the "Internet of Things" and its for-profit exploitation have contributed to the spread and sophistication of botnets, turning them into real, efficient and profitable criminal cyber-services. Recent research on botnet detection focuses on traffic-pattern-based detection, i.e. on analyzing the network traffic generated by infected hosts in order to find behavioral patterns that are independent of the specific payloads, architectures and protocols. In this paper we address the periodic behavioral patterns of infected hosts communicating with their Command-and-Control servers. The main novelty introduced is the analysis of this traffic in the frequency domain without using the well-known Fast Fourier Transform. Moreover, the analysis is performed on proxy logs, which are easily obtainable in almost every real-world scenario, from enterprise networks to mobile devices.
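As an added illustration of the idea the abstract describes (per-host periodic contact with a server, measured from proxy logs), the following constructed example scores how regular the inter-request intervals of each (client, destination host) pair are; it is not the paper's algorithm, and the Squid-style log lines, the `.invalid` hostnames and the thresholds are all constructed assumptions.

```python
# Constructed example of near-periodic request detection in proxy logs. Not the
# paper's method: it scores inter-request regularity per (client, host) without an FFT.
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed Squid-style lines: "<epoch> <ms> <client> <status> <bytes> <method> <url>"
SAMPLE_LOG = """\
1460000000.000 12 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/ping
1460000000.100 30 10.0.0.5 TCP_MISS/200 9001 GET http://news.example.invalid/
1460000007.000 40 10.0.0.5 TCP_MISS/200 7000 GET http://news.example.invalid/a
1460000030.000 35 10.0.0.5 TCP_MISS/200 6500 GET http://news.example.invalid/b
1460000060.010 11 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/ping
1460000119.990 13 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/ping
1460000135.000 33 10.0.0.5 TCP_MISS/200 6100 GET http://news.example.invalid/c
1460000180.020 12 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/ping
1460000240.000 12 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/ping
"""

def parse_log(text):
    """Group request timestamps (sorted) by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip malformed lines
        host = urlsplit(f[6]).hostname or f[6]
        series[(f[2], host)].append(float(f[0]))
    return {k: sorted(v) for k, v in series.items()}

def periodicity(timestamps, tolerance=0.1, min_requests=4):
    """Median gap and share of gaps within +/- tolerance of it; None if too few."""
    if len(timestamps) < min_requests:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    period = median(gaps)
    if period <= 0:  # only duplicate timestamps: no usable period
        return None
    hits = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    return period, hits / len(gaps)

def find_beacons(text, min_regularity=0.9):
    """Return (client, host) pairs whose request timing is near-periodic."""
    flagged = {}
    for key, ts in parse_log(text).items():
        result = periodicity(ts)
        if result and result[1] >= min_regularity:
            flagged[key] = result
    return flagged
```

Calling `find_beacons(SAMPLE_LOG)` flags only the `c2.example.invalid` pair (period about 60 s, regularity 1.0), while the irregular `news.example.invalid` browsing scores about 0.33 and is left alone.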
Bottazzi, G., Italiano, G., Rutigliano, G. (2016). Frequency domain analysis of large-scale proxy logs for botnet traffic detection. In Security of Information and Networks (SIN'16) (pp. 76-80). Association for Computing Machinery. doi:10.1145/2947626.2947634
Frequency domain analysis of large-scale proxy logs for botnet traffic detection
Bottazzi, G.; Italiano, G. F.; Rutigliano, G. G.
2016-01-01