An Algorithm for Anomaly-based Botnet Detection
Abstract:
We present an anomaly-based algorithm for detecting IRC-based botnet meshes. The algorithm combines an IRC mesh detection component with a TCP scan detection heuristic called the TCP work weight. The IRC component produces two tuples: one for determining the IRC mesh based on IP channel names, and a sub-tuple which collects statistics (including the TCP work weight) on individual IRC hosts in channels. We sort the channels by the number of scanners, producing a sorted list of potential botnets. This algorithm has been deployed in PSU’s DMZ for over a year and has proven effective in reducing the number of botnet clients.
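The two-tuple structure and the scanner-count ranking from the abstract, as an added toy example that is not the authors' code or the PSU deployment. The work weight formula (SYNs sent + FINs sent + RSTs received) / total TCP segments follows the authors' earlier ourmon definition as understood here, and the 0.9 scanner threshold, the sample IRC joins and the TCP counters are constructed assumptions.

```python
"""Toy IRC-mesh / TCP-work-weight botnet ranker.  Added example, not the paper's code."""
from collections import defaultdict

# Constructed sample: (channel, client IP) pairs seen in IRC JOIN traffic.
IRC_JOINS = [
    ("#updates", "10.0.0.5"), ("#updates", "10.0.0.6"), ("#updates", "10.0.0.7"),
    ("#chat", "10.0.1.2"), ("#chat", "10.0.1.3"),
]

# Constructed sample: per-host counters over one sampling period:
# (SYNs sent, FINs sent, RSTs received, total TCP segments sent + received).
TCP_COUNTS = {
    "10.0.0.5": (950, 10, 900, 2000),   # mostly SYNs and RSTs back: scanning
    "10.0.0.6": (850, 5, 800, 1800),    # scanning
    "10.0.0.7": (20, 18, 1, 4000),      # ordinary established traffic
    "10.0.1.2": (30, 28, 0, 5000),
    "10.0.1.3": (40, 35, 2, 6000),
}

WORK_WEIGHT_THRESHOLD = 0.90  # assumption: a host with w >= 0.9 is treated as a scanner


def tcp_work_weight(syns_sent, fins_sent, rsts_recv, total):
    """w = (Ss + Fs + Rr) / Tsr; near 1.0 means almost no payload-carrying segments."""
    return (syns_sent + fins_sent + rsts_recv) / total if total else 0.0


def build_channel_tuples(joins, tcp_counts):
    """Outer tuple: channel -> hosts.  Sub-tuple per host: work weight and scanner flag."""
    channels = defaultdict(dict)
    for chan, ip in joins:
        w = tcp_work_weight(*tcp_counts.get(ip, (0, 0, 0, 0)))
        channels[chan][ip] = {"work_weight": round(w, 3),
                              "scanner": w >= WORK_WEIGHT_THRESHOLD}
    return channels


def rank_channels(channels):
    """Sort channels by number of scanning members: (channel, scanners, members)."""
    rows = [(chan, sum(h["scanner"] for h in hosts.values()), len(hosts))
            for chan, hosts in channels.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for chan, scanners, members in rank_channels(build_channel_tuples(IRC_JOINS, TCP_COUNTS)):
        print(f"{chan}: {scanners}/{members} members scanning")
```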
BibTeX
@inproceedings {268936,
author = {James R. Binkley and Suresh Singh},
title = {An Algorithm for Anomaly-based Botnet Detection},
booktitle = {2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06)},
year = {2006},
address = {San Jose, CA},
url = {https://www.usenix.org/conference/sruti-06/algorithm-anomaly-based-botnet-detection},
publisher = {USENIX Association},
month = jul
}