SRUTI '06 Abstract
Pp. 43–48 of the Proceedings
An Algorithm for Anomaly-based Botnet Detection
James R. Binkley and Suresh Singh, Portland State University
Abstract
We present an anomaly-based algorithm for detecting IRC-based botnet meshes. The algorithm combines an IRC mesh detection component with a TCP scan detection heuristic called the TCP work weight. The IRC component produces two tuples: one for determining the IRC mesh based on IP channel names, and a sub-tuple which collects statistics (including the TCP work weight) on individual IRC hosts in channels. We sort the channels by the number of scanners, producing a sorted list of potential botnets. This algorithm has been deployed in PSU's DMZ for over a year and has proven effective in reducing the number of botnet clients.
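The abstract gives the pipeline only in outline (per-host scan statistics joined to IRC channel membership, channels ranked by scanner count). The following Python sketch is an added example, not the authors' code or Ourmon's, that runs that ranking step on constructed data. It assumes the Ourmon-style definition of the TCP work weight (SYNs sent + FINs sent + RSTs received, divided by all TCP packets the host sent and received) and a scanner cut-off of 0.5; neither the formula nor the threshold is stated in this abstract.

```python
"""Channel-ranking step of an IRC-mesh + TCP-work-weight botnet detector.

Added illustration, not code from Binkley & Singh or from Ourmon.
Assumptions not taken from the abstract:
  * work weight w = (SYNs sent + FINs sent + RSTs received) / total TCP pkts
  * a host with w >= SCANNER_THRESHOLD is counted as a scanner
  * IRC mesh membership comes from observed JOIN events (host, channel)
All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SCANNER_THRESHOLD = 0.5  # assumed cut-off, not from the paper


@dataclass(frozen=True)
class TcpCounts:
    syn_sent: int
    fin_sent: int
    rst_recv: int
    total: int  # all TCP packets sent and received by the host


def work_weight(c: TcpCounts) -> float:
    """Per-host TCP work weight (assumed Ourmon-style definition).

    A scanner sends many SYNs that draw RSTs (closed ports) and few
    full data exchanges, so its ratio approaches 1; a normal client
    with long-lived flows stays near 0.
    """
    if c.total == 0:
        return 0.0
    return (c.syn_sent + c.fin_sent + c.rst_recv) / c.total


def build_mesh(joins):
    """Channel tuple: channel name -> set of member hosts."""
    mesh = defaultdict(set)
    for host, chan in joins:
        mesh[chan].add(host)
    return mesh


def rank_channels(joins, counts, threshold=SCANNER_THRESHOLD):
    """Return (channel, n_scanners, n_hosts, scanners) sorted so the
    channel with the most scanning members comes first."""
    mesh = build_mesh(joins)
    ranked = []
    for chan, hosts in mesh.items():
        # sub-tuple: per-host statistics for members of this channel
        stats = {h: work_weight(counts.get(h, TcpCounts(0, 0, 0, 0)))
                 for h in hosts}
        scanners = sorted(h for h, w in stats.items() if w >= threshold)
        ranked.append((chan, len(scanners), len(hosts), scanners))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample: four hosts in #bot1, three of them scanning;
# #linux is a normal channel that one infected host also joined.
JOINS = [
    ("10.0.0.5", "#bot1"), ("10.0.0.6", "#bot1"),
    ("10.0.0.7", "#bot1"), ("10.0.0.8", "#bot1"),
    ("10.0.1.2", "#linux"), ("10.0.1.3", "#linux"), ("10.0.0.5", "#linux"),
]
COUNTS = {
    "10.0.0.5": TcpCounts(syn_sent=900, fin_sent=10, rst_recv=400, total=1500),
    "10.0.0.6": TcpCounts(syn_sent=600, fin_sent=5, rst_recv=300, total=1000),
    "10.0.0.7": TcpCounts(syn_sent=50, fin_sent=50, rst_recv=0, total=5000),
    "10.0.0.8": TcpCounts(syn_sent=700, fin_sent=0, rst_recv=100, total=1200),
    "10.0.1.2": TcpCounts(syn_sent=20, fin_sent=20, rst_recv=2, total=8000),
    "10.0.1.3": TcpCounts(syn_sent=10, fin_sent=10, rst_recv=0, total=3000),
}

if __name__ == "__main__":
    for chan, n_scan, n_hosts, scanners in rank_channels(JOINS, COUNTS):
        print(f"{chan}: {n_scan}/{n_hosts} scanning members {scanners}")
```

Note that a single infected host that also sits in a legitimate channel pulls that channel onto the list; the ranking by scanner count is what keeps the real mesh at the top rather than the shared channel.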
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.