Bayesian Bot Detection Based on DNS Traffic Similarity

Bots are often detected through their communication with a command and control (C&C) infrastructure. To evade such detection, botmasters increasingly obfuscate C&C communications, e.g., by using fast-flux or peer-to-peer protocols. However, commands tend to elicit similar actions in bots of the same botnet, and those actions leave similar traces in the bots' DNS traffic. The authors propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and a sensitivity analysis suggest that the proposed method is effective and robust.
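The abstract does not specify the paper's model, so the following is an added illustration rather than the authors' code: a naive Bayes scorer over per-host sets of queried names, trained on hosts already labelled as bots or benign, alongside a plain Jaccard similarity to each known bot's query set. The DNS log lines, the host labels, the class prior of 0.1 and the Laplace smoothing constant are all constructed assumptions for the example.

```python
"""Added example: naive-Bayes bot scoring over per-host DNS query sets.

Not the paper's code. Assumes a log of "<ts> <client_ip> <queried_name>"
lines and a few hosts already labelled as known bots or known benign.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): hosts .1/.2 are known bots,
# .3 is known benign, .4 and .5 are the hosts we want to score.
SAMPLE_LOG = """\
1 10.0.0.1 a1b2c3.example-c2.net
1 10.0.0.1 updates.example-c2.net
2 10.0.0.1 www.example.com
1 10.0.0.2 a1b2c3.example-c2.net
2 10.0.0.2 updates.example-c2.net
3 10.0.0.2 mail.example.org
1 10.0.0.3 www.example.com
2 10.0.0.3 mail.example.org
3 10.0.0.3 news.example.net
1 10.0.0.4 a1b2c3.example-c2.net
2 10.0.0.4 updates.example-c2.net
1 10.0.0.5 www.example.com
2 10.0.0.5 news.example.net
"""

KNOWN_BOTS = {"10.0.0.1", "10.0.0.2"}      # assumed labels
KNOWN_BENIGN = {"10.0.0.3"}                # assumed labels


def parse_log(text):
    """Map each client IP to the set of names it queried (case-folded)."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip blank or malformed lines
            continue
        _, client, name = parts
        hosts[client].add(name.lower().rstrip("."))
    return hosts


def jaccard(a, b):
    """Set similarity |a & b| / |a | b|; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def train(hosts, bots, benign, alpha=1.0):
    """Per-name Bernoulli likelihoods P(name queried | class), Laplace-smoothed."""
    vocab = set().union(*hosts.values())

    def rate(group):
        n = len(group)
        return {d: (sum(d in hosts[h] for h in group) + alpha) / (n + 2 * alpha)
                for d in vocab}

    return {"bot": rate(bots), "benign": rate(benign), "vocab": vocab}


def posterior_bot(model, queries, prior_bot=0.1):
    """P(bot | query set) under a Bernoulli naive-Bayes model, via log-odds."""
    log_odds = math.log(prior_bot) - math.log(1.0 - prior_bot)
    for d in model["vocab"]:
        pb, pn = model["bot"][d], model["benign"][d]
        if d not in queries:         # absence of a name is evidence too
            pb, pn = 1.0 - pb, 1.0 - pn
        log_odds += math.log(pb) - math.log(pn)
    return 1.0 / (1.0 + math.exp(-log_odds))


def score_unknown_hosts(log_text=SAMPLE_LOG, prior_bot=0.1):
    """Score every host that is not already labelled; return per-host features."""
    hosts = parse_log(log_text)
    model = train(hosts, KNOWN_BOTS, KNOWN_BENIGN)
    results = {}
    for h, q in hosts.items():
        if h in KNOWN_BOTS or h in KNOWN_BENIGN:
            continue
        results[h] = {
            "posterior_bot": posterior_bot(model, q, prior_bot),
            "max_jaccard_to_known_bot": max(jaccard(q, hosts[b]) for b in KNOWN_BOTS),
        }
    return results


if __name__ == "__main__":
    for host, feats in sorted(score_unknown_hosts().items()):
        print(host, {k: round(v, 3) for k, v in feats.items()})
```

With the constructed log, host 10.0.0.4 (which queries only the two names shared by the known bots) scores a posterior of roughly 0.74 despite the low prior, while 10.0.0.5 stays well under 0.01. The absence term in posterior_bot matters: a host that never touches any name seen from known bots is pushed toward benign rather than left at the prior, which is the behaviour you want when a few known infections are used as the reference set.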

Provided by: University of Pitesti
Topic: Security
Date Added: Mar 2009
Format: PDF
