BotCop: An Online Botnet Traffic Classifier

2009 Seventh Annual Communications Networks and Services Research Conference

Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi and Ali A. Ghorbani
Faculty of Computer Science, University of New Brunswick
Fredericton, NB E3B 5A3, Canada
{wlu, m.tavallaee, g.rammidi, ghorbani}@unb.ca

Abstract

A botnet is a network of compromised computers infected with malicious code that can be controlled remotely under a common command and control (C&C) channel. As one of the most serious security threats to the Internet, a botnet can not only be implemented with existing network applications (e.g. IRC, HTTP, or Peer-to-Peer) but can also be constructed by unknown or creative applications, thus making botnet detection a challenging problem. In this paper, we propose a new online botnet traffic classification system, called BotCop, in which the network traffic is fully classified into different application communities by using payload signatures and a novel decision tree model, and then, on each obtained application community, the temporal-frequent characteristic of flows is studied and analyzed to differentiate the malicious communication traffic created by bots from normal traffic generated by human beings. We evaluate our approach with about 30 million flows collected over one day on a large-scale WiFi ISP network, and the results show that the proposed approach successfully detects an IRC botnet from about 30 million flows with a high detection rate and a low false alarm rate.

1. Introduction

Over the past few years botnets have differentiated themselves as the main source of malicious activities such as distributed-denial-of-service (DDoS) attacks, phishing, spamming, keylogging, click fraud, identity theft and information exfiltration. Similar to other malicious software, botnets use a self-propagating application to infect vulnerable hosts. They, however, take advantage of a command and control (C&C) channel through which they can be updated and directed.

According to the command and control (C&C) model, botnets are divided into two groups: centralized (e.g., IRC and HTTP) and distributed (e.g., P2P). Centralized botnets employ two mechanisms to receive commands from the server, namely push and pull. In the push mechanism, bots are connected to the C&C server (e.g., an IRC server) and wait for commands from the botmaster. In contrast, in the pull mechanism, the botmaster places the commands in a file on the C&C server (e.g., an HTTP server), and the bots frequently connect to the server to read the latest commands. While in the centralized structure all bots receive the commands from a specific server, in the distributed structure the command files are shared over P2P networks by the botmaster, and bots use specific search keys to find the published command files. In reality, detecting and blocking such an IRC botnet is not a difficult task, since the whole botnet can be put down by blacklisting the IRC server. To overcome this issue, botnets have evolved by allowing more flexibility in the applied protocols, and they are now even transforming from the centralized structure into the advanced distributed strategy to remove the weakness of having a single point of failure. Compared to the traditional centralized C&C model, the distributed (Peer-to-Peer) botnet is much harder to detect and destroy because the bots' communication does not heavily depend on a few selected servers, and thus shutting down a single bot or even a couple of bots does not necessarily lead to the complete destruction of the whole botnet.

Early research on detecting botnets is mainly based on honeypots [1,2,3]. Setting up and installing honeypots on the Internet is very helpful for capturing malware and understanding the basic behavior of botnets, and, as a result, makes it possible to create bot binaries or botnet signatures. However, this analysis is always based on existing botnets and provides no solution for new botnets. To overcome this issue, new methods have been proposed to automatically detect botnets. These approaches can be categorized into two major groups: (1) passive anomaly analysis [e.g. 4,5]; and (2) traffic classification [e.g. 6]. Botnet detection based on passive anomaly analysis is usually independent of the traffic content and has the potential to find different types of botnets (e.g., HTTP, IRC and P2P). This approach is, however, limited to a specific botnet structure (e.g. centralized only). In contrast, traffic classification focuses on classifying network traffic into the corresponding applications, and then distinguishing between normal and malicious activities. The biggest challenge of this approach is the classification of traffic into appropriate application groups.

Authorized licensed use limited to: National Taiwan University. Downloaded on December 30, 2009 from IEEE Xplore. Restrictions apply.

Addressing the aforementioned challenges, we propose a hierarchical framework for next generation botnet detection, which consists of two levels: (1) in the higher level, all unknown network traffic is labeled and classified into different network application communities, such as the P2P community, HTTP Web community, Chat community, DataTransfer community, Online Games community, Mail Communication community, Multimedia (streaming and VoIP) community and Remote Access community; (2) in the lower level, focusing on each application community, we investigate and apply the temporal-frequent characteristics of network flows to differentiate malicious botnet behavior from normal application traffic. The major contributions of this paper include: (1) we propose a novel application discovery approach for automatically classifying network applications on a large-scale WiFi ISP network; and (2) we develop a generic algorithm to discriminate general botnet behavior from normal network traffic on a specific application community, which is based on the n-gram (frequent characteristics) of flow payload over a time period (temporal characteristics).

The rest of the paper is organized as follows. Section 2 introduces related work, in which we discuss some typical literature on the current botnet detection communities. The proposed online traffic classification method is discussed in Section 3. Section 4 presents the temporal-frequent characteristic and then explains our botnet detection approach. Section 5 is the experimental evaluation of our detection model with a mixture of around 30 million flows collected on a large-scale WiFi ISP network and a botnet traffic trace collected on a honeynet deployed on the public Internet. Finally, in Section 6 we make some concluding remarks and discuss future work.

2. Related work

Previous attempts to detect botnets are mainly based on honeypots, passive anomaly analysis and traffic classification.

In order to get a full understanding of botnet behavior, honeypots are widely installed and set up on the Internet to capture malware and consequently track and analyze the bots [1,2,3]. A typical example is the Nepenthes honeypot, which is commonly used to collect the shell code or bot binaries by mimicking a reply that can be generated by a vulnerable service. Rajab et al. in [1] deployed Nepenthes to collect malware in their unused IP address space. A honeynet consisting of VMWare virtual machines running Windows XP is used to capture any exploits that may be missed by Nepenthes. Once all binaries are collected, they use greybox testing, which runs the collected binary on a clean image of a Windows XP virtual machine while logging all traffic, to try and get details of how a compromised host will join that particular botnet in the wild. During this testing, network fingerprints are created to capture network information like DNS requests, destination IP addresses, contacted ports and the presence of default scanning behavior. IRC-related features are also extracted by running an IRC server in the testing hosts; any attempted connections are logged and an IRC fingerprint consisting of PASS, NICK, USER, MODE and JOIN values is created. Botnets are then tracked by joining a modified IRC tracker to the actual IRC server and observing it, and also by DNS cache probing. Although the honeypot based approach is quite helpful in creating bot binaries and bot signatures, it is always limited to existing botnets and provides no solution for new bots.

To overcome this shortcoming two botnet detection approaches have been proposed recently, namely traffic classification and passive anomaly analysis. A typical work of traffic classification based botnet detection using machine learning algorithms is illustrated in [6], in which Strayer et al. propose an approach for detecting botnets by examining flow characteristics such as bandwidth, duration, and packet timing in order to look for evidence of botnet command and control activities. They propose an architecture that first eliminates traffic that is unlikely to be part of a botnet, then classifies the remaining traffic into a group that is likely to be part of a botnet, and finally correlates the likely traffic to find common communication patterns that would suggest the activity of a botnet. Typical approaches of passive anomaly based botnet detection are discussed in [4,5]. In [4], Karasaridis et al. study network flows and detect IRC botnet controllers in four steps, of which the most important one is to identify hosts with suspicious behavior and isolate flow records to/from those hosts. In [5], Gu et al. investigate the spatial-temporal correlation and similarity in network traffic and implement a prototype system, BotSniffer, to detect botnets. All the above mentioned botnet detection techniques are either limited to specific C&C protocols or limited to specific botnet structures.

3. Traffic classification

Early common techniques for identifying network applications rely on the association of a particular port with a particular protocol. Such a port number based traffic classification approach has been proved to be ineffective due to: (1) the constant emergence of new peer-to-peer networking applications for which IANA does not define the corresponding port numbers [7], (2) the dynamic port number assignment for some applications (e.g. FTP for data transfer), and (3) the encapsulation of different services into the same application (e.g. chat or streaming can be encapsulated into the same HTTP protocol). Recent studies on network traffic application classification include "applying machine learning algorithms for clustering and classifying traffic flows based on a set of statistical features" [8,9], "modeling payload content signatures for traffic application classification" [10,11] and "identifying traffic based on heuristics derived from analysis of communication patterns of hosts" [12,13]. Although existing traffic classification mechanisms generate a number of good ideas, they are far from complete yet due to the limited number of applications they can identify and the rough application scopes (e.g. BLINC in [13] attempts to identify general P2P traffic instead of the specific underlying P2P applications like eDonkey or BitTorrent). Moreover, comparing all the above mentioned methods is difficult because of the lack of sharable datasets and appropriate metrics [14]. Addressing these limitations, we propose in this paper a hybrid mechanism for classifying flow applications on the fly, in which we first model and generate signatures for more than 470 applications according to the port numbers and protocol specifications of these applications, and then, concentrating on the unknown flows that cannot be identified by signatures, we investigate their temporal-frequent characteristics in order to differentiate them into the already labeled applications based on a decision tree trained by the corresponding temporal-frequent characteristics of known flows. Next we discuss the online traffic classification system in more detail.

3.1. Signatures based classifier

The payload signature based classifier investigates the characteristics of bit strings in the packet payload. For most applications, their initial protocol handshake steps are usually different and thus can be used for classification. Moreover, the protocol signatures can be modeled through either public documents like RFCs or empirical analysis for deriving the distinct bit strings on both TCP and UDP traffic. The signatures based classifier is deployed on Fred-eZone, a free wireless fidelity (WiFi) network service provider operated by the City of Fredericton [15]. Table 1 lists the general workload dimensions for the Fred-eZone network capacity. From Table 1, we see, for example, that the unique number of source IP addresses (SrcIP) that appeared over one day is about 1,055 thousand and the total number of packets is about 944 million. All the flows are bi-directional and we clean all unidirectional flows before applying the classifier. Table 2 lists the classification results over one hour of traffic collected on Fred-eZone. From Table 2, we see that about 249,000 flows can be identified by the application payload signatures and about 25,000 flows cannot be identified. A general result is that about 40% of flows cannot be classified by the current payload signatures based classification method. In the next section we build a module that works in parallel with the signatures based application detection engine. The new module focuses only on those applications that the signature-based detector could not identify and that appear to the signatures-based classifier as unknown.

Table 1. Workload of Fred-eZone WiFi network over 1 day

  SrcIP    DstIP    Flows     Packets   Bytes
  1055K    228K     30783K    994M      500G

Table 2. Classification results with one hour of traffic on Fred-eZone

  Known Applications                          Unknown Applications
  Flows    SrcIPs   DstIPs   App.             Flows    SrcIPs   DstIPs
  249K     102K     202K     82               25K      100K     1055K

3.2. Decision tree based classifier

N-gram byte distribution has proven its efficiency in detecting network anomalies. Wang et al. examine the 1-gram byte distribution of the packet payload, represent each packet as a 256-dimensional vector describing the occurrence frequency of each of the 256 ASCII characters in the payload, and then construct the normal packet profile by calculating the statistical average and deviation values of normal packets for a specific application service (e.g. HTTP) [16]. Anomalies are alerted once the Mahalanobis distance of the testing data from the normal profiles exceeds a predefined threshold. Gu et al. improve this approach and apply it to detecting malware infection in their recent work [17]. Differently from previous n-gram based approaches for network intrusion detection, we extend in this paper the n-gram frequency into the temporal domain and generate a set of 256-dimensional vectors representing the temporal-frequent characteristics of the ASCII binary bytes on the payload over a predefined time interval. By observing and analyzing the known network traffic applications, labeled by the signatures based classifier, over a long period on a large-scale WiFi ISP network, we found that the n-gram (i.e. n = 1 in particular) over a one second time interval for both source flow payload and destination flow payload is a strong enough feature to differentiate traffic applications. As an example, Figures 1 to 5 illustrate this novel temporal-frequent metric for the applications BitTorrent (P2P), Gnutella (P2P), LimeWire (P2P), HTTPWeb (WEB) and SecureWeb (WEB), respectively. Axis X in all these 5 figures is the ASCII characters from 0 to 255 on the source flow payload. Axis Y stands for the frequent value of each ASCII character that appeared over a predefined time interval (i.e. 1 second).

Figure 1. Temporal-frequent metric for source flow payload of BitTorrent application.

By comparing Figures 1 to 3 with Figures 4 and 5, we see that the temporal-frequent metrics of flow payload are very different for P2P and WEB applications. At a more fine-grained level, we see that the temporal-frequent metrics of flow payload for the applications BitTorrent, Gnutella and LimeWire are different as well, by comparing Figures 1 to 3. Similar results also apply to differentiating the two applications (i.e. HTTPWeb and SecureWeb) in the same application group (i.e. WEB). We denote the 256-dimensional n-gram byte distribution as a vector $\langle f_1^{t_i}, f_2^{t_i}, \ldots, f_{256}^{t_i} \rangle$, where $f_j^{t_i}$ stands for the frequency of the $j$th ASCII character on the flow payload over a time window $t_i$ ($j = 1, 2, \ldots, 256$; $i = 0, 1, 2, \ldots$) (i.e. the temporal-frequent metric of the flow payload). Given $n$ historical known flows for each specific application, we define an $n \times 256$ matrix, $P_{app}$, for profiling applications, which is illustrated as follows:

$$
P_{app} =
\begin{bmatrix}
f_1^{t_1} & f_2^{t_1} & \cdots & f_{256}^{t_1} \\
f_1^{t_2} & f_2^{t_2} & \cdots & f_{256}^{t_2} \\
\vdots & \vdots & \ddots & \vdots \\
f_1^{t_n} & f_2^{t_n} & \cdots & f_{256}^{t_n}
\end{bmatrix}
$$

Figure 2. Temporal-frequent metric for source flow payload of Gnutella application.
Figure 3. Temporal-frequent metric for source flow payload of LimeWire application.
Figure 4. Temporal-frequent metric for source flow payload of HTTPWeb application.
Figure 5. Temporal-frequent metric for source flow payload of SecureWeb application.

We create over 470 application profiling matrices for all the applications in the signature base. Unknown flows that cannot be identified by the signatures based classifier can therefore be labeled by the new application profiling matrices, because for unknown flows with payload, even though no signature is found to match in the signature base, their temporal-frequent characteristics can always be modeled and thus can be used for unknown traffic classification.

The decision tree technique is a good candidate for achieving the unknown traffic classification in this case due to its low computational complexity and its training capability for large-size datasets. A typical decision tree is represented in the form of a tree structure (e.g. Figure 6), in which each node is either a leaf node or a decision node. A leaf node indicates the value of the target class, such as Application = Gnutella in Figure 6, and a decision node specifies some test to be carried out on a single attribute value, with one branch and sub-tree for each possible outcome of the test, for instance the decision on $f_5$ with a branch test in Figure 6. A decision tree can be used to classify an example by starting at the root of the tree and moving through it until a leaf node is reached, which provides the classification of the instance. Suppose Figure 6 is the decision tree for application classification trained by the 256-dimensional attribute $\langle f_1, f_2, \ldots, f_{256} \rangle$; an unknown flow with a new 256-dimensional vector will be compared starting from the root node to see if its root attribute value is bigger than 0.1 or not, and if the testing result is not bigger than 0.1, then $f_5$ is selected to see if it is bigger than 0.3 or not; if it is bigger than 0.3, the unknown flow will be labeled as the Gnutella application. The training of the decision tree for obtaining a decision model is based on the historical 470 application profiling matrices, and each application profiling matrix includes at least 1,000 instances (i.e. the size of the matrix is 1000 × 256). The decision tree algorithm we apply is C4.5, proposed by Quinlan [18], since it is well known and has been frequently used over the years.

Figure 6. A typical decision tree for traffic classification (leaf nodes: App=Gnutella, App=BitTorrent, App=SecureWeb, App=LimeWire, App=HTTPWeb).

4. Botnet detection

The temporal-frequent characteristic based on the n-gram over a time period can not only be applied to train the decision tree model for traffic classification, but can also discriminate the malicious traffic by bots from the normal traffic created by human beings. The temporal feature is important in botnet detection due to two empirical observations of botnet behavior: (1) the response time of bots is usually immediate and accurate once they receive commands from the botmaster, while normal human behavior might perform an action with various possibilities after a reasonable thinking time, and (2) bots basically have preprogrammed activities based on the botmaster's commands, and thus all bots might be synchronized with each other. These two observations have been confirmed by a preliminary experiment conducted in [19]. As an example, Figures 7 and 8 illustrate the average byte frequency over normal IRC flows and IRC botnet flows, respectively. By comparing Figures 7 and 8, we see that the average byte frequency over a specific time period for normal IRC traffic is much smaller than the average byte frequency over a specific time period for botnet IRC traffic.

Figure 7. Average byte frequency over ASCIIs for normal IRC flows.
Figure 8. Average byte frequency over ASCIIs for botnet IRC flows.

After obtaining the n-gram (n = 1 in this case) features for flows over a time window, we then apply an agglomerative hierarchical clustering algorithm to cluster the data objects with these features. We do not construct normal profiles because normal traffic is sensitive to the practical networking environment and a high false positive rate might be generated when deploying the training model in a new environment. In contrast, the agglomerative hierarchical clustering is unsupervised and does not define a threshold that needs to be tuned in different cases. In our approach, the final number of clusters is set to 2. Given a set of $N$ data objects $F = \{F_i \mid i = 1, 2, \ldots, N\}$, where $F_i = \langle f_1^{t_i}, f_2^{t_i}, \ldots, f_{256}^{t_i} \rangle$, the detection approach is described in Algorithm 1. In practice, labeling clusters is always a challenging problem when applying unsupervised algorithms for intrusion detection. Previous intrusive cluster labeling methods are based on two assumptions: (1) there are two clusters only, one is normal and the other is intrusive, and (2) the number of instances in the normal cluster is much bigger than the number of instances in the intrusive cluster [20], and thus the cluster with the small number of instances is usually labeled as the intrusive cluster. We apply the same labeling strategy in this paper.

Algorithm 1. Implementation of Botnet detection approach

Function BotDel(F) returns botnet cluster
  Inputs: Collection of data objects $F_i = \langle f_1^{t_i}, f_2^{t_i}, \ldots, f_{256}^{t_i} \rangle$, $i = 1, 2, \ldots, N$
  Initialization: initialize the number of clusters $k$ (i.e. $k = N$) by assigning each data instance to a cluster so that each cluster contains only one data instance
  Repeat:
    $k \leftarrow k - 1$
    find the closest pair of clusters and then merge them into a single cluster
    compute the distance between the new cluster and each data object of the old clusters
  Until: $k = 2$
  calculate the number of instances in each cluster, $g_1, \ldots, g_m$, $m = k$
  If $g_b = \min(g_1, g_2, \ldots, g_m)$ then cluster $b$ is labeled as the botnet cluster
  Return the botnet cluster $b$ with $g_b$.

5. Experimental evaluation

We implement a prototype system for the approach and then evaluate it on a large-scale WiFi ISP network over one day. The botnet traffic is collected on a honeypot deployed on a real network and aggregated into 243 flows. The time interval for flow aggregation is 1 second. When evaluating the prototype system, we randomly insert and replay the botnet traffic flows into the normal daily traffic. Since our approach is a two-stage process (i.e. unknown traffic classification first and botnet detection on application communities next), the evaluation is accordingly divided into two parts: (1) the performance testing for unknown traffic classification, where, not only focusing on the capability of our approach to classify the unknown IRC traffic, we also concentrate on the classification accuracy for other unknown applications (e.g. new P2P), since we expect the algorithm could be extended to detect any newly appeared decentralized botnet; (2) the performance evaluation of the system in discriminating malicious IRC botnet traffic from normal human-being IRC traffic.
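As an added illustration (written for this page, not the authors' BotCop code) of the temporal-frequent 1-gram feature from Section 3.2 and the two-cluster agglomerative labeling of Algorithm 1, the following Python builds per-flow, per-second byte-count vectors from constructed IRC-like packets and flags the minority cluster; the Euclidean average-linkage distance and the sample traffic are assumptions of this example.

```python
"""Temporal-frequent 1-gram features and the two-cluster labeling of Algorithm 1.

Illustrative re-implementation written for this page, not the BotCop prototype.
Cluster distance is Euclidean average linkage (an assumption; the paper does not
name its linkage). The sample traffic below is constructed, not captured.
"""
from collections import defaultdict
import math

ALPHABET = 256  # one dimension per byte value 0..255, as in the paper


def temporal_frequent_vectors(packets, window=1.0):
    """Temporal-frequent metric: per flow and per `window`-second interval,
    count how often each byte value occurs in the payload (n-gram, n = 1).

    packets: iterable of (timestamp_seconds, flow_id, payload_bytes).
    Returns {(flow_id, window_index): [count_0, ..., count_255]}.
    """
    counts = defaultdict(lambda: [0] * ALPHABET)
    for ts, flow_id, payload in packets:
        bins = counts[(flow_id, int(ts // window))]
        for b in payload:
            bins[b] += 1
    return dict(counts)


def _euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def bot_detect(vectors):
    """Algorithm 1: agglomerative hierarchical clustering from k = N down to
    k = 2, then label the smaller cluster as the botnet cluster.

    Returns (labels, bot_label): labels[i] is the cluster (0 or 1) of
    vectors[i]; bot_label is the cluster index flagged as botnet.
    """
    clusters = [[i] for i in range(len(vectors))]  # k = N singletons

    def cluster_distance(c1, c2):
        # average linkage: mean pairwise distance between the two clusters
        return sum(_euclid(vectors[i], vectors[j])
                   for i in c1 for j in c2) / (len(c1) * len(c2))

    while len(clusters) > 2:  # each merge is one "k <- k - 1" step
        best = None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                d = cluster_distance(clusters[a], clusters[b])
                if best is None or d < best[0]:
                    best = (d, a, b)
        _, a, b = best
        clusters[a].extend(clusters.pop(b))  # merge the closest pair

    labels = [0] * len(vectors)
    for idx, members in enumerate(clusters):
        for m in members:
            labels[m] = idx
    # Labeling rule from the paper: the minority cluster is intrusive. With
    # equal sizes min() picks the first cluster, so a caller should treat a
    # tie as "no clear botnet cluster" rather than trust the label.
    bot_label = min(range(len(clusters)), key=lambda c: len(clusters[c]))
    return labels, bot_label


def detect_bot_flows(packets, window=1.0):
    """End to end: features, clustering, and the flow ids whose window
    vectors land in the botnet-labeled cluster."""
    vectors = temporal_frequent_vectors(packets, window)
    keys = sorted(vectors)
    labels, bot_label = bot_detect([vectors[k] for k in keys])
    return sorted({k[0] for k, lab in zip(keys, labels) if lab == bot_label})


def constructed_sample():
    """Constructed IRC-like traffic (not a real capture): six human chat flows
    that each type one short line with seconds of pause in between, and three
    bot flows that all answer a command inside the same second with a burst
    of long, near-identical status lines (the paper's two observations)."""
    human_lines = [
        b"PRIVMSG #chat :hi all\r\n",
        b"PRIVMSG #chat :brb, phone\r\n",
        b"PRIVMSG #chat :lol\r\n",
        b"PRIVMSG #chat :anyone seen the patch notes?\r\n",
        b"PRIVMSG #chat :yes, later\r\n",
        b"PRIVMSG #chat :ok\r\n",
    ]
    packets = [(i * 3.2, "human%d" % i, line)
               for i, line in enumerate(human_lines)]
    for bot in range(3):
        for rep in range(6):  # six replies inside one 1-second window
            line = b"PRIVMSG #ctl :bot%d status ok, awaiting command\r\n" % bot
            packets.append((0.1 + 0.05 * rep, "bot%d" % bot, line))
    return packets


if __name__ == "__main__":
    print("flows in botnet cluster:", detect_bot_flows(constructed_sample()))
```

The human windows carry a few dozen bytes each while every bot window carries a synchronized burst of several hundred, so the cross-group distances dwarf the within-group ones and the three bot flows end up alone in the smaller cluster.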
5.1. Evaluation on traffic classification

The traffic trace used in the experimental evaluation is collected over three consecutive days on a large-scale WiFi ISP network, in which we achieve a 60% classification rate over 100 million flows. The workload of the Fred-eZone network is illustrated in Table 1. In order to create the training dataset for learning the decision tree based classifier, 11 typical applications belonging to 8 typical application groups are modeled from known labeled flows, which are illustrated in Table 3. The size of the input data for training the decision tree is 11000 × 256. In order to validate the decision tree model we conduct a real-time classification evaluation in which the traffic trace collected over 2 days is used for training and the real-time traffic flows collected on the 3rd day are used for testing.

Table 3. Applications in the training dataset

  Application Name      Application Group
  BitTorrent            P2P
  Gnutella              P2P
  LimeWire              P2P
  HTTPWeb               WEB
  SecureWeb             WEB
  POP                   MAIL
  SMTP                  MAIL
  FTP                   DataTransfer
  MSN                   CHAT
  SSH                   RemoteAccess
  WindowsMediaPlayer    Streaming

During the online evaluation, the decision tree based classifier is deployed on a large-scale WiFi ISP network and works in parallel with the signature based classifier. More than 90,000 flows are collected over the testing day on the network and are forced to be identified as unknown; their real labels are illustrated in Table 4. Tables 5 and 6 describe the detailed classification accuracy for each specific application using the source flow based classifier and the destination flow based classifier, respectively. The general classification accuracy is illustrated in Table 7 for both classifiers. The online evaluation results show that the decision tree classifier based on destination flows achieves a 92.6% classification accuracy, which is higher than the 89.4% accuracy obtained by the source flow based classifier. All unknown flows are identified as specific applications and no unclassified flows occur, due to the deterministic mechanism of the decision tree structure.

Table 4. Distribution of "unknown" application flows

  Application           Number of Flows
  BitTorrent
  FTP                   224
  Gnutella              509
  HTTPWeb               626
  LimeWire              4
  MSN                   4049
  POP                   26
  SecureWeb             2886
  SMTP                  522
  SSH                   297
  WindowsMediaPlayer    722

Table 5. Classification results with source flow based decision tree classifier (columns: Applications, Number of Unknown Flows, Number of Labeled Flows; rows: BitTorrent, FTP, Gnutella, HTTPWeb, LimeWire, MSN, POP, SecureWeb, SMTP, SSH, WindowsMediaPlayer).

Table 6. Classification results with destination flow based decision tree classifier (columns: Applications, Number of Unknown Flows, Number of Labeled Flows; rows: BitTorrent, FTP, Gnutella, HTTPWeb, LimeWire, MSN, POP, SecureWeb, SMTP, SSH, WindowsMediaPlayer).

Table 7. General classification accuracy for both classifiers (for the decision tree classifier based on source flows and the one based on destination flows: Total Number of Unknown Flows, Number of Identified Flows, Classification Accuracy (%)).

5.2. Evaluation on botnet detection

During the evaluation of botnet detection, the proposed approach is evaluated with one day of traffic. Table 8 shows the flow distribution for the application community with bot flows and the total number of flows after the traffic classification step. As illustrated in Table 8, the total number of flows is 32,693K and the number of flows labeled by the payload signature based classifier is 20,596K. The rest, the unknown flows, are 12,097K, of which 243 unknown flows are classified into the known IRC community (i.e. they actually represent the IRC C&C bot flows). Since we know all these unknown flows actually belong to IRC, our approach obtains 100% accuracy for classifying these malicious bot C&C flows into their own application community. Next, we evaluate the capability of our approach for discriminating the bot generated traffic from normal traffic in the same application community. In Table 9, we show the detection results in terms of the number of correctly detected bot C&C flows and the number of falsely detected bot flows over the actual number of bot flows and normal flows in the specific community. From Table 8, we see that the total number of flows we collect for one day is over 30 million and the total number of known flows which can be labeled by the payload signatures is over 20 million. The number of IRC C&C flows is a very small part of the total flows. Our traffic classification approach can classify the unknown (malicious) IRC flows into the IRC application community with a 100% classification rate on the evaluation. All the IRC C&C flows are differentiated from the normal traffic with a low false alarm rate, i.e. only 4 false alarms on the evaluation.

Table 8. Description of application community

  Total Flows   Known Flows   Unknown Flows
  32693K        20596K        12097K

Table 9. Detection performance

  Community   Normal IRC + Bot C&C Flows   Detected Bot C&C   Number of Falsely Identified Bot C&C
  IRC         264 (21 normal, 243 bot)     243                4

6. Conclusions

In this paper, we present a novel generic botnet traffic classification framework, in which unknown applications on the current network are firstly classified into different application communities, such as the Chat (or more specifically IRC) community, P2P community and Web community, to name a few, and then, focusing on each application community, a novel temporal-frequent characteristic is applied for discriminating network traffic by bots from normal network traffic by human beings. Since botnets usually exploit existing application protocols, our approach can be extended to find different types of botnets and has the potential to find new botnets when specifically exploring the traffic in the "unknown" community. In particular, we evaluate our framework on the IRC chat community, and the evaluation results show that our approach obtains a very high detection rate (approaching 100% for IRC bots) with a low false alarm rate when detecting IRC botnet traffic. In the immediate future, we will evaluate our approach on the P2P community and measure its performance on P2P based botnets.

Acknowledgement

The authors graciously acknowledge the funding from the Atlantic Canada Opportunity Agency (ACOA) through the Atlantic Innovation Fund (AIF) to Dr. Ali Ghorbani.

References

[1] M.A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41-52.
[2] V. Yegneswaran, P. Barford, and V. Paxson, "Using honeynets for internet situational awareness," In Proceedings of the 4th Workshop on Hot Topics in Networks, College Park, MD.
[3] F. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: exploring a root-cause methodology to prevent Denial of Service attacks," In Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS 05).
[4] A. Karasaridis, B. Rexroad, and D. Hoeflin, "Wide-scale botnet detection and characterization," In Proceedings of the 1st Conference on 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA.
[5] G.F. Gu, J.J. Zhang, and W.K. Lee, "BotSniffer: detecting botnet command and control channels in network traffic," In Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, February.
[6] T. Strayer, D. Lapsley, R. Walsh, and C. Livadas, "Botnet detection based on network behavior," Botnet Detection: Countering the Largest Security Threat, in Series: Advances in Information Security, Vol. 36, W.K. Lee, C. Wang, D. Dagon (Eds.), Springer.
[7] IANA port numbers, available and retrieved in Dec.
[8] J. Erman, A. Mahanti, M. Arlitt, I. Cohen, and C. Williamson, "Offline/realtime traffic classification using semi-supervised learning," Performance Evaluation, Vol. 64, No. 9-12, 1194-1213.
[9] L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian, "Traffic classification on the fly," ACM SIGCOMM Computer Communication Review, Vol. 36, Issue 2, 23-26, 2006.
[10] L. Bernaille and R. Teixeira, "Early recognition of encrypted applications," In Proceedings of the Passive and Active Measurement Conference (PAM 2007), Louvain-la-neuve, Belgium, 65-75.
[11] S. Sen and J. Wang, "Analyzing peer-to-peer traffic across large networks," In Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseilles, France.
[12] A. Moore and K. Papagiannaki, "Toward the accurate identification of network applications," In Proceedings of the 6th Passive and Active Measurement Workshop (PAM 2005).
[13] T. Karagiannis, K. Papagiannaki, and M. Faloutsos, "BLINC: multilevel traffic classification in the dark," In Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Philadelphia, Pennsylvania.
[14] L. Salgarelli, F. Gringoli, and T. Karagiannis, "Comparing traffic classifiers," ACM SIGCOMM Computer Communication Review, Volume 37, Issue 3, 65-68.
[15] Fred-eZone WiFi ISP, available and retrieved in December 2008.
[16] K. Wang and S. Stolfo, "Anomalous payload-based network intrusion detection," In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France.
[17] G.F. Gu, P. Porras, V. Yegneswaran, M. Fong, and W.K. Lee, "BotHunter: detecting malware infection through IDS-driven dialog correlation," In Proceedings of the 16th USENIX Security Symposium, Boston, MA.
[18] J.R. Quinlan, C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers, 1993.
[19] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior," In Proceedings of the 2007 International Symposium on Applications and the Internet Workshops.
[20] E. Eskin, "Anomaly detection over noisy data using learned probability distributions," In Proceedings of the 17th International Conference on Machine Learning, Palo Alto.

More information

Traffic Classification with Sampled NetFlow

Traffic Classification with Sampled NetFlow Traffic Classification with Sampled NetFlow Valentín Carela-Español, Pere Barlet-Ros, Josep Solé-Pareta Universitat Politècnica de Catalunya (UPC) {vcarela,pbarlet,pareta}@ac.upc.edu Abstract The traffic

More information

Discovering and Analyzing Deviant Communities: Methods and Experiments

Discovering and Analyzing Deviant Communities: Methods and Experiments Discovering and Analyzing Deviant Communities: Methods and Experiments Napoleon C. Paxton *, Dae-il Jang **, Ira S. Moskowitz *, Gail-Joon Ahn ** and Stephen Russell * * Information Technology Division,

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System Detection of DDoS Attack Using Virtual Security N.Hanusuyakrish, D.Kapil, P.Manimekala, M.Prakash Abstract Distributed Denial-of-Service attack (DDoS attack) is a machine which makes the network resource

More information

Taxonomy of Hybrid Honeypots

Taxonomy of Hybrid Honeypots 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore Taxonomy of Hybrid Honeypots Hamid Mohammadzadeh.e.n 1, Masood Mansoori 2 and Roza

More information

WEB APPLICATION FIREWALL

WEB APPLICATION FIREWALL WEB APPLICATION FIREWALL CS499 : B.Tech Project Final Report by Namit Gupta (Y3188) Abakash Saikia (Y3349) under the supervision of Dr. Dheeraj Sanghi submitted to Department of Computer Science and Engineering

More information