The Command and Control communication of a botnet is evolving into sophisticated covert communication. Techniques such as encryption, steganography, and, more recently, the use of social network websites as a proxy impede conventional detection of botnet communication. In this paper we propose detecting covert communication by passive, host-external analysis of the causal relationships between traffic flows and prior traffic or user activity. Identifying the direct causes of traffic flows allows real-time bot detection with low exposure to malware, as well as offline forensic analysis of traffic. The proposed causal analysis of traffic is experimentally evaluated with a self-developed tool called CITRIC on various types of real Command and Control traffic. © Springer International Publishing Switzerland 2013.
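To make the idea of the abstract concrete, the following added example (not CITRIC's code, and not the paper's actual algorithm) sketches a causal analysis over a constructed, host-external event stream: each outbound flow or DNS query is attributed to a direct cause (recent user input, an explained DNS answer for its destination, or an explained prior flow), and only events that are themselves explained may serve as causes. Flows without a direct cause are reported as candidates for covert C&C; the time windows, event kinds and addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: float        # seconds since capture start
    kind: str        # "user", "dns" (answer name->ip) or "flow" (outbound, to ip)
    ip: str = ""     # flow destination, or address returned in the DNS answer
    name: str = ""   # queried name (dns events only)
    cause: str = ""  # set by analyse(); empty means no direct cause found

# Assumed windows (illustrative, not the paper's): how long after its cause an event may start.
USER_WINDOW = 5.0    # user input explains a flow or DNS query
DNS_WINDOW = 30.0    # an explained DNS answer for the destination explains a flow to it
FLOW_WINDOW = 10.0   # an explained prior flow explains a follow-on flow (e.g. page assets)

def analyse(events):
    """Assign each dns/flow event its direct cause; only explained events may act as causes."""
    events = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(events):
        if e.kind == "user":
            continue
        for p in reversed(events[:i]):          # most recent candidate cause first
            age = e.ts - p.ts
            if p.kind == "user" and age <= USER_WINDOW:
                e.cause = f"user@{p.ts}"
                break
            if p.kind == "dns" and e.kind == "flow" and p.ip == e.ip and age <= DNS_WINDOW and p.cause:
                e.cause = f"dns:{p.name}"
                break
            if p.kind == "flow" and age <= FLOW_WINDOW and p.cause:
                e.cause = f"flow:{p.ip}@{p.ts}"
                break
    return events

def unexplained(events):
    """Flows and DNS queries with no direct cause: candidates for covert C&C traffic."""
    return [e for e in analyse(events) if e.kind != "user" and not e.cause]

def sample_events():
    """Constructed capture: a user-driven page load, then beacons from an otherwise idle host."""
    return [
        Event(0.0, "user"),
        Event(0.4, "flow", ip="93.184.216.34"),                        # caused by the user input
        Event(1.5, "dns", ip="203.0.113.10", name="cdn.example.net"),  # caused by the page flow
        Event(6.0, "flow", ip="203.0.113.10"),                         # caused by that DNS answer
        Event(7.0, "flow", ip="198.51.100.7"),   # beacon riding on legitimate activity: explained (a known limit)
        Event(60.0, "flow", ip="198.51.100.7"),  # idle host, nothing precedes it: unexplained
        Event(120.0, "flow", ip="198.51.100.7"),
        Event(125.0, "flow", ip="198.51.100.7"), # only an unexplained flow precedes it: still unexplained
    ]
```

The beacon at t=7.0 shows the method's coverage limit: traffic that starts shortly after legitimate activity inherits a cause, so the windows have to be tuned against the false-negative rate as well as the false-positive rate.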
CITATION STYLE
Burghouwt, P., Spruit, M., & Sips, H. (2013). Detection of covert botnet command and control channels by causal analysis of traffic flows. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8300 LNCS, pp. 117–131). https://doi.org/10.1007/978-3-319-03584-0_10