DeBot: A novel network‐based mechanism to detect exfiltration by architectural stealthy botnets

Abstract

Malicious actors use networks of compromised and remotely controlled hosts, known as botnets, to execute different classes of cyberattacks, including exfiltration of sensitive data. Recently, we have observed a trend toward more resilient botnet architectures, departing from traditional centralized architectures and enabling botnets to evade detection and persist in a system indefinitely. Botnets can achieve resilience through architectural stealth, by establishing overlay networks that minimize exposure of malicious traffic to detectors. To address this problem, we propose a novel network‐based detection scheme, called DeBot, which identifies traffic flows associated with exfiltration attempts. The proposed solution intercepts traffic from different monitoring points and leverages differences in the network behavior of botnets and benign users to identify suspicious flows. To this aim, we first develop a mechanism to identify monitoring points that are likely to intercept a significant volume of malicious traffic. Then, we analyze flow characteristics to identify suspicious hosts and use periodogram analysis to identify malicious flows originating from those hosts. We evaluate the proposed approach against different botnets in the CyberVAN testbed and compare its performance against state‐of‐the‐art detection techniques. The results indicate that DeBot is effective in detecting botnet activity, thus enabling the identification and removal of bots.