BotSpot: Anonymous and Distributed Malware Detection

Abstract

The widespread use of broadband Internet connections has given rise to a new threat against service providers and subscribers alike. Botnets are vast networks of compromised hosts under the control of single masters who possess the ability to launch crippling denial of service attacks, send vast quantities of unsolicited e-mail messages and infect thousands of vulnerable systems with privacy-violating spyware and other forms of malicious software. Our goal is to propose a distributed architecture and introduce novel algorithms for recognizing malicious (potential botnet) activity based on network traffic statistics generated by NetFlow. Scalability and robustness were the main principles during the design of the architecture. In this paper, we demonstrate that we are able to reduce the number of NetFlow records significantly with our own aggregation scheme. Furthermore, we are able to detect botnet participant computers (zombies) with the help of aggregated samples originating from various local networks, while the algorithms provide utmost anonymity to network operators. © Springer-Verlag Berlin Heidelberg 2010.

Cite

Kenyeres, P., Szentgyörgyi, A., Mészáros, T., & Fehér, G. (2010). BotSpot: Anonymous and Distributed Malware Detection. In Communications in Computer and Information Science (Vol. 84, pp. 59–70). https://doi.org/10.1007/978-3-642-14171-3_6
