Ph.D. Defense of Dissertation Announcement

Title: Effective and Scalable Botnet Detection in Network Traffic

Junjie Zhang
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Monday, June 4th, 2012
Time: 10:00 AM - 12:00 PM
Location: Klaus 3126 (GTISC War Room)

Committee:

• Prof. Wenke Lee, School of Computer Science (Advisor)
• Prof. Mustaque Ahamad, School of Computer Science
• Prof. Nick Feamster, School of Computer Science
• Prof. Patrick Traynor, School of Computer Science
• Prof. John Copeland, School of Electrical and Computer Engineering

Abstract:
Botnets represent one of the most serious threats against Internet security since they serve as platforms that are responsible for the vast majority of large-scale and coordinated cyber attacks, such as distributed denial of service, spamming, and information stolen.
Detecting botnets is therefore of great importance and a number of network-based botnet detection systems have been proposed. However, as botnets perform attacks in an increasingly stealthy way and the volume of network traffic is rapidly growing, existing botnet detection systems are faced with significant challenges in terms of effectiveness and scalability.

The objective of this dissertation is to build novel network-based solutions that can boost both the effectiveness of existing botnet detection systems by detecting botnets whose attacks are very hard to be observed in network traffic, and their scalability by adaptively sampling network packets that are likely generated by botnets. To be specific, this dissertation describes three unique contributions.

First, we built a new system to detect drive-by download attacks, which represent one of the most significant and popular methods for botnet infection. The goal of our system is to boost the effectiveness of existing drive-by download detection systems by detecting a large number of drive-by download attacks that are missed by these existing detection efforts.

Second, we built a new system to detect botnets with peer-to-peer (P2P) command and control (C&C) channels (a.k.a. P2P botnets), where P2P C&Cs represent currently the most robust C&C structures against disruption efforts. Our system aims to boost the effectiveness of existing P2P botnet detection by detecting P2P botnets in two challenging scenarios: i) botnets perform stealthy attacks that are extremely hard to be observed in the network traffic; ii) bot-infected hosts are also running legitimate P2P applications (e.g., Bittorrent and Skype).

Finally, we built a novel traffic analysis framework to boost the scalability of existing botnet detection systems. Our framework can effectively and efficiently identify a small percentage of hosts that are likely to be bots, and then forward network traffic associated with these hosts to existing detection systems for fine-grained analysis, thereby boosting the scalability of existing detection systems. Our traffic analysis framework includes a novel botnet-aware and adaptive packet sampling algorithm, and a scalable flow-correlation technique.