The objective of our research is to develop a botnet detection and identification framework using traffic identification techniques. A botnet is a collection of Internet-connected computers that have been compromised and are controlled remotely by an intruder through malicious software called bots. Botnets are created for many different purposes, such as conducting distributed denial of service (DDoS) attacks, spreading spam, running click-fraud scams, stealing personal user information (e.g. credit card numbers, social security numbers), or exploiting the combined computational resources of the bots to carry out distributed computing tasks.
There are three main approaches to network traffic identification. The first and most trivial one is based on port analysis. The problems with port-based identification are its high false identification rate and the fact that thousands of network applications today do not use registered TCP/UDP ports (or deliberately hide behind well-known ones). The second approach is based on packet payload analysis. Payload analysis has the lowest false identification rate of the three approaches; however, two major issues limit it. First, it is computationally intensive and degrades network performance. Second, it poses a potentially significant threat to privacy, and it fails outright once the payload is encrypted. The third approach is based on detecting distinctive network traffic behaviors. Traffic behavior analysis does not depend on the packet payload, which means that it works with encrypted protocols as well. The required traffic information (packet timing, sizes, flow volumes) can usually be retrieved easily from existing network devices without significantly affecting network performance or service availability. For these reasons, in this work we use traffic behavior analysis coupled with suitable machine learning techniques to identify malicious botnet traffic.
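The following is an added illustration, not code from the project described above, of why port-based identification fails and behavior-based identification does not. It uses constructed flow records (packet timestamps and payload sizes only, as a flow collector would export them), extracts payload-independent features, and trains a minimal nearest-centroid classifier as a stand-in for the machine learning techniques the project uses. A bot command-and-control channel that beacons over port 80 is labelled "web" by the port lookup but "bot" by the behavior classifier; a legitimate web flow on an unregistered port is "unknown" to the port lookup but "web" to the classifier. The feature set, the sample flows and the class labels are assumptions made for the example.

```python
"""Added example: port-based vs behavior-based flow identification.

Not the project's code. Sample flows are constructed; timestamps are in
seconds, payload sizes in bytes, one entry per packet.
"""
import math
from statistics import mean, pstdev

# --- port-based identification: a static lookup, blind to what rides on the port
PORT_TABLE = {80: "web", 443: "web", 25: "smtp", 6667: "irc"}


def identify_by_port(flow):
    return PORT_TABLE.get(flow["dport"], "unknown")


# --- behavior-based identification: features from timing and size only
def _cv(xs):
    """Coefficient of variation; 0.0 means perfectly regular (or too few samples)."""
    if len(xs) < 2:
        return 0.0
    m = mean(xs)
    return pstdev(xs) / m if m else 0.0


def flow_features(flow):
    """Payload-agnostic features, so encrypted traffic is handled the same way."""
    ts, sizes = flow["timestamps"], flow["sizes"]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return [
        _cv(gaps),                                 # beacon regularity
        _cv(sizes),                                # payload-size regularity
        math.log1p(mean(sizes)),                   # typical packet size
        sum(s < 200 for s in sizes) / len(sizes),  # share of tiny packets
    ]


class NearestCentroid:
    """Minimal ML classifier: standardise features, then pick the closest class mean."""

    def fit(self, X, y):
        self.mu = [mean(col) for col in zip(*X)]
        self.sd = [pstdev(col) or 1.0 for col in zip(*X)]  # guard constant columns
        Z = [self._scale(x) for x in X]
        self.centroids = {}
        for label in set(y):
            rows = [z for z, lab in zip(Z, y) if lab == label]
            self.centroids[label] = [mean(col) for col in zip(*rows)]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def make_flow(dport, gaps, sizes):
    """Build a constructed flow record from inter-packet gaps and packet sizes."""
    ts = [0.0]
    for g in gaps:
        ts.append(ts[-1] + g)
    return {"dport": dport, "timestamps": ts, "sizes": sizes}


# Constructed, labelled training flows: bursty/varied = web, periodic/constant = bot.
TRAINING = [
    (make_flow(80, [0.1, 2.3, 0.05, 5.0, 0.4, 1.2, 0.02, 3.1],
               [1460, 320, 1460, 88, 1200, 540, 1460, 60, 900]), "web"),
    (make_flow(443, [0.3, 0.02, 7.5, 0.9, 0.01, 4.4, 0.2, 1.8],
               [1380, 64, 1460, 1460, 200, 720, 52, 1460, 410]), "web"),
    (make_flow(6667, [30.0, 30.1, 29.9, 30.0, 30.2, 29.8, 30.0, 30.1],
               [112] * 9), "bot"),
    (make_flow(6667, [60.0, 60.2, 59.8, 60.1, 59.9, 60.0, 60.1, 59.9],
               [96, 96, 96, 100, 96, 96, 96, 96, 100]), "bot"),
]


def build_classifier():
    X = [flow_features(f) for f, _ in TRAINING]
    y = [label for _, label in TRAINING]
    return NearestCentroid().fit(X, y)


def identify_by_behavior(flow, clf=None):
    clf = clf or build_classifier()
    return clf.predict(flow_features(flow))


# Constructed evaluation flows (not seen in training).
BEACON_ON_HTTP = make_flow(80, [300.0, 300.1, 299.9, 300.0, 300.2, 299.8, 300.0, 300.1],
                           [148] * 9)              # C2 beacon hiding on port 80
WEB_ON_ODD_PORT = make_flow(8080, [0.05, 3.2, 0.4, 0.01, 6.0, 0.7, 0.03, 2.2],
                            [1460, 1460, 76, 900, 1460, 240, 1100, 64, 1460])

if __name__ == "__main__":
    clf = build_classifier()
    for name, f in [("beacon on tcp/80", BEACON_ON_HTTP), ("web on tcp/8080", WEB_ON_ODD_PORT)]:
        print(f"{name:18s} port-based={identify_by_port(f):8s} "
              f"behavior-based={identify_by_behavior(f, clf)}")
```

Only timing and size statistics enter the classifier, so the same code applies unchanged to TLS or a custom encrypted C2 protocol. A real deployment would use flow records at scale and a more capable learner, but the contrast between the two verdicts is the point the approaches above make.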
People
- Dr. Issa Traore, Coordinator
- Mr. Bassam Sayed, Investigator
- Mr. Marcelo Luiz Brocardo, Investigator
- Mr. David Zhao, Investigator
- Mr. Erik Johnson, Investigator