Characterizing Roles and Spatio-Temporal Relations of C&C Servers in Large-Scale Networks
Title | Characterizing Roles and Spatio-Temporal Relations of C&C Servers in Large-Scale Networks |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Fontugne, Romain, Mazel, Johan, Fukuda, Kensuke |
Conference Name | Proceedings of the 2016 ACM International on Workshop on Traffic Measurements for Cybersecurity |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4284-1 |
Keywords | Botnet, botnets, C&C server, Human Behavior, Internet traffic, pubcrawl, traffic monitoring |
Abstract | Botnets are accountable for numerous cybersecurity threats. A lot of effort has been dedicated to botnet intelligence, but botnets' versatility and rapid adaptation make them particularly difficult to outwit. Prompt countermeasures require effective tools to monitor the evolution of botnets. Therefore, in this paper we analyze 5 months of traffic from different botnet families, and propose an unsupervised clustering technique to identify the different roles assigned to C&C servers. This technique allows us to classify servers with similar behavior and effectively identify bots contacting several servers. We also present a temporal analysis method that uncovers synchronously activated servers. Our results characterize 6 C&C server roles that are common to various botnet families. In the monitored traffic we found that servers are usually involved in a specific role, and we observed a significant number of C&C servers scanning the Internet. |
URL | http://doi.acm.org/10.1145/2903185.2903192 |
DOI | 10.1145/2903185.2903192 |
Citation Key | fontugne_characterizing_2016 |