Leveraging Controlled Information Sharing for Botnet Activity Detection

Title: Leveraging Controlled Information Sharing for Botnet Activity Detection
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Ardi, Calvin; Heidemann, John
Conference Name: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity
Publisher: ACM
ISBN Number: 978-1-4503-5910-8
Keywords: Botnet detection, botnets, compositionality, cybersecurity, data sharing, information sharing, Metrics, pubcrawl, resilience, Resiliency
Abstract

Today's malware often relies on DNS to enable communication with command-and-control (C&C). As defenses that block C&C traffic improve, malware uses sophisticated techniques to hide this traffic, including "fast flux" names and Domain-Generation Algorithms (DGAs). Detecting this kind of activity requires analysis of DNS queries in network traffic, yet these signals are sparse. As bot countermeasures grow in sophistication, detecting these signals increasingly requires the synthesis of information from multiple sites. Yet sharing security information across organizational boundaries has, to date, been infrequent and ad hoc because of unknown risks and uncertain benefits. In this paper, we take steps towards formalizing cross-site information sharing and quantifying the benefits of data sharing. We use a case study on DGA-based botnet detection to evaluate how sharing cybersecurity data can improve detection sensitivity and allow the discovery of malicious activity with greater precision.

URL: https://dl.acm.org/citation.cfm?doid=3229598.3229602
DOI: 10.1145/3229598.3229602
Citation Key: ardi_leveraging_2018