Leveraging Controlled Information Sharing for Botnet Activity Detection

Ardi, Calvin and Heidemann, John
USC/Information Sciences Institute

citation

Calvin Ardi and John Heidemann 2018. Leveraging Controlled Information Sharing for Botnet Activity Detection. Proceedings of the ACM SIGCOMM Workshop on Traffic Measurements for Cybersecurity (Budapest, Hungary, Aug. 2018), 14–20. [DOI] [PDF]

abstract

Today’s malware often relies on DNS to enable communication with command-and-control (C&C). As defenses that block traffic improve, malware uses sophisticated techniques to hide this traffic, including “fast flux” names and Domain-Generation Algorithms (DGAs). Detecting this kind of activity requires analysis of DNS queries in network traffic, yet these signals are sparse. As bot countermeasures grow in sophistication, detecting these signals increasingly requires the synthesis of information from multiple sites. Yet sharing security information across organizational boundaries to date has been infrequent and ad hoc because of unknown risks and uncertain benefits. In this paper, we take steps towards formalizing cross-site information sharing and quantifying the benefits of data sharing. We use a case study on DGA-based botnet detection to evaluate how sharing cybersecurity data can improve detection sensitivity and allow the discovery of malicious activity with greater precision.

reference

@inproceedings{Ardi18a,
  author = {Ardi, Calvin and Heidemann, John},
  title = {Leveraging Controlled Information Sharing for Botnet Activity Detection},
  booktitle = {Proceedings of the {ACM} SIGCOMM Workshop on Traffic Measurements for Cybersecurity},
  year = {2018},
  sortdate = {2018-08-19},
  project = {ant, retrofuturebridge, lacanic},
  jsubject = {network_observation},
  month = aug,
  pages = {14--20},
  address = {Budapest, Hungary},
  publisher = {ACM},
  location = {johnh: pafile},
  keywords = {retro-future, cross-organization data sharing},
  doi = {https://doi.org/10.1145/3229598.3229602},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.pdf},
  blogurl = {https://ant.isi.edu/blog/?p=1239},
  authorizeurl = {https://dl.acm.org/authorize?N666558},
  copyrightholder = {authors},
  myorganization = {USC/Information Sciences Institute}
}