16th USENIX Security Symposium – Abstract
Pp. 167–182 of the Proceedings
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
Guofei Gu, Georgia Institute of Technology; Phillip Porras, Vinod Yegneswaran, and Martin Fong, SRI International; Wenke Lee, Georgia Institute of Technology
We present a new kind of network perimeter monitoring strategy, which
focuses on recognizing the infection and coordination dialog that
occurs during a successful malware infection. BotHunter is an
application designed to track the two-way communication flows between
internal assets and external entities, developing an evidence trail of
data exchanges that match a state-based infection sequence model.
BotHunter consists of a correlation engine that is driven by three
malware-focused network packet sensors, each charged with detecting
specific stages of the malware infection process, including inbound
scanning, exploit usage, egg downloading, outbound bot coordination
dialog, and outbound attack propagation. The BotHunter correlator
then ties together the dialog trail of inbound intrusion alarms with
those outbound communication patterns that are highly indicative
of successful local host infection. When a sequence of evidence is
found to match BotHunter's infection dialog model, a consolidated
report is produced to capture all the relevant events and event
sources that played a role during the infection process. We refer to
this analytical strategy of matching the dialog flows between internal
assets and the broader Internet as dialog-based correlation, and
contrast this strategy to other intrusion detection and alert
correlation methods. We present our experimental results using
BotHunter in both virtual and live testing environments, and discuss
our Internet release of the BotHunter prototype. BotHunter is made
available both for operational use and to help stimulate research in
understanding the life cycle of malware infections.
- View the full text of this paper in HTML and PDF. Listen to the presentation in MP3 format.
Until August 2008, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.