An Algorithm for Anomaly-based Botnet Detection

We present an anomaly-based algorithm for detecting IRC-based botnet meshes. The algorithm combines an IRC mesh detection component with a TCP scan detection heuristic called the TCP work weight. The IRC component produces two tuples, one for determining the IRC mesh based on IP channel names, and a sub-tuple which collects statistics (including the TCP work weight) on individual IRC hosts in channels. We sort the channels by the number of scanners producing a sorted list of potential botnets. This algorithm has been deployed in PSU’s DMZ for over a year and has proven effective in reducing the number of botnet clients.
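The ranking step the abstract describes, as an added example that is not the paper's code: a channel tuple (channel name to the set of hosts seen joining it), a per-host sub-tuple carrying TCP counters and the derived work weight, and a sort of channels by how many of their hosts look like scanners. The work weight formula (control packets over total TCP packets), the 0.9 cutoff, and the sample IRC joins and TCP counters are all constructed assumptions for this illustration, not values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed scanner cutoff on the work weight (not stated on the page).
SCANNER_THRESHOLD = 0.9


@dataclass
class HostStats:
    """Per-host sub-tuple: TCP counters gathered for one IRC host."""
    syns_sent: int
    fins_sent: int
    rsts_recv: int
    total_pkts: int

    def work_weight(self) -> float:
        # Assumed definition: fraction of the host's TCP packets that are
        # control packets (SYNs sent, FINs sent, RSTs received). A host that
        # mostly emits SYNs and collects RSTs behaves like a scanner.
        if self.total_pkts == 0:
            return 0.0
        return (self.syns_sent + self.fins_sent + self.rsts_recv) / self.total_pkts


def is_scanner(stats: HostStats, threshold: float = SCANNER_THRESHOLD) -> bool:
    return stats.work_weight() >= threshold


def build_channel_tuples(joins):
    """Channel tuple: map each IRC channel name to the set of hosts seen in it."""
    channels = defaultdict(set)
    for host, channel in joins:
        channels[channel].add(host)
    return channels


def rank_channels(joins, stats, threshold: float = SCANNER_THRESHOLD):
    """Return (channel, scanner_count, host_count), most scanners first.

    Channels whose members mostly have a high work weight rise to the top of
    the list, which is the sorted list of potential botnets the abstract
    describes. Hosts with no TCP record count as non-scanners.
    """
    channels = build_channel_tuples(joins)
    ranked = []
    for channel, hosts in channels.items():
        scanners = sum(
            1 for h in hosts
            if is_scanner(stats.get(h, HostStats(0, 0, 0, 0)), threshold)
        )
        ranked.append((channel, scanners, len(hosts)))
    # Most scanners first; channel name breaks ties deterministically.
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample input: (host, channel) pairs observed from IRC JOINs.
JOINS = [
    ("10.0.0.1", "#ops"), ("10.0.0.2", "#ops"), ("10.0.0.3", "#ops"),
    ("10.0.0.4", "#chat"), ("10.0.0.5", "#chat"), ("10.0.0.3", "#chat"),
    ("10.0.0.6", "#bot"), ("10.0.0.7", "#bot"),
]

# Constructed per-host TCP counters (syns_sent, fins_sent, rsts_recv, total_pkts).
TCP_STATS = {
    "10.0.0.1": HostStats(950, 0, 40, 1000),     # mostly SYNs: scanner
    "10.0.0.2": HostStats(1800, 50, 100, 2000),  # scanner
    "10.0.0.3": HostStats(30, 20, 10, 5000),     # normal client
    "10.0.0.4": HostStats(0, 0, 0, 0),           # idle host
    "10.0.0.5": HostStats(100, 100, 0, 10000),   # normal client
    "10.0.0.6": HostStats(990, 0, 0, 1000),      # scanner
    "10.0.0.7": HostStats(40, 40, 5, 8000),      # normal client
}

if __name__ == "__main__":
    for channel, scanners, hosts in rank_channels(JOINS, TCP_STATS):
        print(f"{channel:8} scanners={scanners} hosts={hosts}")
```

Running it prints #ops first (two of three members scanning), then #bot, then #chat. In a real deployment the two tuples would be refreshed per sampling interval from passive IRC and TCP observation, and the threshold would be tuned against the site's baseline of legitimate IRC users.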

James R. Binkley, Portland State University

Suresh Singh, Portland State University

BibTeX
@inproceedings {268936,
author = {James R. Binkley and Suresh Singh},
title = {An Algorithm for Anomaly-based Botnet Detection},
booktitle = {2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06)},
year = {2006},
address = {San Jose, CA},
url = {https://www.usenix.org/conference/sruti-06/algorithm-anomaly-based-botnet-detection},
publisher = {USENIX Association},
month = jul
}

Links

Paper: http://usenix.org/event/sruti06/tech/full_papers/binkley/binkley.pdf
Paper (HTML): http://usenix.org/event/sruti06/tech/full_papers/binkley/binkley_html/index.html