Extracting Probable Command and Control Signatures for Detecting Botnets


Ali Zand, Giovanni Vigna, Xifeng Yan, Christopher Kruegel


Proceedings of the 29th Annual ACM Symposium on Applied Computing (SAC), March 2014


Botnets, which are networks of compromised machines under the control of a single malicious entity, are a serious threat to online security. The fact that botnets, by definition, receive their commands from a single entity can be leveraged to fight them. To this end, one requires techniques that can detect command and control (C&C) traffic, as well as the servers that host C&C services. Given the knowledge of a C&C server's IP address, one can use this information to detect all hosts that attempt to contact such a server, and subsequently disinfect, disable, or block the infected machines. This information can also be used by law enforcement to take down the C&C server. In this paper, we present a new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system. This approach works in two steps. First, we extract all frequent strings seen in the network traffic. Second, we use a function that assigns a score to each string. This score represents the likelihood that the string is indicative of C&C traffic. This function allows us to rank strings and focus our attention on those that likely represent good C&C signatures. We apply our technique to almost 2.6 million network connections produced by running more than 1.4 million malware samples. Using our technique, we were able to automatically extract a set of signatures that are able to identify C&C traffic. Furthermore, we compared our signatures with those used by existing tools, such as Snort and BotHunter.


  title     = {{Extracting Probable Command and Control Signatures for Detecting Botnets}},
  author    = {Zand, Ali and Vigna, Giovanni and Yan, Xifeng and Kruegel, Christopher},
  booktitle = {Proceedings of the 29th Annual ACM Symposium on Applied Computing},
  series    = {SAC},
  year      = {2014},
  address   = {New York, NY, USA},
  doi       = {10.1145/2554850.2554896},
  isbn      = {978-1-4503-2469-4},
  pages     = {1657--1662},
  publisher = {ACM},
  url       = {http://dx.doi.org/10.1145/2554850.2554896}