ABSTRACT:
Most of the attacks and fraudulent activities on the Internet are
carried by malware. In particular, botnets have become the primary
"platforms" for attacks on the Internet. A botnet is a network of
compromised computers (or, bots) that are under the control of an
attacker (or, botmaster). A botnet typically has tens to hundreds of
thousands of bots, but some have had several million. Botnets are
now used for distributed denial-of-service attacks, spam, phishing,
information theft, etc. With the magnitude and the potency of attacks
afforded by their combined bandwidth and processing power, botnets are
now considered the largest threat to Internet security.
In this talk, I focus on addressing the botnet detection problem in an
enterprise-like network environment. I present a correlation-based
framework for botnet detection that consists of detection technologies
already demonstrated in several systems (BotHunter, BotSniffer,
BotMiner, and BotProber). The common thread of these systems is
correlation analysis (vertical correlation, horizontal correlation,
and cause-effect correlation). I will mainly discuss BotHunter,
BotSniffer, BotMiner and their corresponding correlation
techniques/algorithms in this talk. These systems have been evaluated
in live networks and/or real-world network traces, and the results
show that they can detect real-world botnets with a very low false
positive rate.
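A simplified illustration of the horizontal-correlation idea, added here as an example (not the code of BotSniffer, BotMiner or any of the systems named above): several internal hosts contacting the same external server with similarly regular timing is a group-level signal that no single host's traffic gives on its own. The flow records, thresholds and the coefficient-of-variation test are assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for this example: (timestamp_s, internal_src, external_dst).
# Hosts .1-.3 contact 203.0.113.5 about every 60 s (an assumed C&C-like pattern);
# .4 and .5 browse 198.51.100.7 irregularly; .6 beacons regularly but alone.
FLOWS = [
    (0, "10.0.0.1", "203.0.113.5"), (60, "10.0.0.1", "203.0.113.5"),
    (120, "10.0.0.1", "203.0.113.5"), (180, "10.0.0.1", "203.0.113.5"),
    (5, "10.0.0.2", "203.0.113.5"), (65, "10.0.0.2", "203.0.113.5"),
    (125, "10.0.0.2", "203.0.113.5"), (185, "10.0.0.2", "203.0.113.5"),
    (10, "10.0.0.3", "203.0.113.5"), (71, "10.0.0.3", "203.0.113.5"),
    (130, "10.0.0.3", "203.0.113.5"), (190, "10.0.0.3", "203.0.113.5"),
    (3, "10.0.0.4", "198.51.100.7"), (40, "10.0.0.4", "198.51.100.7"),
    (200, "10.0.0.4", "198.51.100.7"), (210, "10.0.0.4", "198.51.100.7"),
    (12, "10.0.0.5", "198.51.100.7"), (15, "10.0.0.5", "198.51.100.7"),
    (300, "10.0.0.5", "198.51.100.7"),
    (7, "10.0.0.6", "192.0.2.9"), (67, "10.0.0.6", "192.0.2.9"),
    (127, "10.0.0.6", "192.0.2.9"), (187, "10.0.0.6", "192.0.2.9"),
]


def beacon_cv(timestamps):
    """Coefficient of variation of the gaps between connections; None if too few flows.
    A low value means the host talks to the destination on a regular schedule."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def horizontal_correlation(flows, min_hosts=3, max_cv=0.2):
    """Return {dst: sorted hosts} for destinations that at least min_hosts internal
    hosts contact with regular timing: the group, not any single host, is the signal."""
    per_pair = defaultdict(list)
    for t, src, dst in flows:
        per_pair[(src, dst)].append(t)
    regular = defaultdict(list)
    for (src, dst), ts in per_pair.items():
        cv = beacon_cv(ts)
        if cv is not None and cv <= max_cv:
            regular[dst].append(src)
    return {dst: sorted(hosts) for dst, hosts in regular.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for dst, hosts in horizontal_correlation(FLOWS).items():
        print(f"suspect group -> {dst}: {', '.join(hosts)}")
```

The lone regular host talking to 192.0.2.9 is not reported, which is the point of correlating across hosts: a single periodic connection is common in benign traffic, while a crowd of hosts sharing the same schedule to the same server is much rarer.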
BIO:
Guofei Gu is an assistant professor in the Department of Computer
Science & Engineering at Texas A&M University. Before coming to Texas
A&M, he received his Ph.D. degree in Computer Science from the College
of Computing, Georgia Tech. His research interests are in network and
system security; specifically intrusion detection, web security, and
malware detection, defense and analysis. Further information is
available at http://faculty.cse.tamu.edu/guofei.