Leveraging Controlled Information Sharing for Botnet Activity Detection. Ardi, C. & Heidemann, J. In Proceedings of the ACM SIGCOMM Workshop on Traffic Measurements for Cybersecurity, pages 14–20, Budapest, Hungary, August, 2018. ACM.
Today's malware often relies on DNS to enable communication with command-and-control (C&C). As defenses that block traffic improve, malware use sophisticated techniques to hide this traffic, including "fast flux" names and Domain-Generation Algorithms (DGAs). Detecting this kind of activity requires analysis of DNS queries in network traffic, yet these signals are sparse. As bot countermeasures grow in sophistication, detecting these signals increasingly requires the synthesis of information from multiple sites. Yet sharing security information across organizational boundaries to date has been infrequent and ad hoc because of unknown risks and uncertain benefits. In this paper, we take steps towards formalizing cross-site information sharing and quantifying the benefits of data sharing. We use a case study on DGA-based botnet detection to evaluate how sharing cybersecurity data can improve detection sensitivity and allow the discovery of malicious activity with greater precision.
@InProceedings{Ardi18a,
	author          = "Calvin Ardi and John Heidemann",
	title           = "Leveraging Controlled Information Sharing for Botnet Activity Detection",
	booktitle       = "Proceedings of the " # "{ACM} SIGCOMM Workshop on Traffic Measurements for Cybersecurity",
	year            = 2018,
	sortdate        = "2018-08-19",
	project         = "ant, retrofuturebridge, lacanic",
	jsubject        = "network_observation",
	month           = aug,
	pages           = "14--20",
	address         = "Budapest, Hungary",
	publisher       = "ACM",
	location        = "johnh: pafile",
	keywords        = "retro-future, cross-organization data sharing",
	doi             = "https://doi.org/10.1145/3229598.3229602",
	url             = "https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.html",
	pdfurl          = "https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.pdf",
	blogurl         = "https://ant.isi.edu/blog/?p=1239",
	authorizeurl    = "https://dl.acm.org/authorize?N666558",
	copyrightholder = "authors",
	myorganization  = "USC/Information Sciences Institute",
	abstract        = "
Today's malware often relies on DNS to enable communication with
command-and-control (C&C). As defenses that block traffic improve, malware use
sophisticated techniques to hide this traffic, including ``fast flux'' names
and Domain-Generation Algorithms (DGAs). Detecting this kind of activity
requires analysis of DNS queries in network traffic, yet these signals are
sparse. As bot countermeasures grow in sophistication, detecting these signals
increasingly requires the synthesis of information from multiple sites. Yet
\emph{sharing security information across organizational boundaries} to date
has been infrequent and ad hoc because of unknown risks and uncertain benefits.
In this paper, we take steps towards formalizing cross-site information sharing
and quantifying the benefits of data sharing. We use a case study on DGA-based
botnet detection to evaluate how sharing cybersecurity data can improve
detection sensitivity and allow the discovery of malicious activity with
greater precision.",
}