Guilt by Association-Based Discovery of Botnet Footprints

Abstract : In this paper, we describe a Guilt-by-Association approach to determining botnet footprint starting from a subset of known domains belonging to a specific botnet, and demonstrate our approach using recent botnets. Our empirical results leverage the botnet database that we have collected over a period of 12 months with our real-time fast flux network detection algorithm [1]. Botnets exploit a network of compromised machines (zombies) for illegal activities such as Distributed Denial of Service (DDoS) attacks, spam campaigns, phishing scams and malware delivery using DNS record manipulation techniques. Our results, which build upon our behaviour [2] and social network analysis [3] results, show that it is possible to identify a large portion of a botnet once a small segment of that botnet is identified through manual means, and to explain the differences in botnet footprint prediction using our proposed connectivity metric.