A graph-theoretic framework for isolating botnets in a network

Padmini Jaikumar, Purdue University

Abstract

We present a new graph-theoretic approach to the detection and isolation of botnets in a computer network. Since our approach depends primarily on the temporal co-occurrences of malicious activities across the computers in a network, it is independent of botnet architectures and the means used for their command and control. As practically all aspects of how a botnet manifests itself in a network can be expected to vary significantly with time, our approach includes mechanisms that allow the graph representing the infected computers to evolve with time. With regard to how such a graph varies with time, of particular importance are the edge weights that are derived from the temporal co-occurrences of malicious activities at the end-points of the edges. A unique advantage of our graph-based representation of the infected computers is that it allows us to use graph partitioning algorithms to separate out the different botnets when a network is infected with multiple botnets at the same time. We have validated our approach by applying it to the isolation of simulated botnets, with the simulations based on a new unified temporal botnet model that incorporates the current-best understanding in the research community about how botnets behave, about the lifetimes of the bots, and about the growth and decay of the botnets. We additionally validate our algorithm on real traces. Our results indicate that our framework can isolate botnets in a network under varying conditions with a high degree of accuracy.

Degree

M.S.E.C.E.

Advisors

Kak, Purdue University.

Subject Area

Computer Engineering; Computer science
