Leveraging Controlled Information Sharing for Botnet Activity Detection
Calvin Ardi and John Heidemann
USC/Information Sciences Institute

Citation

Calvin Ardi and John Heidemann. Leveraging Controlled Information Sharing for Botnet Activity Detection. Proceedings of the ACM SIGCOMM Workshop on Traffic Measurements for Cybersecurity (Budapest, Hungary, Aug. 2018), 14–20.

Bibtex Citation

@inproceedings{Ardi18a,
  author = {Ardi, Calvin and Heidemann, John},
  title = {Leveraging Controlled Information Sharing for Botnet Activity Detection},
  booktitle = {Proceedings of the {ACM} SIGCOMM Workshop on Traffic Measurements for Cybersecurity},
  year = {2018},
  sortdate = {2018-08-19},
  project = {ant, retrofuturebridge, lacanic},
  jsubject = {network_observation},
  month = aug,
  pages = {14--20},
  address = {Budapest, Hungary},
  publisher = {ACM},
  jlocation = {johnh: pafile},
  keywords = {retro-future, cross-organization data sharing},
  doi = {10.1145/3229598.3229602},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Ardi18a.pdf},
  blogurl = {https://ant.isi.edu/blog/?p=1239},
  authorizeurl = {https://dl.acm.org/authorize?N666558},
  copyrightholder = {authors},
  myorganization = {USC/Information Sciences Institute},
  xabstract = {Today's malware often relies on DNS to enable communication with command-and-control (C&C). As defenses that block traffic improve, malware uses sophisticated techniques to hide this traffic, including ``fast flux'' names and Domain-Generation Algorithms (DGAs). Detecting this kind of activity requires analysis of DNS queries in network traffic, yet these signals are sparse. As bot countermeasures grow in sophistication, detecting these signals increasingly requires the synthesis of information from multiple sites. Yet \emph{sharing security information across organizational boundaries} to date has been infrequent and ad hoc because of unknown risks and uncertain benefits. In this paper, we take steps towards formalizing cross-site information sharing and quantifying the benefits of data sharing. We use a case study on DGA-based botnet detection to evaluate how sharing cybersecurity data can improve detection sensitivity and allow the discovery of malicious activity with greater precision.}
}
Copyright © by John Heidemann