Abstract
Botnets are collections of infected computers that are controlled centrally by a botmaster, often for sending spam or launching denial of service attacks. Taking down these botnets is often a cat and mouse game, with operators frequently changing the domains of their control infrastructure. More recently, operators have moved to using Tor, a pseudo-anonymous network for hosting services in which identification is difficult. Additionally, because connections to the Tor network are encrypted, we cannot use traditional methods like Domain Name System (DNS) and traffic signatures to detect infected hosts. In this paper, we introduce TorBot Stalker: the first mechanism for detecting, de-anonymizing, and destroying Tor botnets. We use machine learning to analyse and fingerprint the timings and frequency of Tor network circuit data when routing botnet traffic, and build a detection mechanism that is able to identify infected hosts at the Tor network border, in real time, while preserving the privacy of legitimate users. TorBot Stalker can be implemented at any node in the Tor network and can differentiate between botnets and legitimate applications like Internet Relay Chat (IRC) coming from the same host. Experimental data demonstrates an accuracy of 99% with few false positives. We then apply the technique at the entry to the Tor network to measure the fraction of traffic that is botnet traffic. We observed that TorBot Stalker is able to de-anonymize real botnets in the Tor network and further identify infected hosts and control servers.
Original language | English |
---|---|
Title of host publication | 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA) |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1-8 |
Number of pages | 8 |
ISBN (Electronic) | 978-1-5386-7659-2, 978-1-5386-7658-5 |
ISBN (Print) | 978-1-5386-7660-8 |
Publication status | Published - 29 Nov 2018 |
Event | 17th IEEE Networking and Computing Applications Conference 2018 - Cambridge, United States Duration: 1 Nov 2018 → 3 Nov 2018 http://www.ieee-nca.org/2018/ |
Conference
Conference | 17th IEEE Networking and Computing Applications Conference 2018 |
---|---|
Abbreviated title | IEEE NCA |
Country/Territory | United States |
City | Cambridge |
Period | 1/11/18 → 3/11/18 |
Keywords
- Tor
- botnet
- Machine Learning
- malware
- Intrusion Detection
Fingerprint
Dive into the research topics of 'TorBot Stalker: detecting Tor botnets through intelligent circuit data analysis'. Together they form a unique fingerprint.
Prizes
- Best Paper Award at the 17th IEEE Networking and Computing Applications Conference (IEEE NCA) 2018
Fajana, Oluwatobi (Recipient), Owenson, Gareth (Recipient) & Haig, Ella (Recipient), 2018
Prize: Prize (including medals and awards)