Botnet Detection Using Stream Processing

Project Goal:
Analyze large distributed network traffic streams in real-time to detect advanced Botnets.


Botnets represent a huge threat with millions of internet-connected machines involved. The use of Botnets extends well beyond SPAM and DDoS – and their use as a major component in cyber-crime, corporate espionage, and even modern cyber warfare is foreseeable.

An underground economy exists providing pay-per-use access to Botnets for criminal activity. At the same time, Botnets are evolving to make detection of nodes much more difficult (Fast flux networks, P2P, encryption). Our initial research projects involved examining NetFlow logs to look for possible signatures of Botnet activity. Ongoing work explores analytics to detect Fast Flux and P2P-based Botnets.

The example below shows a screenshot of our initial prototype based on NetFlow data to detect conventional C&C (command-and-control) based Botnets and the 1st and 2nd degree nodes that they control.

Last updated 9 Feb 2009

Research labs involved