diff --git a/bibliography.bib b/bibliography.bib
index 6213d583..586b25b8 100644
--- a/bibliography.bib
+++ b/bibliography.bib
@@ -24,6 +24,35 @@
 file = {Full Text:/home/me/Zotero/storage/PFXP8NLV/Zhang et al. - 2014 - Building a Scalable System for Stealthy P2P-Botnet.pdf:application/pdf}
 }
+@inproceedings{bib:botgrep2010,
+ author = {Nagaraja, Shishir and Mittal, Prateek and Hong, Chi-Yao and Caesar, Matthew and Borisov, Nikita},
+ title = {BotGrep: Finding P2P Bots with Structured Graph Analysis},
+ year = {2010},
+ isbn = {8887666655554},
+ publisher = {USENIX Association},
+ address = {USA},
+ abstract = {A key feature that distinguishes modern botnets from earlier counterparts is their increasing use of structured overlay topologies. This lets them carry out sophisticated coordinated activities while being resilient to churn, but it can also be used as a point of detection. In this work, we devise techniques to localize botnet members based on the unique communication patterns arising from their overlay topologies used for command and control. Experimental results on synthetic topologies embedded within Internet traffic traces from an ISP's backbone network indicate that our techniques (i) can localize the majority of bots with low false positive rate, and (ii) are resilient to incomplete visibility arising from partial deployment of monitoring systems and measurement inaccuracies from dynamics of background traffic.},
+ booktitle = {Proceedings of the 19th USENIX Conference on Security},
+ pages = {7},
+ numpages = {1},
+ location = {Washington, DC},
+ series = {USENIX Security'10},
+}
+
+@inproceedings{bib:botminer2008,
+ author = {Gu, Guofei and Perdisci, Roberto and Zhang, Junjie and Lee, Wenke},
+ title = {BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection},
+ year = {2008},
+ publisher = {USENIX Association},
+ address = {USA},
+ abstract = {Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. 
Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.},
+ booktitle = {Proceedings of the 17th Conference on Security Symposium},
+ pages = {139–154},
+ numpages = {16},
+ location = {San Jose, CA},
+ series = {SS'08},
+}
+
 @incollection{bib:kim_survey_2012,
 location = {Dordrecht},
 title = {A Survey on P2P Botnet Detection},
@@ -53,7 +82,7 @@
 archivedate = {2021-10-25}
 }
-@online{bib:fbi_takedown_2014,
+@online{bib:fbiTakedown2014,
 title = {Taking Down Botnets},
 organization = {Federal Bureau of Investigation},
 author = {Joseph Demarest},
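Review bot: Both new entries carry `address = {USA}` next to a `location` field; this file is evidently processed by biblatex/Biber (`@online`, `archivedate`, and `location` on the neighbouring kim_survey entry), where `address` is only an alias of `location`, so Biber warns that both are defined and drops one of them — delete `address = {USA}` in bib:botgrep2010 and bib:botminer2008, since a publisher's country is not a location anyway. `isbn = {8887666655554}` in bib:botgrep2010 is not a valid ISBN-13 (no 978/979 prefix and the check digit does not verify) and, together with `pages = {7}` / `numpages = {1}` for a full-length paper, looks like a digital-library export placeholder; drop the ISBN and confirm the page data against the PDF added as references/2010-botgrep.pdf. In bib:botminer2008, `pages = {139–154}` uses a literal en dash where BibTeX expects `pages = {139--154}`, and the abstract contains unescaped `&` in `C&C`, which fails to compile under any style that prints abstracts — write `C\&C`. The `series` values `USENIX Security'10` and `SS'08` are venue nicknames rather than book series and will render as such; consider dropping them.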
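Review bot: Renaming the key to `bib:fbiTakedown2014` breaks every `\cite{bib:fbi_takedown_2014}` that is not updated in the same commit, and no .tex change is visible here — if the document is not updated alongside, keep the old key reachable with `ids = {bib:fbi_takedown_2014},` on the entry, which biblatex accepts as a key alias. The new camelCase key also introduces a third naming scheme next to `bib:kim_survey_2012` and the just-added `bib:botgrep2010` in the same file; pick one convention (for example lowercase `bib:fbi2014takedown`, matching the new entries) rather than mixing them.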
diff --git a/references/2008-botminer.pdf b/references/2008-botminer.pdf
new file mode 100644
index 00000000..32bb0af2
Binary files /dev/null and b/references/2008-botminer.pdf differ
diff --git a/references/2010-botgrep.pdf b/references/2010-botgrep.pdf
new file mode 100644
index 00000000..92688656
Binary files /dev/null and b/references/2010-botgrep.pdf differ