Efficient Detection of Bots in Subscribersapos; Computers
Brustoloni, J.; Farnan, N.; Villamarin-Salomon, R.; Kyle, D.
Communications, 2009. ICC apos;09. IEEE International Conference on
Volume , Issue , 14-18 June 2009 Page(s):1 - 6
Digital Object Identifier 10.1109/ICC.2009.5198970
Summary:We investigate how an ISP can efficiently detect bots in its subscribers' computers, possibly as a value-added service or to prevent collateral damage to its infrastructure. By causing an ISP's email servers and network links to get clogged or blacklisted, bots reduce the quality of service the ISP provides to its subscribers. We describe DNS Flagger, a novel device for ISP bot detection, and evaluate its efficiency. DNS flagger matches subscribers' DNS traffic against IP and DNS signatures. In real-time experiments, we found that, on average, major anti-virus programs (AVs) detected only 59% of freshly caught bots, while DNS Flagger detected 73.1% or 91% of those bots, respectively on hosts that do not or do also have a major AV. There were no false alarms. Because its processing involves only a small fraction of all network traffic and can be performed at very high speed, a single DNS flagger can handle hundreds of thousands of subscribers.
View citation and abstract |
Cart
