Summary
This paper looks for correlations in bot activity to detect and stop botnet account registrations. The design uses two methods for detecting botnets: aggressive signup detection and detection of logins to the same accounts from many different ASes.
The aggressive signup detection uses an exponentially weighted moving average (EWMA) of signups. If the number of signups jumps unexpectedly, the system assumes the jump may be due to bot activity. This assumes that bot owners cannot slowly ramp up the signup rate, because of the high churn of bot machines.
BotGraph also detects "stealthy bot-accounts." These are groups of bots that operate in a collaborative way. The authors assume that collaborative bots will log in to a small number of accounts from many locations. This is justified by the fact that aggressive signup detection limits the number of available accounts. The proposed technique creates a graph of users with an edge weight equal to the number of ASes both users have logged in from. They use this to look for clusters of users with high edge weights; these usually indicate bot accounts.
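The two detectors described above, as an added example that is not code from the paper or from this post: an EWMA check over hourly signup counts, and a user graph whose edge weight is the number of ASes two users share, pruned and clustered. The login records, signup counts and thresholds (alpha, factor, min_shared) are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: hourly signup counts with one sudden spike,
# and (user, asn) login records where three accounts share the same ASes.
SIGNUPS_PER_HOUR = [10, 12, 11, 13, 12, 90, 11]
LOGINS = [
    ("alice", 7018), ("alice", 701), ("bob", 7018), ("carol", 3356),
    ("bot1", 100), ("bot1", 200), ("bot1", 300),
    ("bot2", 100), ("bot2", 200), ("bot2", 300),
    ("bot3", 100), ("bot3", 200), ("bot3", 300),
]

def ewma_signup_alerts(counts, alpha=0.3, factor=3.0, warmup=3):
    """Return indices of windows whose count exceeds factor * EWMA of the
    previous windows (the 'aggressive signup' signal). The first `warmup`
    windows only train the average. alpha/factor are assumed parameters."""
    avg, alerts = None, []
    for i, c in enumerate(counts):
        if avg is not None and i >= warmup and c > factor * avg:
            alerts.append(i)
        avg = c if avg is None else alpha * c + (1 - alpha) * avg
    return alerts

def shared_as_graph(logins, min_shared=2):
    """Build the user graph: edge weight = number of ASes both users logged in
    from. Edges below min_shared are dropped so normal users who happen to
    share one ISP do not get linked."""
    user_ases = defaultdict(set)
    for user, asn in logins:
        user_ases[user].add(asn)
    edges = {}
    for u, v in combinations(sorted(user_ases), 2):
        w = len(user_ases[u] & user_ases[v])
        if w >= min_shared:
            edges[(u, v)] = w
    return edges

def connected_clusters(edges):
    """Connected components of the pruned graph; each is a candidate bot group."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, clusters = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        clusters.append(frozenset(comp))
    return clusters
```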
Thoughts
This paper makes many assumptions about the limitations of botnets. For example, I am not convinced that it is impossible to ramp up account creation from one node slowly enough to avoid the EWMA limit. Similarly, bot owners could simply assign one account per bot or one account per AS to defeat the stealthy bot detection algorithm. While the proposed techniques probably work well now, I suspect that when deployed widely botnets will adapt and overcome these protections.
Wednesday, December 16, 2009