Unfortunately, cyber crime has become a business. In contrast to the Internet security situation ten years ago, most significant Internet attacks today aim to make a financial profit. A popular and effective tool of criminals for sending spam, stealing data, and launching attacks is the so-called bot: a type of malware written with the intent of compromising and taking control of hosts on the Internet. The main characteristic that distinguishes a bot from other types of malware is that a bot establishes a command and control (C&C) channel to a server operated by the attacker, over which it receives instructions.
The goal of this project is to develop novel techniques and tools to detect malicious connections from compromised machines to the C&C servers of botnets. The key insight is that, when very large volumes of netflow and DNS data are examined over an extended period of time, connection attempts to benign and to malicious addresses should exhibit enough differences in behavior that they can be automatically distinguished. A key challenge in this project is to identify the behavioral features that allow connections exhibiting botnet-like behavior to be detected.
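To make the idea concrete, the following is an added illustration (not code from the project, and not the features the project will eventually select): it computes a few plausible per-connection behavioral features from constructed netflow-style and DNS-style records and flags source/destination pairs that look bot-like. The features (regularity of connection timing, uniformity of bytes sent, and the rate of failed DNS lookups by the source host) and the thresholds are assumptions chosen for the example; the IP addresses and domain names are constructed sample data, not observed traffic.

```python
"""Illustrative C&C connection scoring over constructed netflow and DNS records.

Added example only: the features, thresholds and sample data are assumptions
for illustration, not the project's published method or real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed netflow-style records: (start_time_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # 10.0.0.5 contacts 198.51.100.7 every 300 s with near-identical byte counts
    *[(t, "10.0.0.5", "198.51.100.7", 443, 512 + (i % 3))
      for i, t in enumerate(range(0, 3000, 300))],
    # 10.0.0.8 browses a web server at irregular intervals with varying sizes
    (12, "10.0.0.8", "203.0.113.10", 443, 4100),
    (47, "10.0.0.8", "203.0.113.10", 443, 23000),
    (48, "10.0.0.8", "203.0.113.10", 443, 900),
    (910, "10.0.0.8", "203.0.113.10", 443, 77000),
    (1500, "10.0.0.8", "203.0.113.10", 443, 1800),
]

# Constructed DNS-style records: (client_ip, qname, rcode)
DNS = [
    ("10.0.0.5", "kq3xz8.example", "NXDOMAIN"),
    ("10.0.0.5", "r7p0wd.example", "NXDOMAIN"),
    ("10.0.0.5", "m2ce1v.example", "NXDOMAIN"),
    ("10.0.0.5", "ztq94a.example", "NXDOMAIN"),
    ("10.0.0.5", "b8xn2l.example", "NXDOMAIN"),
    ("10.0.0.5", "c2.example", "NOERROR"),
    ("10.0.0.8", "www.example", "NOERROR"),
    ("10.0.0.8", "static.example", "NOERROR"),
    ("10.0.0.8", "api.example", "NOERROR"),
    ("10.0.0.8", "cdn.example", "NOERROR"),
]


def _cv(values):
    """Coefficient of variation; a low value means a very regular series."""
    if len(values) < 2 or mean(values) <= 0:
        return float("inf")
    return pstdev(values) / mean(values)


def flow_features(flows):
    """Per (src, dst) pair: flow count, timing regularity, and size regularity."""
    by_pair = defaultdict(list)
    for t, src, dst, _dport, nbytes in flows:
        by_pair[(src, dst)].append((t, nbytes))
    feats = {}
    for pair, recs in by_pair.items():
        recs.sort()
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[pair] = {
            "n_flows": len(recs),
            "gap_cv": _cv(gaps),    # near 0 for fixed-interval beaconing
            "size_cv": _cv(sizes),  # near 0 for fixed-size check-ins
        }
    return feats


def dns_features(dns):
    """Per client: fraction of lookups that failed with NXDOMAIN."""
    counts = defaultdict(lambda: [0, 0])  # client -> [total, nxdomain]
    for client, _qname, rcode in dns:
        counts[client][0] += 1
        if rcode == "NXDOMAIN":
            counts[client][1] += 1
    return {c: nx / total for c, (total, nx) in counts.items()}


def score_pairs(flows, dns, min_flows=5, max_gap_cv=0.2,
                max_size_cv=0.2, min_nx_rate=0.5):
    """Flag (src, dst) pairs that show at least two bot-like indicators.

    Thresholds are illustrative assumptions; a real system would learn them
    from labeled data rather than fix them by hand.
    """
    nx_rate = dns_features(dns)
    flagged = {}
    for (src, dst), f in flow_features(flows).items():
        reasons = []
        if f["n_flows"] >= min_flows and f["gap_cv"] <= max_gap_cv:
            reasons.append("periodic connection timing")
        if f["n_flows"] >= min_flows and f["size_cv"] <= max_size_cv:
            reasons.append("uniform bytes sent")
        if nx_rate.get(src, 0.0) >= min_nx_rate:
            reasons.append("high NXDOMAIN rate on source host")
        if len(reasons) >= 2:
            flagged[(src, dst)] = reasons
    return flagged


if __name__ == "__main__":
    for pair, reasons in score_pairs(FLOWS, DNS).items():
        print(pair, "->", ", ".join(reasons))
```

Run stand-alone, the script flags only the 10.0.0.5 to 198.51.100.7 pair (regular timing, uniform sizes, and a high failed-lookup rate on the source), while the irregular browsing from 10.0.0.8 is left alone. The point of the illustration is that each feature is computed from records that are routinely collected at network scale, without inspecting payloads.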
The ability to identify malicious C&C connections, and potentially to block and disrupt the communication between attackers and their bots, presents rich opportunities for industrial and societal impact. Furthermore, the research will have a broad effect through education and outreach. The PI will seek broad dissemination of research results through both top publications and industry connections.