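% Conference paper (ICC 2010) on detecting IRC botnets from the packet size
% sequence of zombie-to-C&C TCP conversations, using a quasi-periodicity
% measure and average packet size.
% The citation key is an opaque identifier; it is kept unchanged so that
% existing citations keep resolving.
% Pages and publisher are not recorded in this entry; add them from the
% DOI landing page when known.
% Field notes: the acronym in the title is brace-protected so sentence-casing
% styles do not lowercase it; names use the unambiguous "Last, First" form;
% the language value is written in ASCII so classic 8-bit BibTeX can read it.
@inproceedings{da6ae2f25ede46b98f9927045043f78b,
  author    = {Ma, Xiaobo and Guan, Xiaohong and Tao, Jing and Zheng, Qinghua and Guo, Yun and Liu, Lu and Zhao, Shuang},
  title     = {A novel {IRC} botnet detection method based on packet size sequence},
  booktitle = {2010 {IEEE} International Conference on Communications, {ICC} 2010},
  series    = {{IEEE} International Conference on Communications},
  year      = {2010},
  isbn      = {9781424464043},
  doi       = {10.1109/ICC.2010.5502092},
  language  = {english},
  keywords  = {Botnet, IRC, Quasi-periodicity, Ukkonen},
  note      = {2010 IEEE International Conference on Communications, ICC 2010 ; Conference date: 23-05-2010 Through 27-05-2010},
  abstract  = {Botnets have become a serious threat to Internet and are often deployed to control a large pool of zombies and perform notorious activities such as DDoS, information theft and spam sending. In this paper, a new method is developed for detecting IRC botnets by analyzing the characteristic of packet size sequence of the TCP conversation between IRC zombies and their command and control (C\&C) servers. In comparison with IRC chat, the TCP conversations within IRC botnets show a nature of approximate periodicity defined as quasi-periodicity in this paper. A simple yet effective detection method is presented to detect IRC botnets by measuring the quasi-periodicity degree and packet average size of IRC conversations based on ukkonen algorithm. We evaluated our method using real-world IRC botnet traces captured from honeynet. The results show that our method can detect real-world IRC botnets from IRC traffic with high accuracy and has a low false positive rate.},
}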