College of Engineering and Computing

Invited Talk:
Internet Malware Detection in Enterprise Networks

Speaker: Guofei Gu
When: Wednesday, Feb 6th, 2008
Time: 2:00pm
Where: ECS 243

Abstract:
Over the last decade, malicious software, or malware, has risen to become a primary source of most of the scanning, spamming, (distributed) denial-of-service (DoS) activities, and direct attacks taking place across the Internet. Internet malware keeps evolving in form, e.g., worms and botnets. Among the various forms of malware, botnets in particular have recently distinguished themselves to be among the premier threats to computing assets. Botnets are effectively a collection of slave computing and data assets to be sold or traded for a variety of illicit activities, including information and computing resource theft, spam production, hosting phishing attacks, or mounting DDoS attacks. The magnitude of bot armies and the potency of attacks afforded by their combined bandwidth and processing power have led to a recognition of botnets as the largest threats to Internet security nowadays.

In this talk, I focus on addressing botnet detection in enterprise-like network environments. I present a correlation-based framework for botnet detection in the context of several systems (BotHunter, BotSniffer, BotMiner, and BotProbe) and several correlation techniques (vertical correlation, horizontal correlation, and cause-effect correlation). I will mainly discuss BotHunter, BotSniffer, and their corresponding correlation techniques in this talk. All four of these systems are evaluated in live networks and/or real-world traces, and they can detect real-world botnets with a very low false positive rate. As an example of my research impact, BotHunter is made available for public download, and in the first five months after release it already has more than 6,000 downloads. In addition, it is now being transitioned into several product companies.

Biography:
Guofei Gu is a Ph.D. candidate in the College of Computing at Georgia Tech, where he is affiliated with the Georgia Tech Information Security Center and the Center for Experimental Research in Computer Systems. His research interests are in network and system security, specifically intrusion detection and malware detection, defense, and analysis.

© 2008 School of Computing and Information Sciences @ FIU