Various types of malicious software, such as viruses, worms and Trojan horses, are used for conducting illegitimate operations in computer systems. Malicious software may be used, for example, for causing damage to data or equipment, or for extracting or modifying data. Some types of malicious software communicate with a remote host, for example for Command and Control (C&C) purposes.
Various techniques for detecting malicious software are known in the art. For example, Rieck et al. describe methods for detecting malicious software at a point when it initiates contact with its maintainer, in “Botzilla: Detecting the ‘Phoning Home’ of Malicious Software,” Proceedings of the ACM Symposium on Applied Computing (SAC), Sierre, Switzerland, Mar. 22-26, 2010, which is incorporated herein by reference.
Jacob et al. describes a system for identifying C&C connections, in “JACKSTRAWS: Picking Command and Control Connections from Bot Traffic,” Proceedings of the 20th Usenix Security Symposium, San Francisco, Calif., Aug. 8-12, 2011, which is incorporated herein by reference.
Gu et al. describe a method that uses network-based anomaly detection to identify botnet C&C channels in a local area network, in “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), San Diego, Calif., February, 2008, which is incorporated herein by reference.
Gu et al. describe a C&C detection framework that is independent of botnet C&C protocol and structure, in “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection,” Proceedings of the 17th USENIX Security Symposium, San Jose, Calif., 2008, which is incorporated herein by reference.
Eslahi describes methods for detecting HTTP-based Botnets based on network behaviour analysis, in “botAnalytics: Improving HTTP-Based Botnet Detection by Using Network Behavior Analysis System,” Faculty of Computer Science and Information Technology, University of Malaya, 2010, which is incorporated herein by reference.
Wang et al. describe a tool that automatically generates network-level signatures for spyware, in “NetSpy: Automatic Generation of Spyware Signatures for NIDS,” Proceedings of the 22nd Annual Computer Security Applications Conference, Miami Beach, Fla., December, 2006, which is incorporated herein by reference.