TY  - CONF
T1  - Boosting the scalability of botnet detection using adaptive traffic sampling
T2  - Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Y1  - 2011
A1  - Zhang, Junjie
A1  - Luo, Xiapu
A1  - Perdisci, Roberto
A1  - Gu, Guofei
A1  - Lee, Wenke
A1  - Feamster, Nick
KW  - adaptive sampling
KW  - botnet
KW  - intrusion detection
KW  - network security
AB  - Botnets pose a serious threat to the health of the Internet. Most current network-based botnet detection systems require deep packet inspection (DPI) to detect bots. Because DPI is a computationally costly process, such detection systems cannot handle the large volumes of traffic typical of large enterprise and ISP networks. In this paper we propose a system that aims to efficiently and effectively identify a small number of suspicious hosts that are likely bots. Their traffic can then be forwarded to DPI-based botnet detection systems for fine-grained inspection and accurate botnet detection. By using a novel adaptive packet sampling algorithm and a scalable spatial-temporal flow correlation approach, our system is able to substantially reduce the volume of network traffic that goes through DPI, thereby boosting the scalability of existing botnet detection systems. We implemented a proof-of-concept version of our system and evaluated it using real-world legitimate and botnet-related network traces. Our experimental results are very promising and suggest that our approach can enable the deployment of botnet detection systems in large, high-speed networks.
JA  - Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
T3  - ASIACCS '11
PB  - ACM
CY  - New York, NY, USA
SN  - 978-1-4503-0564-8
UR  - http://doi.acm.org/10.1145/1966913.1966930
M3  - 10.1145/1966913.1966930
ER  - 