CR, Mar 27, 2019

Botnet fingerprinting method based on anomaly detection in SMTP conversations

arXiv:1903.11400v1, 10 citations
Originality: Synthesis-oriented
AI Analysis

This addresses the problem of botnet detection for network security professionals, but it appears incremental as it builds on existing traffic analysis methods.

The paper tackled the problem of detecting unsolicited emails sent by botnets by analyzing the sequence and syntax of SMTP commands in network traffic, resulting in several improvements for fingerprinting botnet sources that can aid in network forensic investigations.

The paper presents the results obtained during research on the detection of unsolicited e-mails sent by botnets. The distinction from most existing solutions is that the presented approach is based on the analysis of network traffic: the sequence and syntax of SMTP commands observed during the email delivery process. The paper presents several improvements for the detection of unsolicited email sources from different botnets (fingerprinting), which can be used during network forensic investigation.
