Title: A Privacy-Preserving Architecture for Collaborative Botnet Detection
Authors: Dessani, Leo; Wendzel, Steffen; Wressnegger, Christian; Hartmann, Laura; Freiling, Felix; Armknecht, Frederik; Reinfelder, Lena
Date: 2024-04-19 (2024)
Type: Text/Conference Paper
Language: en
Keywords: botnet detection; anomaly detection
ISBN: 978-3-88579-739-5
ISSN: 1617-5468
DOI: 10.18420/sicherheit2024_022
URL: https://dl.gi.de/handle/20.500.12116/43963

Abstract:
Detecting communication with command and control (C2) servers and outbound attacks from internal bots (botnet traffic) is critical for network operators. Detection of botnet traffic is typically done by analyzing communication patterns in their own networks. We hypothesise that cooperation between different network operators can improve the detection of botnet traffic, as a larger amount of traffic can be examined. However, network operators normally do not want to share their traffic with others for privacy reasons. We therefore present a privacy-preserving architecture for collaborative botnet detection. To this end, network operators interested in detecting botnet traffic share traffic from their own networks by using a Threshold Multi-Party Private Set Intersection (T-MP-PSI) protocol to ensure that shared traffic details, such as IP addresses, are only disclosed if they occur on a minimum number of networks. We present the main results from a preliminary evaluation of the architecture based on publicly available benchmark data sets. The evaluation shows that our architecture contributes to the detection of botnet traffic, but that a high number of false positives also occurs. However, this high number can be reduced by pre-processing measures. We also present further options for evaluating the architecture.