Periodicity classification of HTTP traffic to detect HTTP Botnets

Recently, the HTTP based Botnet threat has become a serious challenge for security experts as Bots can be distributed quickly and stealthily. With the HTTP protocol, Bots hide their communication flows within the normal HTTP flows making them more stealthy and difficult to detect. Furthermore, since the HTTP service is being widely used by the Internet applications, it is not easy to block this service as a precautionary measure and other techniques are required to detect and deter the Bot menace. The HTTP Bots periodically connect to particular web pages or URLs to get commands and updates from the Botmaster. In fact, this identifiable periodic connection pattern has been used in several studies as a feature to detect HTTP Botnets. In this paper, we review the current studies on detection of periodic communications in HTTP Botnets as well as the shortcomings of these methods. Consequently, we propose three metrics to be used in identifying the types of communication patterns according to their periodicity. Test results show that in addition to detecting HTTP Botnet communication patterns with 80% accuracy, the proposed method is able to efficiently classify communication patterns into several periodicity categories.

[1]  N. M. Tahir,et al.  An efficient false alarm reduction approach in HTTP-based botnet detection , 2013, 2013 IEEE Symposium on Computers & Informatics (ISCI).

[2]  Amr M. Youssef,et al.  On the analysis of the Zeus botnet crimeware toolkit , 2010, 2010 Eighth International Conference on Privacy, Security and Trust.

[3]  Dae-il Jang,et al.  Evasion technique and detection of malicious botnet , 2010, 2010 International Conference for Internet Technology and Secured Transactions.

[4]  M. Eslahi,et al.  MoBots: A new generation of botnets on mobile devices and networks , 2012, 2012 International Symposium on Computer Applications and Industrial Electronics (ISCAIE).

[5]  Ali A. Ghorbani,et al.  BotCop: An Online Botnet Traffic Classifier , 2009, 2009 Seventh Annual Communication Networks and Services Research Conference.

[6]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[7]  Alejandro Zunino,et al.  An empirical comparison of botnet detection methods , 2014, Comput. Secur..

[8]  Chun-Ying Huang,et al.  A fuzzy pattern-based filtering algorithm for botnet detection , 2011, Comput. Networks.

[9]  Tung-Ming Koo,et al.  Construction P2P firewall HTTP-Botnet defense mechanism , 2011, 2011 IEEE International Conference on Computer Science and Automation Engineering.

[10]  David J. Darling The Universal Book of Mathematics: From Abracadabra to Zeno's Paradoxes , 2004 .

[11]  Maryam Var Naseri,et al.  A data collection approach for Mobile Botnet analysis and detection , 2014, 2014 IEEE Symposium on Wireless Technology and Applications (ISWTA).

[12]  Wei Jiang,et al.  Botnet: Survey and Case Study , 2009, 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).

[13]  W. Timothy Strayer,et al.  Detecting Botnets with Tight Command and Control , 2006, Proceedings. 2006 31st IEEE Conference on Local Computer Networks.

[14]  Ronaldo M. Salles,et al.  Botnets: A survey , 2013, Comput. Networks.

[15]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[16]  José M. F. Moura,et al.  Periodic Behavior in Botnet Command and Control Channels Traffic , 2009, GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference.

[17]  Futai Zou,et al.  Detecting HTTP Botnet with Clustering Network Traffic , 2012, 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing.

[18]  Feng Liu,et al.  Modeling Connections Behavior for Web-Based Bots Detection , 2010, 2010 2nd International Conference on E-business and Information System Security.

[19]  Basheer Al-Duwairi,et al.  BotDigger: A Fuzzy Inference System for Botnet Detection , 2010, 2010 Fifth International Conference on Internet Monitoring and Protection.

[20]  M. Eslahi,et al.  Bots and botnets: An overview of characteristics, detection and challenges , 2012, 2012 IEEE International Conference on Control System, Computing and Engineering.

[21]  Bong-Nam Noh,et al.  The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability , 2008, 2008 International Conference on Security Technology.

[22]  José M. F. Moura,et al.  An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic , 2013, Journal of advanced research.

[23]  Xiao-Bai Li,et al.  A scalable decision tree system and its application in pattern recognition and intrusion detection , 2005, Decis. Support Syst..