Analysis of P2P, IRC and HTTP traffic for botnets detection

Botnets are widespread and have become a major threat to network security. A botnet is a group of infected computers that are controlled by a botmaster. Botnet members use command and control (C&C) channels to communicate with their C&C server. In this paper, we study the detection of botnets by monitoring and analyzing the traffic of botnets’ C&C channels. As bots are preprogrammed to communicate every T seconds, we exploit this periodic behavior of C&C traffic to detect the botnet. The botnet detection approach we use is based on evaluating the periodogram of several count-feature sequences of the traffic and testing the significance of the peak of each periodogram. We apply this approach to real traffic that we captured from King Saud University’s (KSU) network. The captured traffic contains more than 11 TB of traffic that spans 50 days during 2012 and 2013 from different locations inside KSU. We apply the detection approach to KSU’s traffic to detect botnet C&C traffic that uses P2P, IRC, or HTTP as its communication protocol. The results show that the botnet detection approach can efficiently detect botnet members in recent traffic datasets. The period values of the detected bots ranged between 31 and 49 min.
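The detection pipeline the abstract describes (a per-host count sequence, its periodogram, and a significance test on the peak) as an added worked example in Python; this is not the paper's code. It assumes 10-minute bins over a one-day capture, Fisher's g-test as the peak-significance test (the abstract does not name the test used), and constructed count sequences in place of captured traffic.

```python
import cmath
import math
import random

BIN_SECONDS = 600                     # 10-minute bins (assumed; not given in the abstract)
BINS_PER_DAY = 86400 // BIN_SECONDS   # one day of capture = 144 bins

def periodogram(counts):
    """Periodogram I_k = |X_k|^2 / N of the mean-centred count sequence at the Fourier
    frequencies k = 1 .. floor((N-1)/2); DC and Nyquist are dropped, as usual for Fisher's test."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2 / n
            for k in range(1, (n - 1) // 2 + 1)]

def fisher_g_pvalue(ords):
    """Fisher's g-test on the largest ordinate (assumed here as the peak-significance test; the
    abstract does not name one): g = I_max / sum(I), p = sum_j (-1)^(j-1) C(m,j) (1 - j g)^(m-1)."""
    m = len(ords)
    g = max(ords) / sum(ords)
    p = sum((-1) ** (j - 1) * math.comb(m, j) * (1 - j * g) ** (m - 1)
            for j in range(1, int(1 / g) + 1))
    return g, min(max(p, 0.0), 1.0)

def detect_periodic_host(counts, bin_seconds=BIN_SECONDS, alpha=0.001):
    """Flag a host whose count sequence has a significant periodogram peak; report the peak's
    period in minutes (with finer bins, harmonics at T/2, T/3, ... also rise above the noise)."""
    ords = periodogram(counts)
    k_peak = max(range(len(ords)), key=ords.__getitem__) + 1
    g, p = fisher_g_pvalue(ords)
    period_min = len(counts) * bin_seconds / k_peak / 60
    return {"periodic": p < alpha, "p_value": p, "period_min": period_min}

def constructed_counts(bot_period_min, seed):
    """Constructed sample, not captured traffic: 0-4 background packets per bin (white noise)
    plus, for a bot, a C&C exchange every bot_period_min minutes: 7 packets in the beacon's
    bin and 3 in the next (poll, then a delayed reply)."""
    rng = random.Random(seed)
    counts = [rng.randint(0, 4) for _ in range(BINS_PER_DAY)]
    if bot_period_min:
        step = bot_period_min * 60 // BIN_SECONDS
        for t in range(0, BINS_PER_DAY, step):
            counts[t] += 7
            counts[(t + 1) % BINS_PER_DAY] += 3
    return counts

if __name__ == "__main__":
    for name, period in (("bot host", 40), ("benign host", None)):
        print(name, detect_periodic_host(constructed_counts(period, seed=7)))
```

A periodic pulse train puts spectral lines at every harmonic of 1/T, so when the bin is small relative to T the period should be read from the lowest significant line, not necessarily the tallest one. The g-test also reacts to any single dominant line, so a strong diurnal trend must be removed from the count sequence before the test is applied.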
