Correlation-based HTTP Botnet detection using network communication histogram analysis

The latest generation of botnets uses the HTTP protocol and port 80 as its communication medium, so that the bots pass as normal web users and evade current security solutions. In addition, the botmasters who control the infected devices employ several techniques, such as encryption, code obfuscation, anti-honeypot capabilities and randomised communication patterns, to keep their bots undetected for as long as possible. However, bots are designed as a coordinated form of organised cyberattack in which they carry out synchronised attacks as groups. Thus, the similarity of their cooperative group activity can be used as an effective measure to distinguish bots from normal users. In this paper, we propose a histogram-based behaviour analysis approach to capture the number of web requests and the time-gap diversity exhibited by HTTP bots. Building on this, a correlation-based communication histogram analysis approach is designed to detect HTTP botnets from the similarity and correlation of their group activities. The proposed correlation-based HTTP botnet detection model detected HTTP bots with high accuracy and a very low false positive rate.
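The abstract describes the detection idea only at a high level: build a per-host histogram of the gaps between consecutive HTTP requests, score how diverse those gaps are, and then correlate the histograms across hosts so that hosts acting as a coordinated group stand out. The following Python block is an added illustration of that pipeline and is not the paper's own code. Everything concrete in it is an assumption: the bin edges, the use of Shannon entropy as the diversity score and Pearson's coefficient as the correlation measure, the thresholds, and the constructed access log (three hosts polling at a near-fixed 30 s interval, two hosts browsing irregularly).

```python
"""Added example: correlation-based HTTP bot detection from request time-gap histograms.

Toy implementation of the approach sketched in the abstract (per-host histogram of
inter-request gaps, a diversity score, pairwise correlation of histograms to find
hosts that act as a coordinated group). Bin edges, thresholds, the choice of
entropy/Pearson and the sample log are assumptions for this example, not values
taken from the paper.
"""
from collections import defaultdict
from itertools import combinations
from math import log2, sqrt

# Histogram bins for the gap (seconds) between consecutive requests from one host.
# Right-open intervals; the last bin is open-ended. These edges are an assumption.
BIN_EDGES = [0, 5, 15, 30, 60, 120, 300]

# Constructed inter-request gaps per client (not real traffic). Three hosts poll
# every ~30 s (bot-like beaconing); two browse at irregular intervals (user-like).
CONSTRUCTED_GAPS = {
    "10.0.0.1": [30] * 8 + [31] * 2,
    "10.0.0.2": [29] + [30] * 9,
    "10.0.0.3": [30] * 7 + [32] * 3,
    "10.0.0.4": [2, 1, 40, 3, 200, 7, 90, 1, 600, 12],
    "10.0.0.5": [1, 150, 4, 20, 2, 400, 8, 1, 60, 3],
}


def build_log(host_gaps, start=1_700_000_000):
    """Turn per-host gap lists into a flat, time-ordered (timestamp, client_ip) log."""
    log = []
    for host, gaps in host_gaps.items():
        t = start
        log.append((t, host))
        for g in gaps:
            t += g
            log.append((t, host))
    return sorted(log)


def bin_index(gap):
    """Index of the histogram bin that holds this gap (seconds)."""
    idx = 0
    for edge in BIN_EDGES[1:]:
        if gap < edge:
            return idx
        idx += 1
    return idx


def gap_histograms(log):
    """Per host: normalised histogram of the gaps between its consecutive requests."""
    times = defaultdict(list)
    for ts, host in log:
        times[host].append(ts)
    hists = {}
    for host, ts_list in times.items():
        ts_list.sort()
        counts = [0] * len(BIN_EDGES)
        for a, b in zip(ts_list, ts_list[1:]):
            counts[bin_index(b - a)] += 1
        total = sum(counts)
        if total:
            hists[host] = [c / total for c in counts]
    return hists


def diversity(hist):
    """Shannon entropy (bits) of a gap histogram: ~0 means a fixed-interval poller."""
    return -sum(p * log2(p) for p in hist if p > 0)


def pearson(x, y):
    """Pearson correlation between two equal-length histograms (0.0 if one is flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def correlated_groups(hists, max_diversity=1.0, min_corr=0.9):
    """Cluster low-diversity hosts whose histograms correlate at or above min_corr.

    Union-find over host pairs; returns groups of two or more hosts, sorted.
    """
    candidates = sorted(h for h, hist in hists.items() if diversity(hist) <= max_diversity)
    parent = {h: h for h in candidates}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a, b in combinations(candidates, 2):
        if pearson(hists[a], hists[b]) >= min_corr:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for h in candidates:
        groups[find(h)].add(h)
    return sorted((g for g in groups.values() if len(g) >= 2), key=min)


def detect(log, **thresholds):
    """Full pipeline: log -> gap histograms -> correlated low-diversity groups."""
    return correlated_groups(gap_histograms(log), **thresholds)


if __name__ == "__main__":
    sample = build_log(CONSTRUCTED_GAPS)
    hists = gap_histograms(sample)
    for host in sorted(hists):
        print(host, f"diversity={diversity(hists[host]):.2f} bits")
    print("coordinated groups:", detect(sample))
```

The diversity gate matters as much as the correlation: two ordinary users can produce moderately correlated histograms by chance (in the constructed data the two browsing hosts correlate at roughly 0.87), so correlating only among hosts whose gap distribution is narrow keeps them out of the candidate set. On real traffic the bin edges and thresholds would be tuned per site, and the same histogram-plus-correlation step can be run over per-window request counts as a second feature.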
