Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic

HTTP is becoming the preferred channel for command and control (C&C) communication of botnets, largely because C&C traffic is easy to hide in the massive volume of browser-generated Web traffic. Detecting these HTTP-based C&C packets, which constitute only a minuscule portion of everyday HTTP traffic, is nevertheless a formidable task. In this paper, we present an anomaly detection based approach to detect HTTP-based C&C traffic using statistical features derived from client-generated HTTP request packets and DNS server-generated response packets. We use three different unsupervised anomaly detection techniques to isolate suspicious communications that have a high probability of being part of a botnet's C&C communication. Results indicate that our method can achieve more than 90% detection rate while maintaining a reasonably low false positive rate.
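The abstract's pipeline sketched as an added example, not code from the paper: per-client statistical features from HTTP request records (inter-request timing regularity, URI diversity) are scored by a median/MAD modified z-score, a simple unsupervised outlier detector standing in for the three techniques the paper evaluates. The request log, the feature set, the detector and the 3.5 cut-off are assumptions, and the DNS-response features the paper also uses are omitted.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import mean, median, pstdev
def _client(ip, start, gaps, uris):  # constructed records (ip, timestamp_s, uri)
    return list(zip([ip] * len(uris), accumulate([start] + gaps), uris))
# Constructed log: five browser-like clients plus one fetching the same URI every 60 s.
SAMPLE_REQUESTS = (
    _client("10.0.0.1", 0, [3, 40, 7, 120, 15, 2, 60, 9], [f"/p{i}" for i in range(9)])
    + _client("10.0.0.2", 5, [1, 2, 75, 30, 5, 200], ["/", "/a.css", "/b.js", "/news", "/", "/about", "/img"])
    + _client("10.0.0.3", 9, [10, 50, 4, 90, 25], ["/", "/login", "/inbox", "/m/1", "/", "/out"])
    + _client("10.0.0.4", 2, [2, 3, 150, 8, 45, 12, 6], [f"/i/{i}" for i in range(7)] + ["/i/0"])
    + _client("10.0.0.5", 7, [30, 1, 80, 20], ["/", "/s?q=a", "/s?q=b", "/d/1", "/d/2"])
    + _client("10.0.0.6", 11, [60] * 9, ["/update"] * 10)
)

def extract_features(requests, min_requests=3):
    """Per-client features; clients with too few requests are skipped (timing stats would be meaningless)."""
    by_client = defaultdict(list)
    for ip, ts, uri in requests:
        by_client[ip].append((ts, uri))
    feats = {}
    for ip, recs in by_client.items():
        if len(recs) < min_requests:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[ip] = {"cv_interval": pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0,  # ~0 = beaconing
                     "uri_diversity": len({u for _, u in recs}) / len(recs)}
    return feats

def robust_z(values):
    """Modified z-scores (median/MAD): one outlier cannot inflate its own scale; MAD == 0 falls back to mean abs dev."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    scale = 0.6745 / mad if mad > 0 else (1 / (1.253314 * mean(dev)) if mean(dev) > 0 else 0.0)
    return [d * scale for d in dev]

def score_clients(requests):
    """Unsupervised anomaly score per client = largest modified z over all features."""
    feats = extract_features(requests)
    ips, scores = list(feats), {}
    for name in next(iter(feats.values()), {}):
        for ip, z in zip(ips, robust_z([feats[ip][name] for ip in ips])):
            scores[ip] = max(scores.get(ip, 0.0), z)
    return scores

def flag_anomalies(requests, threshold=3.5):  # 3.5 is the usual modified-z cut-off
    return {ip for ip, s in score_clients(requests).items() if s >= threshold}
```

On the constructed log only the beaconing client exceeds the cut-off, and it is the low URI diversity rather than the timing regularity alone that pushes it over; in practice the feature set would be wider and the population far larger.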
