Using Anomaly Detection Based Techniques to Detect HTTP-based Botnet C&C Traffic

Cited by: 17
Authors
Sakib, Muhammad N. [1]
Huang, Chin-Tser [1]
Affiliations
[1] Univ South Carolina, Dept Comp Sci & Engn, Columbia, SC 29208 USA
Keywords
botnet; HTTP; C&C; detection; anomaly; DNS;
DOI
10.1109/ICC.2016.7510883
Chinese Library Classification
TM [Electrical engineering]; TN [Electronics and communications technology];
Discipline code
0808; 0809;
Abstract
HTTP is becoming the preferred channel for command and control (C&C) communication of botnets, largely because C&C traffic is easy to hide in the massive volume of browser-generated Web traffic. Detecting these HTTP-based C&C packets, which make up only a minuscule fraction of everyday HTTP traffic, is therefore a formidable task. In this paper, we present an anomaly detection based approach that detects HTTP-based C&C traffic using statistical features derived from client-generated HTTP request packets and DNS server-generated response packets. We use three different unsupervised anomaly detection techniques to isolate suspicious communications that have a high probability of being part of a botnet's C&C communication. Results indicate that our method can achieve a detection rate above 90% while maintaining a reasonably low false positive rate.
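The abstract describes the approach only at a high level, so the following is an added, self-contained Python illustration of the idea, written for this page and not taken from Sakib and Huang's paper: per-client statistical features are built from client-generated HTTP requests and the DNS answers those clients received, and an unsupervised robust-z (median/MAD) scorer ranks clients by how far they sit from the population. The feature list (regularity of inter-request gaps, distinct hosts, POST ratio, URI diversity, share of requests to names answered with a short TTL), the scorer, the threshold of 15, the hypothetical C&C domain update.c2-example.net and every request and DNS record are constructed assumptions; the page does not list the paper's own features or name its three detection techniques.

```python
"""Added illustration for this page (not the paper's code): per-client
statistical features from client HTTP requests and DNS responses, scored
with an unsupervised robust-z (median/MAD) anomaly detector.  Feature set,
detector, threshold and all traffic below are constructed assumptions."""
import random
import statistics
from collections import defaultdict

# Constructed sample traffic.  HTTP request: (time_s, client_ip, method,
# host, uri).  DNS response seen by the client: (client_ip, qname, ttl_s).
NORMAL_HOSTS = ["www.example.com", "cdn.example.net", "img.example.org",
                "api.example.com", "news.example.net", "mail.example.org"]
PATHS = [f"/page{i}" for i in range(40)]
C2_HOST = "update.c2-example.net"          # hypothetical C&C domain
BOT_IP = "10.0.0.99"                       # the beaconing client
FEATURES = ["interval_cv", "distinct_hosts", "post_ratio",
            "uri_diversity", "low_ttl_ratio"]


def build_traffic(seed=7):
    """Five browsing clients with irregular think time, several hosts and
    mostly GETs, plus one client that POSTs to a single host every 60 s."""
    rng = random.Random(seed)
    http, dns = [], []
    for i in range(1, 6):
        ip = f"10.0.0.{10 + i}"
        hosts = rng.sample(NORMAL_HOSTS, rng.randint(3, 6))
        for h in hosts:
            dns.append((ip, h, rng.choice([300, 600, 3600])))
        t = 0.0
        for _ in range(rng.randint(12, 20)):
            t += rng.uniform(1, 180)             # human think time
            method = "POST" if rng.random() < 0.15 else "GET"
            http.append((t, ip, method, rng.choice(hosts), rng.choice(PATHS)))
    dns.append((BOT_IP, C2_HOST, 60))            # short-TTL answer for C&C name
    for k in range(20):
        http.append((60.0 * k, BOT_IP, "POST", C2_HOST, "/gate.php"))
    return http, dns


def extract_features(http, dns, low_ttl=120):
    """Per-client feature vector (assumed features, not the paper's list)."""
    by_client = defaultdict(list)
    for rec in http:
        by_client[rec[1]].append(rec)
    ttl = {(c, q): t for c, q, t in dns}
    feats = {}
    for ip, recs in by_client.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-request gaps: 0 for a fixed beacon.
        cv = (statistics.pstdev(gaps) / statistics.mean(gaps)
              if len(gaps) >= 2 and statistics.mean(gaps) > 0 else 0.0)
        n = len(recs)
        low = sum(1 for r in recs if ttl.get((ip, r[3]), float("inf")) < low_ttl)
        feats[ip] = {
            "interval_cv": cv,
            "distinct_hosts": len({r[3] for r in recs}),
            "post_ratio": sum(r[2] == "POST" for r in recs) / n,
            "uri_diversity": len({r[4] for r in recs}) / n,
            "low_ttl_ratio": low / n,
        }
    return feats


def robust_z(values):
    """|x - median| / (1.4826 * MAD).  If MAD is 0 (most values identical)
    fall back to the mean absolute deviation; if that is 0 too, all z = 0."""
    med = statistics.median(values)
    dev = [abs(v - med) for v in values]
    scale = 1.4826 * statistics.median(dev) or statistics.mean(dev)
    return [d / scale if scale else 0.0 for d in dev]


def score_clients(feats):
    """Unsupervised score: sum of per-feature robust z across all clients."""
    ips = sorted(feats)
    score = dict.fromkeys(ips, 0.0)
    for f in FEATURES:
        for ip, z in zip(ips, robust_z([feats[ip][f] for ip in ips])):
            score[ip] += z
    return score


def rank_clients(http, dns, threshold=15.0):
    """Return (clients ranked by score, clients above the flag threshold)."""
    score = score_clients(extract_features(http, dns))
    ranked = sorted(score.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, [ip for ip, s in ranked if s > threshold]


if __name__ == "__main__":
    ranked, flagged = rank_clients(*build_traffic())
    for ip, s in ranked:
        print(f"{ip:12s} score={s:6.2f} {'<-- suspect' if ip in flagged else ''}")
```

The beaconing client scores far above the browsing clients because it is extreme on every feature at once, which is the reason for summing per-feature deviations rather than alerting on any single one. The median/MAD scaler is only one unsupervised choice; whatever detector is used, the threshold has to be tuned against a known-benign baseline, since the false positive rate the abstract reports depends on that population.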
Pages: 6
Related papers (50 in total; first 10 listed)
  • [1] Yamauchi, Kazumasa; Hori, Yoshiaki; Sakurai, Kouichi. Detecting HTTP-based Botnet based on Characteristic of the C&C session using by SVM. 2013 Eighth Asia Joint Conference on Information Security (AsiaJCIS), 2013: 63-68.
  • [2] Kondo, Satoshi; Sato, Naoshi. Botnet traffic detection techniques by C&C session classification using SVM. Advances in Information and Computer Security, Proceedings, 2007, 4752: 91+.
  • [3] Kim, Sung-Jin; Lee, Sungryoul; Bae, Byungchul. HAS-Analyzer: Detecting HTTP-based C&C based on the Analysis of HTTP Activity Sets. KSII Transactions on Internet and Information Systems, 2014, 8(5): 1801-1816.
  • [4] Acarali, Dilara; Rajarajan, Muttukrishnan; Komninos, Nikos; Herwono, Ian. Survey of approaches and features for the identification of HTTP-based botnet traffic. Journal of Network and Computer Applications, 2016, 76: 1-15.
  • [5] Brezo, Felix; Gaviria de la Puerta, Jose; Santos, Igor; Barroso, David; Garcia Bringas, Pablo. C&C Techniques in Botnet Development. International Joint Conference CISIS'12 - ICEUTE'12 - SOCO'12 Special Sessions, 2013, 189: 97+.
  • [6] Eslahi, Meisam; Hashim, H.; Tahir, N. M. An Efficient False Alarm Reduction Approach in HTTP-based Botnet Detection. 2013 IEEE Symposium on Computers and Informatics (ISCI 2013), 2013.
  • [7] Oujezsky, Vaclav; Horvath, Tomas; Skorpil, Vladislav. Modeling Botnet C&C Traffic Lifespans from NetFlow Using Survival Analysis. 2016 39th International Conference on Telecommunications and Signal Processing (TSP), 2016: 50-55.
  • [8] Alomari, Esraa; Manickam, Selvakumar; Gupta, B. B.; Singh, Parminder; Anbar, Mohammed. Design, Deployment and use of HTTP-based Botnet (HBB) Testbed. 2014 16th International Conference on Advanced Communication Technology (ICACT), 2014: 1265-1269.
  • [9] Diaz-Verdejo, Jesus E.; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Madinabeitia, German. A critical review of the techniques used for anomaly detection of HTTP-based attacks: taxonomy, limitations and open challenges. Computers & Security, 2023, 124.
  • [10] Biernacki, Arkadiusz. Analysis of Aggregated HTTP-based Video Traffic. Journal of Communications and Networks, 2016, 18(5): 826-836.