DocumentCode :
1675786
Title :
Botnets Detection Based on IRC-Community
Author :
Lu, Wei ; Ghorbani, Ali A.
Author_Institution :
Fac. of Comput. Sci., Univ. of New Brunswick, Fredericton, NB
fYear :
2008
Firstpage :
1
Lastpage :
5
Abstract :
Botnets are networks of compromised computers controlled under a common command and control (C&C) channel. Recognized as one of the most serious security threats on current Internet infrastructure, botnets are often hidden in existing applications, e.g. IRC, HTTP, or Peer-to-Peer, which makes botnet detection a challenging problem. Previous attempts at detecting botnets examine traffic content for IRC commands on selected network links or set up honeypots. In this paper, we propose a new approach for detecting and characterizing botnets on a large-scale WiFi ISP network, in which we first classify the network traffic into different applications by using payload signatures and a novel clustering algorithm, and then analyze the specific IRC application community based on the temporal-frequent characteristics of flows, which leads to the differentiation of malicious IRC channels created by bots from normal IRC traffic generated by human beings. We evaluate our approach with over 160 million flows collected over five consecutive days on a large-scale network, and the results show that the proposed approach successfully detects the botnet flows from over 160 million flows with a high detection rate and an acceptably low false alarm rate.
Keywords :
Internet; invasive software; telecommunication security; IRC channel; IRC command; IRC community; IRC traffic; Internet infrastructure; WiFi ISP network; botnet detection; clustering algorithm; command and control channel; compromised computers; honeypots; network links; network traffic; security threats; Application software; Clustering algorithms; Command and control systems; Communication system traffic control; Computer networks; Internet; Large-scale systems; Payloads; Peer to peer computing; Telecommunication traffic;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE
Conference_Location :
New Orleans, LO
ISSN :
1930-529X
Print_ISBN :
978-1-4244-2324-8
Type :
conf
DOI :
10.1109/GLOCOM.2008.ECP.398
Filename :
4698173