Detecting Web-Based Botnets Using Bot Communication Traffic Features

الملخص EN

Web-based botnets are popular nowadays.

A Web-based botnet is a botnet whose C&C server and bots use HTTP protocol, the most universal and supported network protocol, to communicate with each other.

Because the botnet communication can be hidden easily by attackers behind the relatively massive HTTP traffic, administrators of network equipment, such as routers and switches, cannot block such suspicious traffic directly regardless of costs.

Based on the clients constituent of a Web server and characteristics of HTTP responses sent to clients from the server, this paper proposes a traffic inspection solution, called Web-based Botnet Detector (WBD).

WBD is able to detect suspicious C&C (Command-and-Control) servers of HTTP botnets regardless of whether the botnet commands are encrypted or hidden in normal Web pages.

More than 500 GB real network traces collected from 11 backbone routers are used to evaluate our method.

Experimental results show that the false positive rate of WBD is 0.42%.