A novel HTTP botnet traffic detection method

Tyagi, Rohit; Paul, Tuhin; Manoj, B. S.; Thanudas, B.

doi:10.1109/indicon.2015.7443675

Cited by 9 publications

(3 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The challenge of this approach is how to differentiate entropy produces by encrypted Botnet with other traffic that produces high entropy, for instance, media, executable, and compressed files. Tyagi et al (2015) [28] also implement deep packet inspection (DPI) in their approach and proposed N-gram based HTTP bot traffic detection. The proposed technique detects encrypted and regular Botnet.…”

Section: Related Workmentioning

confidence: 99%

A Framework for Detecting Botnet Command and Control Communication over an Encrypted Channel

Ismail¹,

Jantan²,

Najwadi³

2020

IJACSA

View full text Add to dashboard Cite

Botnet employs advanced evasion techniques to avoid detection. One of the Botnet evasion techniques is by hiding their command and control communication over an encrypted channel like SSL and TLS. This paper provides a Botnet Analysis and Detection System (BADS) framework for detecting Botnet. The BADS framework has been used as a guideline to devise the methodology, and we divided this methodology into six phases: i. data collection, customization, and conversion, ii. feature extraction and feature selection, iii. Botnet prediction and classification, iv. Botnet detection, v. attack notification, and vi. testing and evaluation. We tend to use the machine learning algorithm for Botnet prediction and classification. We also found several challenges in implementing this work. This research aims to detect Botnet over an encrypted channel with high accuracy, fast detection time, and provides autonomous management to the network manager.

show abstract

Section: Related Workmentioning

confidence: 99%

A Framework for Detecting Botnet Command and Control Communication over an Encrypted Channel

Ismail¹,

Jantan²,

Najwadi³

2020

IJACSA

View full text Add to dashboard Cite

show abstract

“…The value of plus/minus 2 seconds is used to determine if a cell is close to the next as it is a fair interval to account for separate activities while making room for network lags especially in the case of chat protocols that could have constant cells. For example, [10,11,12,13,20,21,22,23,30,31,32,33] become [11.5, 21.5, 31.5]; the cells with timestamps 10, 11, 12 and 13 were clustered as a unique cell with timestamp 11.5 and a unique cell count of 4. Cell aggregation is done to group events together and ease the extraction of features.…”

Section: Cell Aggregation Grouping and Time Segregationmentioning

confidence: 99%

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

Fajana

Owenson

Cocea

2018

2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)

View full text Add to dashboard Cite

Botnets are collections of infected computers that are controlled centrally by a botmaster, often for sending spam or launching denial of service attacks. The task to take down these botnets is often a cat and mouse game with operators frequently changing domains for their control infrastructure. More recently, operators have moved to using Tor, a pseudoanonymous network for hosting services whereby identification is difficult. Additionally, because connections to the Tor network are encrypted, we cannot use traditional methods like Domain Name System (DNS) and traffic signatures to detect infected hosts. In this paper, we introduce TorBot Stalker: the first mechanism for detecting, de-anonymizing, and destroying Tor botnets. We use machine learning to analyse and fingerprint the timings and frequency of Tor network circuit data when routing botnet traffic, and build a detection mechanism that is able to identify infected hosts at the Tor network border, in real-time, while preserving the privacy of legitimate users. TorBot Stalker can be implemented at any node in the Tor network and can differentiate between botnets and legitimate applications like Internet Relay Chat (IRC) coming from the same host. Experimental data demonstrates an accuracy of 99% with few false positives. We then apply the technique at the entry to the Tor network to measure the fraction of traffic which is for botnet. We observed that Torbot Stalker is able to de-anonymize real botnets in the Tor network and further identify infected hosts and control servers.

show abstract

“…Botnets utilize Peer-to-Peer (P2P) networks, open file sharing frameworks, and even "hit lists" to detect vulnerable IP addresses for infection among many other network propagation methods [22]. Tyagi et al [23] focused on detecting periodicity of similar contents in a particular flow using N-Gram analysis and Deep Packet Inspection (DPI). The study clustered the similar flows and checked the similarity score using a distance metric.…”

Section: Malicious Botnet Detectionmentioning

confidence: 99%

Analysis of Periodicity in Botnets

Nagarajan

View full text Add to dashboard Cite

Analysis of Periodicity in Botnets by Prathiba Nagarajan A botnet consists of a network of infected computers which are controlled remotely via a command and control (C&C) server. A typical botnet requires frequent communication between the C&C server and the infected nodes. Previous approaches to detecting botnets have employed various machine learning techniques, based on features extracted from network traffic. In this research, we carefully analyze the periodicity of traffic as a means for detecting a variety of botnets by applying machine learning to publicly available datasets. ACKNOWLEDGMENTS I would like to express gratitude to my advisor Prof. Mark Stamp for his patience, motivation and knowledge to guide this thesis and project. My thanks to the committee members Prof. Thomas Austin and Prof. Melody Moh for their encouragement. I would also like to thank Mr. Kevin Ross for sharing his knowledge about network concepts. I will forever be thankful to the Almighty, my parents, my husband, and friends for the immense support and guidance received throughout my journey. v

show abstract

A novel HTTP botnet traffic detection method

Cited by 9 publications

References 9 publications

A Framework for Detecting Botnet Command and Control Communication over an Encrypted Channel

A Framework for Detecting Botnet Command and Control Communication over an Encrypted Channel

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

Analysis of Periodicity in Botnets

Contact Info

Product

Resources

About