Survey of approaches and features for the identification of HTTP-based botnet traffic

Acarali, Dilara; Rajarajan, Muttukrishnan; Komninos, Nikos; Herwono, Ian

doi:10.1016/j.jnca.2016.10.007

Cited by 46 publications

(26 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

Section: Related Workmentioning

confidence: 99%

“…In Section 4, we compare our experimental results with these works to show the advantages of our approach in terms of accuracy. For more references on Botnet identification, we recommend Silva et al 36 and Acarali et al 1 Livadas et al 26 propose a two-stage method to detect IRC-based C&C channels using 10 features extracted from network flows. In the first stage, a classifier detects the IRC connections and the second stage is used to classify the IRC connections into "normal" and "C&C."…”

Section: Related Workmentioning

confidence: 99%

“…The most commons are Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP), Transmission Control Protocol (TCP) (pure TCP for raw transmissions), Peer‐to‐Peer (P2P), social media, and cloud services . The Botnet lifecycle can be structured in four phases: (1) propagation, which includes the proliferation and infection of bots; (2) rally, identified by the establishment of C&C connections; (3) interaction, compound of execution of commands submitted by the botmaster, malware updates and download of additional malicious code; and (4) attack, which is the final goal, identified by attacks executed by bots.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

HTTP and contact‐based features for Botnet detection

Resende

Drummond

2018

Security and Privacy

View full text Add to dashboard Cite

Over the past decade, Botnets have been prevailing as a relevant threat on the Internet. A Botnet is compound by many infected computers connected to the global network and subdued to a controller, which uses the computational resources for malicious purposes. Many techniques are used to make difficult the identification of Botnet communications on networks. However, these communications are automated and usually have typical behavioral patterns, which have been used by detection approaches. In this context, we noted that HTTP connections established as command and control (C&C) channels of Botnets commonly have specific implementations, which deviate from the patterns used by legitimate HTTP accesses. Also, C&C channels over other protocols, such as IRC or TCP, typically are compound by similar chunks of data transmission interleaved with times with negligible traffic. We used both particularities to propose new features to distinguish C&C channels from benign traffic. The proposed detection method uses a random forest classifier implemented over Apache Spark, a Big Data processing framework. In the presented experiments, the approach achieved more than 99% of accuracy with virtually zero false positives, which are good results when compared with other available similar approaches. Also, the proposed features can be extracted before the communication end, which enables a premature response.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

HTTP and contact‐based features for Botnet detection

Resende

Drummond

2018

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Consequently, DGA can now be regarded as a feature of financial botnets based on HTTP. The majority of botnets based on HTTP [14,15], such as Shylock, Carberp, and Zeus, utilize DGA to empower their C and C communication channels; therefore, it is more complex to fingerprint the C and C servers. The DGA implementation in Zeus and Carberp botnets will provide attackers a safe fallback mechanism in case P2P communication fails.…”

Section: Future Internetmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

show abstract

“…1,2 A botnet is a coordinated group of infected bots that receive orders from an attacker (ie, botmaster), via various command and control (C&C) channels. The formidable spread of botnets and their growing ability to resist being detected have motivated research community to explore more intelligent techniques for detecting botnets.…”

Section: Introductionmentioning

confidence: 99%

A self‐learning stream classifier for flow‐based botnet detection

Gelian

Mashayekhi

2019

Int J Communication

View full text Add to dashboard Cite

Botnets have been recently recognized as one of the most formidable threats on the Internet. Different approaches have been designed to detect these types of attacks. However, as botnets evolve their behavior to mislead the signaturebased detection systems, learning-based methods may be deployed to provide a generalization capacity in identifying unknown botnets. Developing an adaptable botnet detection system, which incrementally evolves with the incoming flow stream, remains as a challenge. In this paper, a self-learning botnet detection system is proposed, which uses an adaptable classification model. The system uses an ensemble classifier and, in order to enhance its generalization capacity, updates its model continuously on receiving new unlabeled traffic flows. The system is evaluated with a comprehensive data set, which contains a wide variety of botnets. The experiments demonstrate that the proposed system can successfully adapt in a dynamic environment where new botnet types are observed during the system operation. We also compare the system performance with other methods.

show abstract

Survey of approaches and features for the identification of HTTP-based botnet traffic

Cited by 46 publications

References 29 publications

HTTP and contact‐based features for Botnet detection

HTTP and contact‐based features for Botnet detection

Botnet Detection Technology Based on DNS

A self‐learning stream classifier for flow‐based botnet detection

Contact Info

Product

Resources

About