A New Hybrid Approach for C&C Channel Detection
Published in | 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS), pp. 583 - 590 |
---|---|
Format | Conference Proceeding |
Language | English |
Published | IEEE, 01.08.2019 |
Summary | A great many botnet detection studies focus on recognizing and blocking the botnet's essential C&C channel, and they typically require a certain number of C&C training instances to build a behavior detection model. However, when C&C training instances are lacking for new or even unknown botnets, these methods may become inefficient or even invalid. To overcome this, we propose a new hybrid approach for network-based C&C channel detection. It neither requires us to prepare C&C training instances nor requires deploying monitors for malicious activity. It uses two heuristic rules to filter out non-C&C traffic that violates common C&C characteristics, and then makes the final C&C decision through a behavior-based anomaly detection model that requires only normal traffic for training. Our approach achieved an average C&C F-measure above 0.9 for most evaluation datasets. Moreover, the comparison results not only demonstrate that our approach has significant performance advantages over purely heuristic-rule-based methods, but also show that our behavior model can profile network traffic in detail, mine more useful behavioral differences than anomaly models built on traditional statistical features, and thus achieve a better detection result. |
DOI | 10.1109/HPCC/SmartCity/DSS.2019.00090 |