Correlation-based HTTP Botnet detection using network communication histogram analysis

Bibliographic Details
Published in 2017 IEEE Conference on Application, Information and Network Security (AINS) pp. 7 - 12
Main Authors Naseri, Maryam Var, Abidin, Wardah Zainal, Eslahi, Meisam
Format Conference Proceeding
Language English
Published IEEE 01.11.2017
Summary: The latest generation of Botnets uses the HTTP protocol and port 80 as its communication medium to impersonate normal web users and evade current security solutions. In addition, the Botmasters who control the infected devices employ several techniques, such as encryption, code obfuscation, anti-honeypot capabilities and random communication patterns, to keep their Bots undetectable for as long as possible. However, Bots are designed as a coordinated form of organized cyberattack in which they conduct synchronized attacks in groups. Thus, the similarities of cooperative group activities can be used as an effective measure to distinguish Bots from normal users. In this paper, we propose a histogram-based behaviour analysis approach to identify the number of web requests and their time gap diversity posed by HTTP Bots. Finally, a correlation-based communication histogram analysis approach is designed to detect HTTP Botnets based on the similarity and correlation of their group activities. The proposed correlation-based HTTP Botnet detection model was successfully able to detect HTTP Bots with high accuracy and a very low false positive rate.
DOI: 10.1109/AINS.2017.8270416