A Botnet Detection System Based on Neural Networks

  • Authors: António Nogueira; Paulo Salvador; Fábio Blessa

  • Venue: ICDT '10 Proceedings of the 2010 Fifth International Conference on Digital Telecommunications
  • Year: 2010

Abstract

A concerted fight against botnets is needed in order to prevent them from becoming a serious threat to global security in the forthcoming years. Zombie detection is currently performed at the host and/or network levels, but these options have important drawbacks: antivirus, firewalls and anti-spyware are not effective against this threat because they are not able to detect hosts that are compromised via new or target-specific malicious software, and they were not designed to protect the network from external attacks or from vulnerabilities that are already present inside the local area network. To overcome these limitations, we propose a new botnet detection approach based on the identification of traffic patterns: since each network application, whether it is licit or illicit, has a characteristic traffic pattern that can uniquely identify it, the detection framework will rely on an Artificial Neural Network to identify the licit and illicit patterns. After the identification phase, the system will generate alarms to the system administrator, who can trigger the most appropriate security actions, like blocking the corresponding IP addresses, putting them under deeper surveillance or acting on some suspicious network segment. A general detection framework was developed in order to incorporate the detection methodology itself, as well as the data collection and storage modules and all the necessary management functions. Some performance tests were already carried out on the proposed system, and the results obtained show that the system is stable and fast and that the detection approach is efficient, since it provides high detection rates with low computational overhead.