HTTP botnet detection using hidden semi-Markov model with SNMP MIB variables

Authors:
G. Kirubavathi Venkatesh;V. Srihari;R. Veeramani;R. M. Karthikeyan;R. Anitha
Affiliations:
Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India;Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India;Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India;Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India;Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India
Venue:
International Journal of Electronic Security and Digital Forensics
Year:
2013

Citing 9
Cited 0

An algorithm for anomaly-based botnet detection

SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Botnet Detection by Monitoring Group Activities in DNS Traffic

CIT '07 Proceedings of the 7th IEEE International Conference on Computer and Information Technology
Wide-scale botnet detection and characterization

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Rishi: identify bot contaminated hosts by IRC nickname evaluation

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability

SECTECH '08 Proceedings of the 2008 International Conference on Security Technology
Monitoring the application-layer DDoS attacks for popular websites

IEEE/ACM Transactions on Networking (TON)
Botnet: classification, attacks, detection, tracing, and preventive measures

ICICIC '09 Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control
A Botnet Detection System Based on Neural Networks

ICDT '10 Proceedings of the 2010 Fifth International Conference on Digital Telecommunications
Identifying botnets by capturing group activities in DNS traffic

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Botnet has become a prevalent platform for many malicious attacks and hence it is considered as a serious threat to internet security. A botmaster can control millions of compromised systems using command & control C&C infrastructure. At early time IRC protocol-based botnets were used by the attackers. Recently attackers have shifted their paradigm towards HTTP-based C&C server because of several advantages and in this situation, bots frequently request and download commands from web servers which are under the control of botmaster. Since web-based C&C bots try to blend into normal HTTP traffic, it is difficult to identify HTTP botnets. In this work, we propose a hidden semi-Markov model HsMM to characterise the normal network behaviour considering that most of the communications of web-based bots are based on TCP. We use TCP-based MIB variables as observed sequence and forward-backward algorithm for estimating model parameters to best account for an observed sequence. Several experiments are conducted to validate our model. The proposed system is lightweight and real time.