Periodicity classification of HTTP traffic to detect HTTP Botnets

• 发表在: ISCAIE 2015 - 2015 IEEE Symposium on Computer Applications and Industrial Electronics
• 主要作者: Eslahi M.; Rohmad M.S.; Nilsaz H.; Naseri M.V.; Tahir N.M.; Hashim H.
• 格式: Conference paper
• 语言: English
• 出版: Institute of Electrical and Electronics Engineers Inc. 2015
• 在线阅读: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84959056190&doi=10.1109%2fISCAIE.2015.7298339&partnerID=40&md5=ef0faf3ebc16f8a936d5d7a7316b728f

Recently, the HTTP based Botnet threat has become a serious challenge for security experts as Bots can be distributed quickly and stealthily. With the HTTP protocol, Bots hide their communication flows within the normal HTTP flows making them more stealthy and difficult to detect. Furthermore, since the HTTP service is being widely used by the Internet applications, it is not easy to block this service as a precautionary measure and other techniques are required to detect and deter the Bot menace. The HTTP Bots periodically connect to particular web pages or URLs to get commands and updates from the Botmaster. In fact, this identifiable periodic connection pattern has been used in several studies as a feature to detect HTTP Botnets. In this paper, we review the current studies on detection of periodic communications in HTTP Botnets as well as the shortcomings of these methods. Consequently, we propose three metrics to be used in identifying the types of communication patterns according to their periodicity. Test results show that in addition to detecting HTTP Botnet communication patterns with 80% accuracy, the proposed method is able to efficiently classify communication patterns into several periodicity categories. © 2015 IEEE.