H. Hashim
N.M. Tahir
I. INTRODUCTION
A botnet threat comes from three main elements: the bots,
the command and control (C&C) servers, and the botmasters.
A bot is a small application which is designed to infect
computers and use them as part of a botnet without their
owners' knowledge. The infected computers, or zombies, are
controlled by skilful remote attackers called botmasters. They
use C&C servers as an interface to send orders to all the bots and
control the entire botnet [1]. In general, there are different
types of botnet command and control models based on the
communication style (i.e. PUSH or PULL), architecture (e.g.
centralised and decentralised) and protocol (e.g. IRC, HTTP
and P2P) [2].
The Internet Relay Chat (IRC) protocol is used in the first
generation of botnets, where the IRC servers and the relevant
channels are employed to establish a central C&C server to
distribute the botmasters' commands [3]. IRC bots follow the
PUSH approach, as they connect to selected channels and
remain connected [4]. Although IRC botnets are
easy to use, control and manage, they suffer from a central
point of failure [5]. To overcome this issue, in the P2P model,
201
To overcome this issue, they propose a fuzzy cross-association classifier which uses synchronisation activity as a
metric, based on the observation that bots may perform abnormal
activities in order to stay synchronised with the other bots in the same
botnet. This method also requires a large number of bots in one
botnet and may generate false alarms for small-scale botnets.
Finally, in order to detect small-scale botnets with fewer
false alarms, Binbin et al. [6] used request bytes, response bytes,
and the number of packets as common features of an HTTP
connection to classify the similar connections generated by a
single bot. Their method can detect small-scale botnets, but
techniques such as random request delays or random packet
numbers can evade their detection method and produce high
false negative rates in the results. In addition, like the other
HTTP-based botnet detection approaches, normal programs
which generate periodic connections (e.g. auto-refreshing web
pages) can be detected as bots and increase the number of
false positives.
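The following is an added illustration, not code from the paper or from Binbin et al.: a minimal detector built on the three HTTP connection features named above (request bytes, response bytes, packet count), which groups similar connections per host/server pair and then checks each group for a regular connection interval. The traffic records are constructed inline and the host and server names are hypothetical. Run on that sample, it reproduces both weaknesses the paragraph describes: the bot that randomises its delay and packet count is missed (false negative), while a benign auto-refreshing page with uniform connections is flagged exactly like the fixed-interval bot (false positive).

```python
"""Added example (not from the paper): similarity grouping of HTTP connections
by request bytes, response bytes and packet count, followed by a periodicity
check on each group. All records below are constructed; names are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since capture start
    src: str         # monitored host (hypothetical name)
    dst: str         # contacted server (hypothetical name)
    req_bytes: int
    resp_bytes: int
    pkts: int


def bucket(value: int, width: int) -> int:
    """Coarsen a byte count so that small benign variations still group together."""
    return value // width


def group_connections(conns, size_width=64):
    """Group connections from one host to one server by the three flow features."""
    groups = defaultdict(list)
    for c in conns:
        key = (c.src, c.dst, bucket(c.req_bytes, size_width),
               bucket(c.resp_bytes, size_width), c.pkts)
        groups[key].append(c)
    return groups


def is_periodic(timestamps, max_cv=0.2, min_conns=4):
    """True when the inter-arrival times are nearly constant.

    cv = stddev / mean of the gaps: a fixed-interval poll gives cv close to 0,
    while randomised delays push cv well above the threshold."""
    if len(timestamps) < min_conns:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def detect(conns):
    """Return the (src, dst) pairs that have a group of similar, periodic connections."""
    flagged = set()
    for key, members in group_connections(conns).items():
        if is_periodic([c.ts for c in members]):
            flagged.add((key[0], key[1]))
    return flagged


def sample_traffic():
    """Constructed traffic: a fixed-interval bot, a bot with random delays and
    packet counts, and a benign auto-refreshing web page."""
    conns = []
    # Fixed-interval C&C polling: identical sizes, one request every 60 s.
    for i in range(8):
        conns.append(Conn(60.0 * i, "pc1", "cc-fixed", 310, 520, 9))
    # Randomised C&C polling: jittered delay and a varying packet count, so the
    # connections neither share a group nor show a stable interval.
    t = 0.0
    for gap, pk in zip([45, 130, 70, 170, 35, 95, 150], [7, 11, 9, 14, 8, 12, 10]):
        t += gap
        conns.append(Conn(t, "pc2", "cc-random", 310 + pk, 520, pk))
    # Benign auto-refresh page: also periodic and uniform in size.
    for i in range(8):
        conns.append(Conn(30.0 * i, "pc3", "news-site", 410, 2300, 12))
    return conns


if __name__ == "__main__":
    # Expected: pc1/cc-fixed (true positive) and pc3/news-site (false positive);
    # pc2/cc-random is missed (false negative).
    for pair in sorted(detect(sample_traffic())):
        print("periodic similar connections:", pair)
```

The grouping deliberately buckets byte counts, so a bot that only perturbs its request size slightly still lands in one group; what defeats this detector is varying the packet count (splitting the group) or the delay (raising the coefficient of variation), which is the evasion the paragraph refers to. The benign page is indistinguishable by these features alone, which is why additional filtering on the candidate groups is needed before raising an alarm.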
Each of the aforementioned methods comes with different
trade-offs between its false alarm rates and its efficiency in detecting
HTTP-based botnets with random patterns. Therefore, this paper
aims to propose new data filtering approaches to reduce the
false positive and false negative rates in the detection results.
Table (comparison of existing detection methods; cell-to-column assignment could not be recovered from the extraction): columns False Negative, False Positive and Efficiency in Random Pattern Detection; rows (proposed method) [3], [4], [6], [8], [9], [11]; extracted cell values, in order: High, Low, High, Low, High, High, High, Medium, High, Medium, High, Medium.
Figure (testbed topology; labels as extracted): VLAN 1, PC1, VLAN 2, C&C Server 1, PC2, VLAN 5, Analyser, PC3, VLAN 3, VLAN 6, PC4, C&C Server 2, VLAN 4.
Figure (packet timeline): packets P1, P2, P3, ..., Pn between Start Time and Stop Time, with intervals marked Normal Activities and Suspicious.
Table: bots installed on the testbed hosts

Infected Computer   Name of Bot   Method   C&C Connection Interval
PC1                 BlackEnergy   GET      Fixed
PC2                 HBot1         GET      Random
PC3                 HBot2         POST     Fixed
PC4                 HBot3         POST     Random

Table: collected packets, data preparation counts (HTS, GPS) and HAR, LAR and PAA results per infected computer

Infected by          Collected   Data Preparation      HAR      LAR      PAA
                     Packets     HTS        GPS        Result   Result   Result
PC1 (BlackEnergy)    74,594      27,264     3,837      192      48       48
PC2 (HBot1)          87,495      21,099     2,645      255      30       22
PC3 (HBot2)          70,943      23,702     3,523      201      100      34
PC4 (HBot3)          72,829      30,558     2,456      357      48       21
All Collected Data   305,861     102,623    12,461     1,005    226      125
VI. CONCLUSION
This paper proposed several approaches to reduce the false
alarm rate in HTTP-based botnet detection. The proposed
methods are evaluated on their false positive and false
negative rates and their efficiency in detecting botnets
with random intervals. The test results show that the proposed
method achieved higher efficiency in detecting HTTP-based
botnets. The very low false positive ratio obtained through the
use of the newly proposed HAR and LAR filters shows that the
proposed method is able to reduce false alarm rates and
successfully improves on current studies of HTTP-based botnet
detection.
ACKNOWLEDGMENTS

REFERENCES