
HTTP botnet detection using hidden semi-Markov model with SNMP MIB variables

Published online. International Journal of Electronic Security and Digital Forensics, pp. 188-200. https://doi.org/10.1504/IJESDF.2013.058653

Botnets have become a prevalent platform for many malicious attacks and are therefore considered a serious threat to Internet security. A botmaster can control millions of compromised systems through a command and control (C&C) infrastructure. Early botnets used IRC-based C&C; more recently attackers have shifted to HTTP-based C&C servers because of several advantages, and in that setting the bots periodically request and download commands from web servers under the botmaster's control. Because web-based C&C traffic is designed to blend into normal HTTP traffic, HTTP botnets are difficult to identify. In this work we propose a hidden semi-Markov model (HsMM) that characterises normal network behaviour, on the basis that most communication of web-based bots is carried over TCP. We use TCP-related SNMP MIB variables as the observed sequence and the forward-backward algorithm to estimate the model parameters that best account for an observed sequence. Several experiments are conducted to validate the model. The proposed system is lightweight and runs in real time.
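As an added illustration (not code from the paper), the Python sketch below shows the core computation the abstract describes: an explicit-duration (hidden semi-Markov) model of normal TCP behaviour, scored with the forward recursion over a sequence of quantised SNMP MIB counter deltas, so that a window whose per-interval log-likelihood falls well below that of normal traffic is flagged. Everything concrete here is an assumption made for the example: the two-state IDLE/ACTIVE model and its hand-set parameters (the paper estimates its parameters from traffic with the forward-backward algorithm; here they are fixed by hand), the use of a single MIB variable (the per-poll increase of tcpActiveOpens) quantised into three symbols, the detection threshold, and both sample windows, which are constructed rather than captured.

```python
import math
from itertools import product

# Constructed two-state explicit-duration HMM of "normal" TCP behaviour.
# Parameters are hand-set for illustration, not estimated from traffic.
IDLE, ACTIVE = 0, 1
NORMAL_MODEL = {
    "pi": [0.5, 0.5],                    # initial state distribution
    "trans": [[0.0, 1.0], [1.0, 0.0]],   # no self-transitions: segments alternate
    # emission over symbols 0/1/2 = none / few / many new outbound TCP connections
    "emit": [[0.95, 0.04, 0.01],         # IDLE
             [0.02, 0.50, 0.48]],        # ACTIVE
    # explicit duration distributions p_j(d) for d = 1..8 polling intervals
    "dur": [[0.02, 0.03, 0.05, 0.10, 0.15, 0.20, 0.20, 0.25],   # IDLE: long
            [0.02, 0.28, 0.30, 0.20, 0.10, 0.05, 0.03, 0.02]],  # ACTIVE: short
}


def quantize(opens_delta):
    """Map the per-interval increase of tcpActiveOpens to a symbol 0, 1 or 2."""
    if opens_delta <= 0:
        return 0
    return 1 if opens_delta <= 3 else 2


def _logsumexp(xs):
    m = max(xs, default=float("-inf"))
    if m == float("-inf"):
        return m
    return m + math.log(sum(math.exp(x - m) for x in xs))


def forward_loglik(model, obs):
    """log P(obs) under the explicit-duration HMM via the forward recursion.
    The final segment is right-censored (survivor function instead of p_j(d)),
    so P(obs) summed over all symbol sequences of one length equals 1."""
    pi, A, B, P = model["pi"], model["trans"], model["emit"], model["dur"]
    n, D, T = len(pi), len(P[0]), len(obs)
    NEG = float("-inf")
    # survivor function S_j(d) = P(duration >= d), stored at index d-1
    S = [[sum(P[j][d:]) for d in range(D)] for j in range(n)]
    # alpha[t][j] = log P(obs[:t], a segment in state j ends exactly at t)
    alpha = [[NEG] * n for _ in range(T + 1)]

    def log_entry(start, j):            # log P(obs before start, state j begins at start)
        if start == 1:
            return math.log(pi[j]) if pi[j] > 0 else NEG
        return _logsumexp([alpha[start - 1][i] + math.log(A[i][j])
                           for i in range(n) if A[i][j] > 0])

    def log_segment(j, end, d, final):  # one segment of state j covering end-d+1 .. end
        start = end - d + 1
        dur = S[j][d - 1] if final else P[j][d - 1]
        if dur == 0.0:
            return NEG
        emis = sum(math.log(B[j][o]) for o in obs[start - 1:end])
        return log_entry(start, j) + math.log(dur) + emis

    for t in range(1, T):
        for j in range(n):
            alpha[t][j] = _logsumexp([log_segment(j, t, d, False)
                                      for d in range(1, min(D, t) + 1)])
    return _logsumexp([log_segment(j, T, d, True)
                       for j in range(n) for d in range(1, min(D, T) + 1)])


def window_score(model, opens_deltas):
    """Mean log-likelihood per polling interval; lower means less like normal traffic."""
    obs = [quantize(x) for x in opens_deltas]
    return forward_loglik(model, obs) / len(obs)


def is_anomalous(model, opens_deltas, threshold=-0.75):
    """Flag a window whose per-interval log-likelihood falls below the threshold
    (an assumed value here; in practice it is set from scores of clean traffic)."""
    return window_score(model, opens_deltas) < threshold


def total_probability_mass(model, length):
    """Consistency check: P(obs) summed over every symbol sequence of this length is 1."""
    n_sym = len(model["emit"][0])
    return sum(math.exp(forward_loglik(model, list(seq)))
               for seq in product(range(n_sym), repeat=length))


# Constructed sample windows: per-poll deltas of tcpActiveOpens, 20 polls each.
NORMAL_WINDOW = [2, 5, 1, 0, 0, 0, 0, 0, 0, 1, 3, 6, 2, 0, 0, 0, 0, 0, 0, 0]  # bursty browsing
BEACON_WINDOW = [1, 0, 0, 0, 0] * 4   # one new connection every 5th poll: C&C polling

if __name__ == "__main__":
    for name, win in (("normal", NORMAL_WINDOW), ("beacon", BEACON_WINDOW)):
        print(f"{name}: score={window_score(NORMAL_MODEL, win):.3f} "
              f"anomalous={is_anomalous(NORMAL_MODEL, win)}")
```

The beacon window is penalised on two fronts: the model has to explain either one-poll ACTIVE segments, which the hand-set duration distribution makes rare, or isolated connection openings inside IDLE segments, which the IDLE emission distribution makes rare. Real deployments would poll several TCP MIB counters, quantise them jointly, and learn the duration and emission tables with the forward-backward algorithm as the paper does; the forward pass above is also the quantity that estimation procedure maximises.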

Keywords

botnet, HTTP botnet, SNMP MIB variables, hidden semi-Markov model, HsMM
