ZUNINO SUAREZ Alejandro Octavio
Book chapters
Botnet Behavior Detection using Network Synchronism
GARCIA, S.; ZUNINO, A.; CAMPO, M.
Privacy, Intrusion Detection and Response: Technologies for Protecting Networks
Place: Hershey PA; Year: 2011; pp. 122-144
The diversity and dynamism of botnets challenge detection and classification algorithms that depend heavily on static or protocol-dependent features. Several methods with promising results have been proposed using behavior-based approaches. We analyzed the most inherent characteristics of botnets and bots, such as synchronism and network load within specific time windows, in order to detect them more efficiently. Without relying on any specific protocol, our proposed approach detects infected computers by clustering the network behavioral characteristics of bots using the Expectation-Maximization algorithm. By analyzing several bot and non-botnet network captures and performing a detailed analysis of error rates, we obtained an encouraging false positive rate of 0.7%, which shows that bot traffic can be accurately separated by our approach.