Web Botnet Detection Based on Flow Information

Abstract

Botnets are a combination of cyber attack, infection, and dissemination, and they become one of the most severe threats on the Internet. Cross the Internet, the infected host might launch any kind of attacks such as DDoS (Distributed Denial-of-Service) or Phishing. Comparing with botnets using other command-and-control (C&C) channels, web-based botnets are difficult to detect, because the C&C messages of web botnet are spread over HTTP protocol hiding behind normal flows. Most previous work tackles IRC-based botnet detection, while this study analyzes web botnet behaviors and develops a detection mechanism based on anomaly web flow traffic over an administrative network domain. Web bots exhibit routine and regular web connections which can be used to identify unusual web flow in a network. The experimental results show that the proposed approach can detect web botnets efficiently both in the simulated networks and a real campus network.