Publication

Abstract : Botnet has become a prevalent platform for many malicious attacks and hence it is considered as a serious threat to internet security. A botmaster can control millions of compromised systems using command & control C&C infrastructure. At early time IRC protocol-based botnets were used by the attackers. Recently attackers have shifted their paradigm towards HTTP-based C&C server because of several advantages and in this situation, bots frequently request and download commands from web servers which are under the control of botmaster. Since web-based C&C bots try to blend into normal HTTP traffic, it is difficult to identify HTTP botnets. In this work, we propose a hidden semi-Markov model HsMM to characterise the normal network behaviour considering that most of the communications of web-based bots are based on TCP. We use TCP-based MIB variables as observed sequence and forward-backward algorithm for estimating model parameters to best account for an observed sequence. Several experiments are conducted to validate our model. The proposed system is lightweight and real time.