Title: HTTP botnet detection using hidden semi-Markov model with SNMP MIB variables

Authors: G. Kirubavathi Venkatesh; V. Srihari; R. Veeramani; R.M. Karthikeyan; R. Anitha

Addresses: Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India ' Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India ' Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India ' Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India ' Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India

Abstract: Botnet has become a prevalent platform for many malicious attacks and hence it is considered as a serious threat to internet security. A botmaster can control millions of compromised systems using command & control (C&C) infrastructure. At early time IRC protocol-based botnets were used by the attackers. Recently attackers have shifted their paradigm towards HTTP-based C&C server because of several advantages and in this situation, bots frequently request and download commands from web servers which are under the control of botmaster. Since web-based C&C bots try to blend into normal HTTP traffic, it is difficult to identify HTTP botnets. In this work, we propose a hidden semi-Markov model (HsMM) to characterise the normal network behaviour considering that most of the communications of web-based bots are based on TCP. We use TCP-based MIB variables as observed sequence and forward-backward algorithm for estimating model parameters to best account for an observed sequence. Several experiments are conducted to validate our model. The proposed system is lightweight and real time.

Keywords: HTTP botnets; SNMP MIB variables; hidden semi-Markov model; HsMM; internet security; HTTP bots; network behaviour; simple network management protocol; management information base; web-based bots; TCP; transmission control protocol.

DOI: 10.1504/IJESDF.2013.058653

International Journal of Electronic Security and Digital Forensics, 2013 Vol.5 No.3/4, pp.188 - 200

Received: 03 Feb 2012
Accepted: 24 May 2012

Published online: 26 Jul 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article