HTTP botnet detection using hidden semi-Markov model with SNMP MIB variables
by G. Kirubavathi Venkatesh; V. Srihari; R. Veeramani; R.M. Karthikeyan; R. Anitha
International Journal of Electronic Security and Digital Forensics (IJESDF), Vol. 5, No. 3/4, 2013

Abstract: Botnet has become a prevalent platform for many malicious attacks and hence it is considered as a serious threat to internet security. A botmaster can control millions of compromised systems using command & control (C&C) infrastructure. At early time IRC protocol-based botnets were used by the attackers. Recently attackers have shifted their paradigm towards HTTP-based C&C server because of several advantages and in this situation, bots frequently request and download commands from web servers which are under the control of botmaster. Since web-based C&C bots try to blend into normal HTTP traffic, it is difficult to identify HTTP botnets. In this work, we propose a hidden semi-Markov model (HsMM) to characterise the normal network behaviour considering that most of the communications of web-based bots are based on TCP. We use TCP-based MIB variables as observed sequence and forward-backward algorithm for estimating model parameters to best account for an observed sequence. Several experiments are conducted to validate our model. The proposed system is lightweight and real time.

Online publication date: Mon, 13-Jan-2014

The full text of this article is only available to individual subscribers or to users at subscribing institutions.

Existing subscribers:
Go to Inderscience Online Journals to access the Full Text of this article.

Pay per view:
If you are not a subscriber and you just want to read the full contents of this article, buy online access here.

Complimentary Subscribers, Editors or Members of the Editorial Board of the International Journal of Electronic Security and Digital Forensics (IJESDF):
Login with your Inderscience username and password:

    Username:        Password:         

Forgotten your password?

Want to subscribe?
A subscription gives you complete access to all articles in the current issue, as well as to all articles in the previous three years (where applicable). See our Orders page to subscribe.

If you still need assistance, please email