HTTP botnet detection using hidden semi-Markov model with SNMP MIB variables
Online publication date: Mon, 13-Jan-2014
by G. Kirubavathi Venkatesh; V. Srihari; R. Veeramani; R.M. Karthikeyan; R. Anitha
International Journal of Electronic Security and Digital Forensics (IJESDF), Vol. 5, No. 3/4, 2013
Abstract: Botnets have become a prevalent platform for many malicious attacks and are therefore considered a serious threat to internet security. A botmaster can control millions of compromised systems through a command and control (C&C) infrastructure. Early botnets used IRC-based C&C. Attackers have since shifted to HTTP-based C&C servers because of several advantages; in this setting, bots frequently request and download commands from web servers under the botmaster's control. Because web-based C&C bots try to blend into normal HTTP traffic, HTTP botnets are difficult to identify. In this work, we propose a hidden semi-Markov model (HsMM) that characterises normal network behaviour, given that most communication of web-based bots is carried over TCP. We use TCP-based MIB variables as the observed sequence and the forward-backward algorithm to estimate the model parameters that best account for an observed sequence. Several experiments are conducted to validate the model. The proposed system is lightweight and operates in real time.
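As an added illustration of the scoring side of this approach (not code from the paper), the following explicit-duration forward pass computes how likely a window of quantised tcpActiveOpens deltas is under a fixed "normal" HsMM and flags improbable windows. The model parameters, bin edges, threshold and sample windows are all constructed assumptions; parameter estimation with forward-backward is not shown, and the recurrence assumes the last segment ends exactly at the window boundary.

```python
"""Hidden semi-Markov model (HsMM) scoring of polled SNMP TCP-MIB counters.

Windows of quantised tcpActiveOpens deltas are scored against a model of
normal host behaviour; windows that are improbable under that model are
flagged. All parameters and samples below are constructed for illustration.
"""
import math

# Observation symbols: quantised delta of tcpActiveOpens per poll interval.
# 0 = idle (<2 new connections), 1 = moderate, 2 = burst (constructed bins).
def quantize(counter_samples):
    deltas = [b - a for a, b in zip(counter_samples, counter_samples[1:])]
    return [0 if d < 2 else 1 if d < 10 else 2 for d in deltas]

# Constructed "normal" HsMM: state 0 = idle, state 1 = active browsing.
PI = [0.7, 0.3]                          # initial state probabilities
A = [[0.0, 1.0], [1.0, 0.0]]             # transitions (no self-loops in an HsMM)
DUR = [[0.1, 0.2, 0.3, 0.4],             # p_s(d) for d = 1..4: idle lasts long
       [0.5, 0.3, 0.15, 0.05]]           # active bursts are short
EMIT = [[0.9, 0.09, 0.01],               # b_s(o): idle rarely opens connections
        [0.1, 0.6, 0.3]]

def forward_loglik(obs):
    """Explicit-duration forward pass: log P(obs | model).
    alpha[t][s] = P(o_1..o_t, a segment in state s ends exactly at t)."""
    T, S, D = len(obs), len(PI), len(DUR[0])
    alpha = [[0.0] * S for _ in range(T + 1)]
    for t in range(1, T + 1):
        for s in range(S):
            for d in range(1, min(D, t) + 1):
                # segment entry: either the initial state or a transition in
                if t == d:
                    entry = PI[s]
                else:
                    entry = sum(alpha[t - d][r] * A[r][s] for r in range(S))
                emit = math.prod(EMIT[s][o] for o in obs[t - d:t])
                alpha[t][s] += entry * DUR[s][d - 1] * emit
    return math.log(sum(alpha[T]))

def is_anomalous(obs, threshold=-12.0):
    """Flag a window whose log-likelihood under the normal model is too low."""
    return forward_loglik(obs) < threshold

if __name__ == "__main__":
    normal = [0, 0, 0, 1, 2, 0, 0, 0, 0, 1, 0, 0]   # constructed browsing window
    beacon = [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0]   # constructed periodic polling
    for name, w in (("normal", normal), ("beacon", beacon)):
        print(f"{name}: loglik={forward_loglik(w):.2f} anomalous={is_anomalous(w)}")
```

The periodic window scores far lower than the bursty one because the idle state rarely emits new connections and the active state rarely persists, so regular polling is improbable under the model of normal behaviour.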