Abstract
Identifying Botnet Command and Control (C&C) channels in network traffic remains a major difficulty because Botnet traffic is hard to tell apart from normal communications. In the early stage of Botnet C&C, moreover, the diverse behaviors are hard to detect and difficult to distinguish from usual fluctuations. In this study, we propose a novel approach for early Botnet detection by modeling the phenomenon of bursty traffic within the different behavioral phases of a bot. Since Botnet communication exhibits temporal interdependencies, we consider network traffic to be sequential and treat its analysis as a time-series task. Therefore, the Hybrid Hidden Markov Model (HHMM), a sequential profiling method, is applied to identify Botnet C&C behaviors as early as possible without losing detection capability, so that the impact of the Botnet can be reduced before it launches large-scale distributed attacks. Experimental results demonstrate that the proposed method not only outperforms other non-sequential methods but is also capable of detecting compromised hosts running bots in the early phase under an acceptable false positive rate.