C&C Botnet Detection over SSL

Nowadays botnets are playing an important role in the panorama of cybercrime. These cyber weapons are used to perform malicious activities such financial frauds, cyber-espionage, etc... using infected computers. This threat can be mitigated by detecting C&C channels on the network. In literature many solutions have been proposed. However, botnet are becoming more and more complex, and currently they are trying to move towards encrypted solutions. In this work, we have designed, implemented and validated a method to detect botnet C&C communication channels over SSL, the security protocol standard de-facto. We provide a set of SSL features that can be used to detect malicious connections. Using our features, the results indicate that we are able to detect, what we believe to be, a botnet and malicious connections. Our system can also be considered privacy-preserving and lightweight, because the payload is not analyzed and the portion of analyzed traffic is very small. Our analysis also indicates that 0.6% of the SSL connections were broken. Limitations of the system, its applications and possible future works are also discussed.