Botnet Detection Through Fine Flow Classification

The prevalence of botnets, which is defined as a group of infected machines, have become the predominant factor among all the internet malicious attacks such as DDoS, Spam, and Click fraud. The number of botnets is steadily increasing, and the characteristic C&C channels have evolved from IRC to HTTP, FTP, and DNS, etc., and from the centralized structure to P2P and Fast Flux Network Services. In counter to the escalations of the botnet developments, the internet security community have designed many botnet detection and disruption systems which can be summarized into two categories: Honeynet-based and Passive Traffic Monitoring, while the Passive Traffic Monitoring could be further divided into Behavior-based, DNS-based, and Mining-based techniques. Among all the Intrusion Detection System designs, the mining-based method, operated on the flow level internet traffic, has shown some promising resilience against the botnets evolutions. A preliminary experiment has been conducted in this paper observing the discriminating capabilities of the Hierarchical and K mean clustering algorithms and exploring a RTT adjustment procedure to mix the botnet trace with the background internet traffic.