Bots C&C Traffic Detection Using Decision Tree Based Classifier

Abstract

In recent years, the root cause of many security problems on the Internet are botnets. A botnet is a network of compromised computers under the control of bot code. When accessing a bot infected sites, these bot code are installed into the victim machine. Once the bot code affects a victim machine, it became part of the botnet. These botnets are the major cause of cyber-crimes such as spamming, phishing, click fraud etc. Bot is a type of malware and it differ from other class of malware is its command and control (C&C) channels. Thus the effective way to detect botnet is based on the command and control channels. This work presents a system that detects botnet based on the statistical features of the communication between bot and its botmasters without performing packet payload inspection. The proposed system uses machine learning technique to identify the features of the command and control channel. Based on the extracted feature a model is created to detect unknown bot traffic. Both classification and clustering methods are used to create the models and the detection accuracy and false positive rate of these methods are compared. The detection accuracy of the model is evaluated on standard real dataset, CTU-13 dataset. The experimental result shows that, both algorithms provide very good detection rate in CTU-13 dataset. Also, the false positive rate of the model is evaluated using another standard dataset, LBNL dataset. The evaluation results shows that the classification algorithm has less false positive rate compared to clustering.