Botnets are networks composed of a set of compromised machines, called bots, that are remotely controlled by a botmaster. They pose a threat to network communications and applications. A botnet relies on its command and control (C2) communication channel for performing attacks. C2 traffic occurs prior to any attack; hence, detecting a botnet’s traffic helps in detecting the bots before any real attack happens. Recently, the HTTP-based botnet threat has become a serious challenge for security experts, as bots can be distributed quickly and stealthily. HTTP bots periodically connect to particular web pages or URLs to get commands and updates from the botmaster. In fact, this identifiable periodic connection pattern has been used to detect HTTP botnets. This paper proposes an idea for identifying bots that exhibit a non-periodic nature as well as normal traffic that exhibits a periodic nature. The proposed method reduces the false positive rate and increases the detection rate. To that end, a set of traffic features is taken from many detection methods, and feature selection is performed on these features. Feature selection helps in enhancing the detection rate of bot traffic in the network. Principal Components Analysis (PCA) is chosen for performing feature selection. The top-ranked features from PCA are added to existing work. The results show an improvement in detection rate and a reduction in false positive rate.
Harsha, T., Asha, S., & Soniya, B. (2016). Feature selection for effective botnet detection based on periodicity of traffic. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10063 LNCS, pp. 471–478). Springer Verlag. https://doi.org/10.1007/978-3-319-49806-5_26