Detecting bots using multi-level traffic analysis

  • Stevanovic M
  • Pedersen J
Abstract

Botnets, as networks of compromised "zombie" computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified in local and enterprise networks in an accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three protocols widely considered to be the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning to identify patterns of botnet network traffic. The method has been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse benign applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols, as well as promising performance in identifying potentially compromised machines. Future work will be devoted to optimizing the traffic analysis and correlating the findings from the three analysis levels in order to increase the accuracy of identifying compromised clients within the network.

Citation (APA)

Stevanovic, M., & Pedersen, J. M. (2016). Detecting bots using multi-level traffic analysis. International Journal on Cyber Situational Awareness, 1(1), 182–209. https://doi.org/10.22619/ijcsa.2016.100109