
Research On HTTP-Based Botnet C&C Traffic Detection Method

Posted on: 2020-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 2428330596975092
Subject: Information security

Abstract/Summary:
In an era of rapidly developing information technology, networks have made work and daily life more convenient, intelligent and efficient by promoting information sharing, the digital economy and the intelligent Internet of Things. They have also become the vehicle for serious economic losses caused by a growing number of botnet attacks, ransomware and other malicious activities, so cyber security and countermeasures deserve more attention. Eliminating network security threats and avoiding security incidents matters both for reducing economic losses and for building a secure cyberspace. Although the techniques behind malicious network behaviour are complex and diverse, the command and control (C&C) mechanism remains the key to carrying out attacks for most malware. The typical C&C malware is the botnet, which carries out a variety of malicious activities against Internet users and is one of the most serious threats to today's cyberspace.

There are many mature botnet detection methods at present. Most of them rely either on the cooperative characteristics of botnets or on the specific network behaviour of known botnets; few works focus on detecting botnet command and control traffic. As the confrontation escalates, malware has become far more sophisticated and hides its traffic features by using protocols already present on the target network or by encrypting its communication. To cope with these changes, researchers have proposed C&C traffic detection, which has become a powerful means of detecting botnets.

This thesis studies C&C traffic detection for HTTP-based botnets. First, it analyses botnet C&C topologies, C&C protocols and the methods used to hide and obfuscate C&C communication, and summarises their advantages and disadvantages. Second, building on existing research on botnet C&C traffic detection, it takes the technical defects of botnet C&C communication as its point of attack and identifies characteristics of HTTP request packets and DNS response packets that botnets find difficult to imitate successfully; the resulting detection method combines anomaly detection with real-time detection. Third, on the basis of this method, it designs and implements a detection system for HTTP-based botnet C&C traffic. The system consists of an anomaly detection part and a real-time detection part that run in parallel and cooperate. In anomaly detection, three different machine learning algorithms analyse the extracted features so that previously unknown C&C traffic can be identified. In real-time detection, four different detection techniques check C&C traffic in real time against known data sources and known characteristics of botnet C&C communication. The results show that the system performs well, detecting botnet C&C connections with a true positive rate of 86% and a false positive rate below 15%.
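The abstract does not say which HTTP request characteristics the thesis uses or which four real-time checks and three learning algorithms it selected, so the following is an added illustration of the two-track design, not the thesis's own code. It runs a real-time track (per-request rule checks against constructed blocklists and protocol properties that bots commonly get wrong, such as a bare-IP Host header paired with a non-browser User-Agent) and an anomaly track (per client-host flow statistics: inter-arrival periodicity and a header-order signature never produced by a browser-like client) over constructed sample requests. The hosts, User-Agent strings, blocklists and the 0.15 coefficient-of-variation threshold are all assumptions chosen for the example.

```python
"""Two-track HTTP C&C detection over constructed sample requests.

Real-time track: per-request rule checks against known indicators and
protocol properties that bots commonly get wrong.
Anomaly track: per (client, host) flow statistics that only fire once
several requests are seen (beacon periodicity, unseen header order).
Every host, User-Agent, blocklist entry and threshold here is an
illustrative assumption, not a value taken from the thesis.
"""
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructed blocklists standing in for a threat-intelligence feed.
KNOWN_BAD_UA = {"Mozilla/4.0"}
KNOWN_BAD_HOSTS = {"c2.bad-example.test"}

BROWSER = ("GET {path} HTTP/1.1\r\nHost: www.example-news.test\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:70.0) Firefox/70.0\r\n"
           "Accept: text/html,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\n"
           "Connection: keep-alive\r\n\r\n")
BOT = ("GET /gate.php?id={tok} HTTP/1.1\r\nHost: 203.0.113.7\r\n"
       "User-Agent: Mozilla/4.0\r\n\r\n")

# Constructed traffic: (epoch seconds, client IP, raw HTTP request head).
# The browser session has irregular timing; the bot beacons every 60 s.
SAMPLE_REQUESTS = [
    (1000.0, "10.0.0.5", BROWSER.format(path="/")),
    (1003.7, "10.0.0.5", BROWSER.format(path="/world/")),
    (1041.2, "10.0.0.5", BROWSER.format(path="/world/story-42")),
    (1055.9, "10.0.0.5", BROWSER.format(path="/sport/")),
    (1000.0, "10.0.0.9", BOT.format(tok="a1b2")),
    (1060.0, "10.0.0.9", BOT.format(tok="a1b2")),
    (1120.0, "10.0.0.9", BOT.format(tok="a1b2")),
    (1180.0, "10.0.0.9", BOT.format(tok="a1b2")),
]


def parse_request(raw):
    """Split a raw request head into request line and ordered header list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version, "headers": headers}


def extract_features(req):
    """Per-request features: header presence/order, Host shape, UA shape."""
    names = [n for n, _ in req["headers"]]
    hdr = dict(req["headers"])
    host = hdr.get("host", "")
    ua = hdr.get("user-agent", "")
    return {
        "host": host,
        "ua": ua,
        "version": req["version"],
        "header_order": tuple(names),          # order is hard for bots to fake
        "has_host": "host" in hdr,
        "host_is_ip": bool(IPV4_RE.match(host)),
        # Crude "looks like a real browser" test; assumption for the example.
        "ua_browser_like": ua.startswith("Mozilla/5.0")
        and any(t in ua for t in ("Firefox/", "Chrome/", "Safari/")),
    }


def realtime_checks(feat):
    """Rule-based track: fires immediately on a single request."""
    findings = []
    if feat["host"] in KNOWN_BAD_HOSTS:
        findings.append("host on blocklist")
    if feat["ua"] in KNOWN_BAD_UA:
        findings.append("user-agent on blocklist")
    if feat["version"] == "HTTP/1.1" and not feat["has_host"]:
        findings.append("HTTP/1.1 request without Host header")
    if feat["host_is_ip"] and not feat["ua_browser_like"]:
        findings.append("bare-IP Host with non-browser User-Agent")
    return findings


def beacon_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; ~0 means periodic."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def detect(requests, beacon_cv_threshold=0.15):
    """Return {(client, host): [finding, ...]} for every flow in `requests`."""
    flows = defaultdict(list)
    browser_orders = set()   # header orders seen from browser-like clients
    for ts, client, raw in requests:
        feat = extract_features(parse_request(raw))
        flows[(client, feat["host"])].append((ts, feat))
        if feat["ua_browser_like"]:
            browser_orders.add(feat["header_order"])
    results = {}
    for key, items in flows.items():
        findings = []
        for _, feat in items:
            findings += ["realtime: " + r for r in realtime_checks(feat)]
            if feat["header_order"] not in browser_orders:
                findings.append("anomaly: header order never seen from a browser-like client")
        cv = beacon_cv([ts for ts, _ in items])
        if cv is not None and cv < beacon_cv_threshold:
            findings.append(f"anomaly: periodic beaconing (cv={cv:.2f})")
        results[key] = list(dict.fromkeys(findings))   # dedupe, keep order
    return results


if __name__ == "__main__":
    for flow, findings in detect(SAMPLE_REQUESTS).items():
        print(flow, findings or "clean")
```

The two tracks deliberately differ in latency: the rule checks fire on the first request, while the beacon and header-order checks need a handful of requests per flow, which is the trade-off the thesis's parallel design addresses. Note that the header-order baseline here is learned from the same capture, so a bot that spoofs a complete browser header set would enter the baseline; in practice the baseline is built from traffic known to be benign.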
Keywords/Search Tags:cyberspace security, HTTP-based botnet, C&C traffic detection, anomaly detection, real-time detection