• DocumentCode
    2761689
  • Title
    Detecting Botnets Using Command and Control Traffic
  • Author
    AsSadhan, Basil ; Moura, José M F ; Lapsley, David ; Jones, Christine ; Strayer, W. Timothy
  • Author_Institution
    Electr. & Comput. Eng. Dept., Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2009
  • fDate
    9-11 July 2009
  • Firstpage
    156
  • Lastpage
    162
  • Abstract
    Botnets pose a significant threat to network-based applications and communications; it is believed that 16-25% of the computers connected to the Internet are members of a botnet. The detection of botnets is essential to prevent further damage. We approach this problem by monitoring the command and control (C2) communication traffic, as this reveals the botnet structure before any real harm is caused. We observe that C2 traffic exhibits a repeated pattern behavior. This is due to the nature of the pre-programmed behavior of bots. We explore this behavior and look for periodic components in C2 traffic. We use periodograms to study the periodic behavior, and apply Walker's large sample test to detect whether the traffic has a significant periodic component or not; if it does, then it is bot traffic. This test is independent of the structure and communication protocol used in the botnet, and does not require any a priori knowledge of a certain botnet behavior. Since we only look at the aggregate traffic behavior, it is also more scalable than other techniques that examine individual packets or track the communication flows of different hosts. We apply this test to two variants of botnet C2 communication traffic generated by SLINGbot, and show that the traffic in both variants exhibits periodic behavior. We compare the results we get on botnet C2 communication traffic to the ones we get on real traffic that is obtained from a secured enterprise network packet trace.
  • Keywords
    Internet; telecommunication security; telecommunication traffic; Internet; botnets detection; command and control communication traffic; communication protocol; network-based applications; network-based communications; Aggregates; Application software; Command and control systems; Communication system traffic control; Computer networks; Computerized monitoring; IP networks; Protocols; Telecommunication traffic; Testing; Botnet detection; SLINGbot; Walker large sample test; discrete time series analysis; periodogram;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Computing and Applications, 2009. NCA 2009. Eighth IEEE International Symposium on
  • Conference_Location
    Cambridge, MA
  • Print_ISBN
    978-0-7695-3698-9
  • Electronic_ISBN
    978-0-7695-3698-9
  • Type
    conf
  • DOI
    10.1109/NCA.2009.56
  • Filename
    5190367