Periodicity classification of HTTP traffic to detect HTTP Botnets

Recently, the HTTP based Botnet threat has become a serious challenge for security experts as Bots can be distributed quickly and stealthily. With the HTTP protocol, Bots hide their communication flows within the normal HTTP flows making them more stealthy and difficult to detect. Furthermore, since the HTTP service is being widely used by the Internet applications, it is not easy to block this service as a precautionary measure and other techniques are required to detect and deter the Bot menace. The HTTP Bots periodically connect to particular web pages or URLs to get commands and updates from the Botmaster. In fact, this identifiable periodic connection pattern has been used in several studies as a feature to detect HTTP Botnets. In this paper, we review the current studies on detection of periodic communications in HTTP Botnets as well as the shortcomings of these methods. Consequently, we propose three metrics to be used in identifying the types of communication patterns according to their periodicity. Test results show that in addition to detecting HTTP Botnet communication patterns with 80% accuracy, the proposed method is able to efficiently classify communication patterns into several periodicity categories.