DocumentCode :
3764974
Title :
A novel HTTP botnet traffic detection method
Author :
Rohit Tyagi; Tuhin Paul; B. S. Manoj; Thanudas B.
Author_Institution :
Indian Institution of Space Science and Technology, Thiruvananthapuram, India
fYear :
2015
Firstpage :
1
Lastpage :
6
Abstract :
In this paper we propose a novel technique for detecting HTTP botnet traffic, “N-gram based HTTP bot traffic detection”, that makes use of Deep Packet Inspection (DPI) of network packets to detect hosts infected with a bot. A botnet is a collection of compromised hosts or computers (bots) which are remotely controlled by its originator (botmaster) under a common command and control (C&C) infrastructure. The proposed botnet detection technique is capable of detecting bots that use encryption to hide the contents of their communication, which most of the existing DPI-based techniques fail to detect. It is also capable of detecting Fast Flux botnets, in which the C&C dynamically changes its IP address, which most of the existing techniques based on traffic flow analysis fail to detect. The proposed technique is based on the fact that the C&C responds with similar communication patterns, with only slight modifications, to an HTTP GET request made by a bot. The communication patterns do not vary unless the bot is updated. Performance observations using our proposed botnet detection technique show high accuracy of botnet detection.
Keywords :
"Servers","Encryption","Telecommunication traffic","Ports (Computers)","Computers","IP networks"
Publisher :
ieee
Conference_Titel :
India Conference (INDICON), 2015 Annual IEEE
Electronic_ISBN :
2325-9418
Type :
conf
DOI :
10.1109/INDICON.2015.7443675
Filename :
7443675