Title :
Automatically Generating Payload-Based Models for Botnet Detection
Author :
Chung-Nan Lee;Fred Chou;C.M. Chen
Author_Institution :
Dept. of Comput. Sci. &
Abstract :
In recent years, botnets have become a popular technique for committing cybercrime because they are hard to prevent and can easily cause devastating losses. Therefore, in this paper, we propose a novel approach that automatically generates effective payload-based models purely from the traffic of actual bot instances instead of from signatures hand-tuned by human experts. In the learning phase, we group the packets of previously collected botnet traffic and benign traffic according to their payload size and extract the signatures in the payload in order to generate the payload-based models. We then identify the high-quality signatures via the information gain ratio and the probability, which reduces the size of the models. During the matching phase, the proposed approach uses these payload-based models to check each incoming packet. Moreover, these models can efficiently discriminate malicious botnet traffic from benign traffic since the approach does not perform any correlation between different packets. The proposed approach was evaluated with several real-world network traces. Experimental results demonstrate that the proposed approach can detect botnet traffic traces successfully (about 96.4%) with high efficiency and an acceptably low false alarm rate (about 0.9%).
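As an added illustration (not code from the paper), the following Python sketch follows the learning and matching phases the abstract describes: packets are grouped by payload size, fixed-length byte signatures are extracted from the bot payloads, and a signature is kept only if its probability of appearing in bot packets and its information gain ratio against the bot/benign label both clear a threshold. The sample traffic, the 4-byte signature length, the thresholds, and the reading of "probability" as the fraction of bot packets carrying a signature are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample traffic (payload, is_bot); not from the paper's traces.
PACKETS = [
    (b"NICK bot1\r\nJOIN #c\r\n", True),
    (b"NICK bot2\r\nJOIN #c\r\n", True),
    (b"NICK bot3\r\nJOIN #c\r\n", True),
    (b"NICK user\r\nJOIN #x\r\n", False),  # benign IRC client, same payload size
    (b"GET /a.html HTTP/1.1", False),       # benign HTTP, same payload size
]

def entropy(labels):
    """Binary entropy (bits) of a list of bot/benign labels."""
    p = sum(labels) / len(labels) if labels else 0.0
    return -sum(q * math.log2(q) for q in (p, 1 - p) if q > 0)

def gain_ratio(group, sig):
    """Information gain ratio of the split 'payload contains sig' on the label."""
    hit = [b for pl, b in group if sig in pl]
    miss = [b for pl, b in group if sig not in pl]
    ph, pm = len(hit) / len(group), len(miss) / len(group)
    gain = entropy([b for _, b in group]) - ph * entropy(hit) - pm * entropy(miss)
    split = -sum(q * math.log2(q) for q in (ph, pm) if q > 0)
    return gain / split if split else 0.0

def build_models(packets, n=4, min_ratio=0.5, min_prob=0.5):
    """Learning phase: per payload size, keep n-byte signatures that are common
    in bot packets (probability) and discriminative (information gain ratio)."""
    groups = defaultdict(list)
    for pl, b in packets:
        groups[len(pl)].append((pl, b))
    models = {}
    for size, group in groups.items():
        bots = [pl for pl, b in group if b]
        if not bots:
            continue
        cands = {pl[i:i + n] for pl in bots for i in range(len(pl) - n + 1)}
        keep = {sig for sig in cands
                if sum(sig in pl for pl in bots) / len(bots) >= min_prob
                and gain_ratio(group, sig) >= min_ratio}
        if keep:
            models[size] = keep
    return models

def is_bot(models, payload):
    """Matching phase: judge one packet alone, no cross-packet correlation."""
    return any(sig in payload for sig in models.get(len(payload), ()))
```

With these inputs the shared IRC tokens `NICK` and `JOIN` are discarded as low-quality signatures (they also occur in the benign IRC packet), while bot-only fragments such as `#c\r\n` survive and match a previously unseen bot nickname of the same payload size.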
Keywords :
"Payloads","Servers","Computer crime","Databases","Computer architecture","Protocols","Load modeling"
Conference_Titel :
Smart City/SocialCom/SustainCom (SmartCity), 2015 IEEE International Conference on
DOI :
10.1109/SmartCity.2015.206