Title :
Detecting encrypted botnet traffic
Author :
Han Zhang ; Papadopoulos, Christos ; Massey, Dan
Author_Institution :
Comput. Sci. Dept., Colorado State Univ., Fort Collins, CO, USA
Abstract :
Bot detection methods that rely on deep packet inspection (DPI) can be foiled by encryption. Encryption, however, increases entropy. This paper investigates whether adding high-entropy detectors to an existing bot detection tool that uses DPI can restore some of the bot visibility. We present two high-entropy classifiers, and use one of them to enhance BotHunter. Our results show that while BotHunter misses about 50% of the bots when they employ encryption, our high-entropy classifier restores most of its ability to detect bots, even when they use encryption.
Keywords :
computer network security; cryptography; entropy; inspection; peer-to-peer computing; telecommunication traffic; BotHunter enhancement; DPI; advanced hybrid peer-to-peer botnet; bot detection methods; bot detection tool; deep packet inspection; encrypted botnet traffic detection; high-entropy classifiers; high-entropy detectors; Detectors; Encryption; Entropy; IP networks; Malware; Payloads
Conference_Title :
Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on
Conference_Location :
Turin
Print_ISBN :
978-1-4799-0055-8
DOI :
10.1109/INFCOMW.2013.6562912