  • DocumentCode
    255286
  • Title
    Fast-flux botnet detection from network traffic
  • Author
    Paul, T. ; Tyagi, R. ; Manoj, B.S. ; Thanudas, B.
  • Author_Institution
    Indian Inst. of Space Sci. & Technol., Thiruvananthapuram, India
  • fYear
    2014
  • fDate
    11-13 Dec. 2014
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    HTTP botnets have been a major threat to cyber security in recent years. The fast-flux technique can be detrimental to botnet detection techniques based on traffic analysis, due to its ability to hide bot traffic among normal traffic. In this paper we propose a new approach to detect hosts infected by HTTP bots. Our technique detects not only traditional HTTP botnets but also fast-flux botnet traffic by analyzing network traffic data. The first stage of this approach is to cluster similar packets from the traffic data irrespective of their origin, so that traffic from a single botnet is separated out into one of the clusters. The second stage is to analyze the timing of the packets using power spectral density to identify any hidden patterns present in them. If similar packets belonging to many destination addresses arrive following a pattern, the traffic can be considered suspicious and the host that originates these packets may be infected by a bot with a fast-flux command and control server. Our technique can be easily applied to analyze the traffic of a single personal computer as well as a group of computers in an enterprise. It detected malicious packets with a high sensitivity of 95.8% for traffic of more than five hours and a low false positive rate of 1.6% at worst.
  • Keywords
    data analysis; invasive software; microcomputers; network servers; telecommunication traffic; transport protocols; HTTP botnet detection; destination addresses; fast-flux botnet detection technique; fast-flux botnet traffic; fast-flux command and control server; hidden pattern identification; network traffic data analysis; packet clustering; personal computer; power spectral density; Computers; IP networks; Malware; Sensitivity; Servers; Telecommunication traffic; Timing; Botnet; botnet detection; clustering; fast-flux; power spectral density
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    India Conference (INDICON), 2014 Annual IEEE
  • Conference_Location
    Pune
  • Print_ISBN
    978-1-4799-5362-2
  • Type
    conf
  • DOI
    10.1109/INDICON.2014.7030393
  • Filename
    7030393