Title :
Centralized Botnet Detection by Traffic Aggregation
Author :
Wang, Tao ; Yu, Shun-zheng
Author_Institution :
Dept. of Electron. & Commun. Eng., SUN YAT-SEN Univ., Guangzhou, China
Abstract :
Botnets with a centralized architecture provide a simple, low-latency, anonymous and efficient real-time communication platform for botnet controllers. To our knowledge, most of the recently detected large-scale botnets are based on a centralized structure using HTTP or customized protocols. Detecting centralized botnets therefore greatly improves control of unwanted traffic. The main contribution of this study is the development of a common detection mechanism aimed at centralized botnets. In this work we investigate the intrinsic characteristics that arise from the distributed yet bursty nature of centralized botnets. Our study shows that there is great similarity and synchronization among the behaviors and the command and control (C&C) traffic of the bots, because the bots are controlled to operate according to a programmed schedule. First, we determine whether groups of flows are suspicious by evaluating their payload similarity and sequence correlation. We then monitor and keep track of the collective and simultaneous behaviors of the suspicious groups of hosts. As shown by our experiments, the proposed method can detect and hold back centralized botnets effectively before they seriously affect normal operation of a wide-scale network.
Keywords :
computer networks; synchronisation; telecommunication control; telecommunication network topology; telecommunication traffic; transport protocols; HTTP; botnet controllers; centralized Botnet detection; command-and-control traffic; customized protocols; payload similarity; real-time communication platform; sequence correlation; synchronization; traffic aggregation; unwanted traffic control; Centralized control; Command and control systems; Communication system traffic control; Distributed processing; Internet; Large-scale systems; Peer to peer computing; Performance evaluation; Protocols; Sun; Bot; Centralized Botnet; Command and Control (C&C); Similarity and Synchronization;
Conference_Title :
Parallel and Distributed Processing with Applications, 2009 IEEE International Symposium on
Conference_Location :
Chengdu
Print_ISBN :
978-0-7695-3747-4
DOI :
10.1109/ISPA.2009.74