Title :
Using entropy of traffic features to identify bot infected hosts
Author :
Soniya, B. ; Wilscy, M.
Author_Institution :
Dept. of Comput. Sci., Univ. of Kerala, Trivandrum, India
Abstract :
Botnets are proliferating on the web and are increasingly being used by criminals for data theft, denial of service attacks, spamming and other such activities. Several bot detection approaches have been proposed which can be classified as either host-based or network-based. A hybrid approach which mitigates the disadvantages of the previous two approaches is proposed here. The proposed method aims to identify bots on a single host by looking at the network traffic generated by the host. The detection method is designed for HTTP traffic. A characterization of normal HTTP traffic as well as bot traffic is initially done using features extracted from network packets. A neural network classifier is trained using these traffic features and later used to classify unlabeled traffic as benign or malicious. A normal traffic profile is first used to filter out packets to commonly accessed destinations, thereby reducing the workload on the classifier. Stealthy bots which communicate at large time intervals of up to 32 hours are also detected. 120 bot samples were used to evaluate the system. The experimental results demonstrate a high detection rate of 97.4% and a very low false positive rate of 2.5%. The performance of the system is compared with many recent bot detection methods.
Keywords :
Internet; computer network security; entropy; feature extraction; invasive software; neural nets; HTTP traffic; World Wide Web; bot detection methods; bot infected hosts; bot traffic; botnets; data theft; denial of service attacks; entropy; features extraction; high detection rate; network traffic; neural network classifier; spamming; stealthy bots; traffic features; traffic profile; unlabeled traffic; Data preprocessing; Entropy; Feature extraction; Filtering; Malware; Neural networks; Telecommunication traffic; Botnet detection; Neural Network; host-based; packet traffic; traffic characterization and modeling;
Conference_Titel :
Intelligent Computational Systems (RAICS), 2013 IEEE Recent Advances in
Conference_Location :
Trivandrum
Print_ISBN :
978-1-4799-2177-5
DOI :
10.1109/RAICS.2013.6745439