• DocumentCode
    613963
  • Title

    Mining Botnet Behaviors on the Large-Scale Web Application Community

  • Author

    Garant, D. ; Wei Lu

  • Author_Institution
    Dept. of Comput. Sci., USNH, Keene, NH, USA
  • fYear
    2013
  • fDate
    25-28 March 2013
  • Firstpage
    185
  • Lastpage
    190
  • Abstract
    Botnets are networks of compromised computers controlled under a common command and control channel. Recognized as one of the most serious security threats on current Internet infrastructure, botnets are often hidden in existing applications, e.g. IRC, HTTP, or peer-to-peer, which makes botnet detection a challenging problem. In this paper we propose a new, centralized, fully encrypted botnet system called Weasel. A set of signatures is examined and formalized to differentiate the behaviors of Weasel and normal web applications. Through these signatures, we apply a set of data mining techniques to detect the web-based botnet behaviors on a web application community formed on a campus backbone network. The proposed approach was evaluated with over 400 thousand flows collected over seven consecutive days on a large-scale network, and results show the proposed approach successfully detects the botnet flows with a high detection rate and an acceptably low false alarm rate.
  • Keywords
    Internet; computer network security; cryptography; data mining; HTTP; IRC; Internet infrastructure; Weasel; Web applications; Web based botnet behaviors; botnet behaviors mining; botnet detection; campus backbone network; centralized fully-encrypted botnet system; command and control channel; compromised computers; data mining techniques; large-scale Web application community; peer-to-peer; security threats; Computers; Cryptography; Electronic mail; Protocols; Servers; Web services; botnet; data mining; web;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on
  • Conference_Location
    Barcelona
  • Print_ISBN
    978-1-4673-6239-9
  • Electronic_ISBN
    978-0-7695-4952-1
  • Type

    conf

  • DOI
    10.1109/WAINA.2013.235
  • Filename
    6550394