Poster: Detecting Command and Control Servers of Botnet With Randomized Traffic

Botnet continue to be a significant threat to Internet. Accordingly, the present research of botnet traffic detection mainly based on the assumption that communication or attack flows between a botnet tend to have space-time similarities. However, in order to bypass existing detection systems, attackers begin to add some randomness to the process of botnet propagation and control to make the feature matching or aggregating difficult. For example, randomly changing the communication contents or letting bot randomly visit benign domains. In this paper, we address this issue and propose a botnet command and control (C&C) servers detection system to against the randomization attack. The system, combined features of host-side and server-side, successively employs the clustering inference and supervised learning based on feedback mechanism. The two-step structure and two dimensions of features assure that the botnet can be fully detected with lower false positive rate.