Analysis of P2P, IRC and HTTP traffic for botnets detection

Cited by: 15
Authors
AsSadhan, Basil [1]
Bashaiwth, Abdulmuneem [2 ]
Al-Muhtadi, Jalal [3 ]
Alshebeili, Saleh [4 ]
Affiliations
[1] King Saud Univ, Dept Elect Engn, Ctr Excellence Informat Assurance CoEIA, Riyadh, Saudi Arabia
[2] King Saud Univ, Dept Elect Engn, Riyadh, Saudi Arabia
[3] King Saud Univ, Dept Comp Sci, Ctr Excellence Informat Assurance CoEIA, Riyadh, Saudi Arabia
[4] King Saud Univ, Dept Elect Engn, KACST TIC RF & Photon E Soc RFTONICS, Riyadh, Saudi Arabia
Keywords
Botnet C&C traffic detection; Periodic behavior; Periodogram; IRC; P2P; HTTP;
DOI
10.1007/s12083-017-0586-0
CLC number
TP [Automation technology, computer technology];
Subject classification code
0812 ;
Abstract
Botnets are widespread and have become a major threat to network security. A botnet is a group of infected computers that are controlled by a botmaster. Botnet members use command and control (C&C) channels to communicate with their C&C server. In this paper, we study the detection of botnets by monitoring and analyzing the communication traffic of botnets' C&C channels. As bots are preprogrammed to communicate every T seconds, we exploit this periodic behavior of C&C traffic to detect the botnet. The botnet detection approach we use is based on evaluating the periodogram of several count-feature sequences of the traffic and testing the significance of the peak of each periodogram. We apply this approach to real traffic that we captured from King Saud University's (KSU) network. The captured traffic contains more than 11 TB of traffic that spans 50 days during 2012 and 2013 from different locations inside KSU. We apply the detection approach to KSU's traffic to detect botnet C&C traffic that uses P2P, IRC, or HTTP as its communication protocol. The results show that the botnet detection approach can efficiently detect botnet members in recent traffic datasets. The period values of the detected bots ranged between 31 and 49 min.
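The periodogram-plus-peak-significance idea the abstract describes, as an added Python example that is not the authors' code. It assumes a count-feature sequence binned per minute, a constructed day of traffic in which a hypothetical bot exchanges packets with its C&C server for 8 minutes every 40 minutes on top of random benign background, and Fisher's g-test for the significance of the largest periodogram ordinate; the abstract does not state which count features or which significance test the paper uses, so those choices are assumptions here. The detector recovers the 40-minute period from the beaconing sequence, reports no significant peak for the background-only sequence, and returns None for a constant sequence (whose periodogram is identically zero and cannot be tested).

```python
import cmath
import math
import random

BIN_MINUTES = 1          # one count per 1-minute bin (assumed feature granularity)
HOURS = 24               # one day of traffic -> N = 1440 bins


def periodogram(counts):
    """Return I_k for k = 1..floor((N-1)/2) of a mean-removed count sequence.

    I_k = |X_k|^2 / N, where X_k is the DFT coefficient at k/N cycles per bin.
    The DC bin (k = 0) is dropped because the mean carries no periodicity.
    Plain O(N^2) DFT so the example needs nothing beyond the standard library.
    """
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    roots = [cmath.exp(-2j * math.pi * j / n) for j in range(n)]
    m = (n - 1) // 2
    spectrum = []
    for k in range(1, m + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * roots[(k * t) % n]
        spectrum.append(abs(acc) ** 2 / n)
    return spectrum


def fisher_g_pvalue(g, m):
    """P(largest normalised ordinate > g) for m ordinates of white noise.

    Fisher's exact alternating series; exact for Gaussian white noise and a
    good approximation for the discrete background used below.
    """
    p = 0.0
    for j in range(1, int(1 / g) + 1):
        term = math.comb(m, j) * (1 - j * g) ** (m - 1)
        p += term if j % 2 else -term
    return min(max(p, 0.0), 1.0)


def detect_periodic_beacon(counts, alpha=0.001):
    """Locate the periodogram peak and test whether it is significant.

    Returns None for a constant sequence; otherwise a dict with the period
    (in bins), Fisher's g statistic, its p-value and the decision at alpha.
    """
    spec = periodogram(counts)
    total = sum(spec)
    if total == 0.0:
        return None
    k = max(range(len(spec)), key=lambda i: spec[i]) + 1   # frequency index of the peak
    g = spec[k - 1] / total
    p = fisher_g_pvalue(g, len(spec))
    return {"period_bins": len(counts) / k, "g": g, "p_value": p, "periodic": p < alpha}


def synthetic_counts(period_min, session_min, per_min_bot, seed):
    """Constructed per-minute packet counts: random benign background plus an
    optional bot that adds per_min_bot packets during the first session_min
    minutes of every period_min-minute cycle."""
    rng = random.Random(seed)
    n = HOURS * 60 // BIN_MINUTES
    counts = []
    for t in range(n):
        background = rng.randint(0, 2)                       # constructed benign noise
        bot = per_min_bot if (t % period_min) < session_min else 0
        counts.append(background + bot)
    return counts


# Constructed inputs: one host beaconing every 40 min, one host with background only.
BOT_COUNTS = synthetic_counts(period_min=40, session_min=8, per_min_bot=3, seed=1)
BENIGN_COUNTS = synthetic_counts(period_min=40, session_min=8, per_min_bot=0, seed=2)

if __name__ == "__main__":
    for label, seq in (("beaconing host", BOT_COUNTS), ("benign host", BENIGN_COUNTS)):
        r = detect_periodic_beacon(seq)
        print(label, "-> period %.1f min, g=%.3f, p=%.3g, periodic=%s"
              % (r["period_bins"] * BIN_MINUTES, r["g"], r["p_value"], r["periodic"]))
```

The peak lands on the fundamental (k = 36 for N = 1440, i.e. 1440/36 = 40 minutes) because an 8-minute session per 40-minute cycle puts most of its energy in the first harmonic; a single-bin spike every 40 minutes would spread energy evenly across all harmonics, so a practitioner applying this to real count features should report the period as N/k of the largest peak but also check that lower harmonics are not competing.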
Pages: 848 / 861
Page count: 14