Detecting Bot Networks Based On HTTP And TLS Traffic Analysis
Subject Areas : Network Security
1 - Science and Research Branch, Islamic Azad University, Tehran, Iran.
Keywords: Security Threats, Bot Networks, Network Security, Intrusion Detection, HTTP Traffic Analysis, TLS Traffic Analysis
Abstract:
Bot networks (botnets) are a serious threat to cyber security; their destructive behavior directly degrades network performance. Detecting infected HTTP communications is a major challenge because malicious HTTP connections blend in with other kinds of HTTP traffic. Cybercriminals prefer the web as a communication channel for launching application-layer attacks and covertly carrying out forbidden activities, while TLS (Transport Layer Security) provides encrypted communication between client and server across the Internet. Traffic behavior analysis methods do not depend on packet payloads, which means they can work with encrypted network communication protocols. Hence, the analysis of TLS and HTTP traffic behavior has been considered for detecting malicious activity. Because the volume of information exchanged in a network is very large, storing and indexing this massive data requires a big data platform.
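As an added illustration (not part of the paper, and not the authors' method) of what payload-independent analysis of TLS and HTTP behavior looks like in practice: the script below parses a TLS ClientHello, keeps only handshake metadata (SNI, cipher suites, extensions, groups, point formats) and turns it into a JA3-style fingerprint without touching any encrypted application data, then scores how regular a host's connection timestamps are as a simple beaconing indicator. The ClientHello bytes, the host name, the cipher and extension values, the timestamps and all function names (build_client_hello, parse_client_hello, ja3_fingerprint, beacon_score, demo) are my own constructions for the example.

```python
import hashlib
import statistics
import struct

# GREASE values (RFC 8701) are random per-connection noise and are dropped from fingerprints.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def sni_ext(host):
    """Build a server_name (type 0) extension body for one DNS host name."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (0, struct.pack("!H", len(entry)) + entry)


def u16_list_ext(etype, values):
    """Build a list-of-uint16 extension body (used here for supported_groups, type 10)."""
    data = b"".join(struct.pack("!H", v) for v in values)
    return (etype, struct.pack("!H", len(data)) + data)


def build_client_hello(ciphers, extensions):
    """Constructed sample: a TLS 1.2-style ClientHello record (not a real capture)."""
    body = b"\x03\x03" + bytes(32)                   # client_version + 32-byte random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                              # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract handshake metadata from a TLS record; the payload is never decrypted."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                          # skip handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                        # random
    pos += 1 + hs[pos]                               # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                               # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    extensions, curves, point_formats, sni = [], [], [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        extensions.append(etype)
        if etype == 0 and len(data) >= 5:            # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:         # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 11 and data:                   # ec_point_formats
            point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats, "sni": sni}


def ja3_fingerprint(info):
    """JA3-style string (version,ciphers,extensions,groups,point formats) and its MD5."""
    strip = lambda vals: [v for v in vals if v not in GREASE]
    s = ",".join(["%d" % info["version"],
                  "-".join(map(str, strip(info["ciphers"]))),
                  "-".join(map(str, strip(info["extensions"]))),
                  "-".join(map(str, strip(info["curves"]))),
                  "-".join(map(str, info["point_formats"]))])
    return s, hashlib.md5(s.encode()).hexdigest()


def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps; near 0 means regular beaconing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def demo():
    # Constructed ClientHello: includes GREASE values that the fingerprint must ignore.
    record = build_client_hello(
        ciphers=[0x1301, 0xc02f, 0x0a0a, 0x002f],
        extensions=[sni_ext("example.test"), (0x1a1a, b""),
                    u16_list_ext(10, [0x001d, 0x0017, 0x0a0a]), (11, b"\x01\x00")])
    info = parse_client_hello(record)
    ja3_str, ja3_md5 = ja3_fingerprint(info)
    # Constructed connection times (seconds): one host polls every 60 s, the other is irregular.
    periodic = beacon_score([0, 60, 120, 180, 240])
    bursty = beacon_score([0, 5, 90, 97, 300])
    return {"sni": info["sni"], "ja3": ja3_str, "ja3_md5": ja3_md5,
            "periodic_cv": periodic, "bursty_cv": bursty}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fingerprint and the timing score use only fields that stay in cleartext (handshake metadata and connection timing), which is exactly why such features survive TLS; at scale, both would be computed once per flow and stored as compact features rather than as full packet captures.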