HTTP and contact‐based features for Botnet detection


Bibliographic details

Published in: Security and privacy 2018-09, Vol.1 (5), p.n/a
Main authors: Resende, Paulo Angelo Alves; Drummond, André Costa
Format: Article
Language: eng

Description
Abstract: Over the past decade, Botnets have persisted as a relevant threat on the Internet. A Botnet is composed of many infected computers connected to the global network and subordinated to a controller, which uses their computational resources for malicious purposes. Many techniques are used to make the identification of Botnet communications on networks difficult. However, these communications are automated and usually exhibit typical behavioral patterns, which detection approaches have exploited. In this context, we noted that HTTP connections established as command and control (C&C) channels of Botnets commonly have specific implementations that deviate from the patterns of legitimate HTTP accesses. Also, C&C channels over other protocols, such as IRC or TCP, are typically composed of similar chunks of data transmission interleaved with periods of negligible traffic. We used both particularities to propose new features to distinguish C&C channels from benign traffic. The proposed detection method uses a random forest classifier implemented over Apache Spark, a Big Data processing framework. In the presented experiments, the approach achieved more than 99% accuracy with virtually zero false positives, which are good results compared with other available similar approaches. Also, the proposed features can be extracted before the communication ends, which enables an early response.
ISSN: 2475-6725
DOI: 10.1002/spy2.41