Poster: A Lightweight Unknown Http Botnets Detecting And Characterizing System

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, Arizona, USA, November 2014

Citations: 10 | Views: 9

Abstract
The ability of HTTP traffic to pass through firewalls and IDSs has made HTTP the most popular command and control (C&C) protocol among current botnets. To date, most botnet detection approaches operate at either packet level or flow level, identifying signatures or flow patterns, and some correlate flow features with malicious behaviour. However, most of these approaches rely on obvious behavioural characteristics of botnets and cannot simultaneously detect and characterize unknown bots in the early stages after an infection. To rectify this, we studied the distribution of the relevant packets and determined that, in general, the first request packet from a bot and the first response packet from its C&C server contain the most valuable information. On that basis, we propose a technique that automatically detects unknown HTTP botnets and generates signatures of their C&C activity. Preliminary experiments indicate that the proposed approach accurately detects unknown HTTP botnets (such as SpyEye and ZeuS) with low false positive rates and generates their signatures automatically.
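The abstract does not describe which fields of the first request/response pair are turned into a signature. The following is an added illustration, not code from the poster, of one way such a first-packet signature generator and matcher can be built: for each server it takes the first HTTP request head of every flow and the first response head, generalizes per-infection values in the URI (hex bot IDs and nonces), intersects the request header-name sets, and emits a signature only when enough flows agree. The feature choice (method, generalized URI, header-name set, content types, response status), the helper names and the sample flows are all assumptions made here; the flows are hand-constructed, not captures of SpyEye, ZeuS or any other bot.

```python
import re
from collections import defaultdict

# Constructed sample flows: (server, first request head, first response head).
# Hand-written for illustration; not captures of any real bot or C&C server.
SAMPLE_FLOWS = [
    ("203.0.113.10",
     "POST /gate.php?id=1a2b3c4d HTTP/1.1\r\nHost: 203.0.113.10\r\n"
     "User-Agent: Mozilla/4.0\r\nContent-Type: application/octet-stream\r\n"
     "Content-Length: 60\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
     "Content-Type: application/octet-stream\r\nContent-Length: 120\r\n\r\n"),
    ("203.0.113.10",
     "POST /gate.php?id=9f8e7d6c HTTP/1.1\r\nHost: 203.0.113.10\r\n"
     "User-Agent: Mozilla/4.0\r\nContent-Type: application/octet-stream\r\n"
     "Content-Length: 64\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
     "Content-Type: application/octet-stream\r\nContent-Length: 118\r\n\r\n"),
    ("198.51.100.7",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
     "Content-Length: 1024\r\n\r\n"),
]

# Runs of 6+ hex digits are treated as per-bot identifiers (assumption).
HEX_RUN = re.compile(r"[0-9a-fA-F]{6,}")


def parse_head(raw):
    """Return (start line, ordered lower-cased header names, header dict) of one HTTP head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    names, headers = [], {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            names.append(name)
            headers[name] = value.strip()
    return lines[0], names, headers


def generalize_uri(uri):
    """Turn a request URI into an anchored regex: literal text is kept, long hex
    runs are wildcarded. Bot IDs vary per infection; the gate path and parameter
    names usually do not."""
    return "^" + HEX_RUN.sub("[0-9a-fA-F]+", re.escape(uri)) + "$"


def request_features(req):
    """(method, raw URI, frozenset of header names, request Content-Type)."""
    start, names, headers = parse_head(req)
    method, uri = start.split(" ", 2)[:2]
    return method, uri, frozenset(names), headers.get("content-type", "")


def response_features(resp):
    """(status code, response Content-Type)."""
    start, _, headers = parse_head(resp)
    return start.split(" ", 2)[1], headers.get("content-type", "")


def build_signatures(flows, min_flows=2):
    """Derive one signature per server from the first request/response of each flow.
    A signature is emitted only when at least min_flows flows agree on method,
    generalized URI and response status; request header-name sets are intersected."""
    by_server = defaultdict(list)
    for server, req, resp in flows:
        by_server[server].append((request_features(req), response_features(resp)))
    sigs = {}
    for server, feats in by_server.items():
        if len(feats) < min_flows:
            continue
        methods = {rq[0] for rq, _ in feats}
        uris = {generalize_uri(rq[1]) for rq, _ in feats}
        statuses = {rs[0] for _, rs in feats}
        if len(methods) != 1 or len(uris) != 1 or len(statuses) != 1:
            continue  # first packets to this server are not stable enough to sign
        sigs[server] = {
            "method": methods.pop(),
            "uri_re": re.compile(uris.pop()),
            "req_headers": frozenset.intersection(*(rq[2] for rq, _ in feats)),
            "req_ct": {rq[3] for rq, _ in feats},
            "status": statuses.pop(),
            "resp_ct": {rs[1] for _, rs in feats},
        }
    return sigs


def matches(sig, req, resp):
    """True if a new flow's first request/response pair fits the signature."""
    method, uri, names, req_ct = request_features(req)
    status, resp_ct = response_features(resp)
    return (method == sig["method"]
            and sig["uri_re"].match(uri) is not None
            and sig["req_headers"] <= names
            and req_ct in sig["req_ct"]
            and status == sig["status"]
            and resp_ct in sig["resp_ct"])


if __name__ == "__main__":
    for server, sig in build_signatures(SAMPLE_FLOWS).items():
        print(server, sig["method"], sig["uri_re"].pattern, sorted(sig["req_headers"]))
```

Two caveats apply to anything built along these lines. First, the generator only measures stability of first packets; a benign client polling a legitimate server at regular intervals produces an equally stable signature, so the flows fed to `build_signatures` must already be labelled (or the output whitelisted against known services) before the signatures are deployed. Second, matching only the first request/response pair is what makes early-stage detection possible, but it also means a bot that randomizes its first beacon per flow will not produce a signature here, which is exactly the `len(uris) != 1` branch above.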
Keywords
Botnet,C&C,Detection,Characterization