A New C&C Channel Detection Framework Using Heuristic Rule and Transfer Learning

2019 
A great many botnet detection methods focus on recognizing the significant C&C channels. Most of them require a C&C training set to build a behavior detection model. However, when such a training set is lacking for new or unknown botnets, these methods may become inefficient or even invalid. To overcome this, we propose a new general framework for C&C channel detection. It requires neither knowing the bot families nor preparing a training set, nor does it require deploying malicious-activity monitors. It is also capable of mining useful knowledge from a historical dataset to boost its detection performance. In our framework, we put forward a clustering method and several heuristic rules to aggregate and label partial C&C traffic, a sample selection function to mine useful historical knowledge, and a transfer-learning-based model to find the remaining C&C channels. We evaluated our framework on two datasets and achieved best C&C F-measures of about 0.886 and 0.960 respectively. Moreover, the comparison results further indicate its performance advantage and better behavior-learning ability.
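To make the pipeline the abstract outlines concrete (aggregate flows into candidate channels, label only the clear-cut ones with heuristic rules, pull in similar samples from an older labelled capture, then classify the rest), here is an added toy sketch in Python. It is not the paper's code: the three features, the labelling rules, the selection radius, the nearest-centroid classifier standing in for the paper's transfer-learning model, and all flow and historical samples are constructed assumptions for illustration only.

```python
"""Toy sketch of a heuristic-seeded, history-assisted C&C channel detector.
Features, rules, thresholds and sample data are constructed for illustration;
none of it is the paper's own method or data."""
from dataclasses import dataclass
from math import dist            # Euclidean distance, Python 3.8+
from statistics import mean, pstdev

TOTAL_HOSTS = 10      # size of the monitored internal network (assumed)
SELECT_RADIUS = 0.5   # historical samples farther than this from every seed are dropped


@dataclass
class Flow:
    src: str            # internal host
    dst: str            # external endpoint
    dport: int
    intervals: list     # seconds between successive connections to dst
    avg_bytes: float    # mean payload size per connection


def cluster_flows(flows):
    """Aggregate flows that share a destination endpoint into one candidate channel."""
    clusters = {}
    for f in flows:
        clusters.setdefault((f.dst, f.dport), []).append(f)
    return clusters


def features(flows):
    """Three features in [0, 1]: timing regularity, payload smallness, fan-in."""
    intervals = [i for f in flows for i in f.intervals]
    cv = pstdev(intervals) / mean(intervals)        # low cv = beacon-like timing
    small = sum(f.avg_bytes < 1024 for f in flows) / len(flows)
    fan_in = len({f.src for f in flows}) / TOTAL_HOSTS
    return (min(cv, 1.0), small, fan_in)


def heuristic_label(feat):
    """Constructed rules: label only clear-cut clusters, leave the rest unlabelled."""
    cv, small, fan_in = feat
    if cv < 0.2 and small >= 0.8 and fan_in >= 0.3:   # many hosts beaconing tiny payloads
        return "cc"
    if cv > 0.6 and small < 0.5:                        # irregular, bulky traffic
        return "benign"
    return None


def select_historical(seeds, historical):
    """Sample selection: keep historical samples that lie close to some fresh seed."""
    if not seeds:
        return []
    return [(h, lab) for h, lab in historical
            if min(dist(h, s) for s, _ in seeds) <= SELECT_RADIUS]


def centroids(samples):
    """Mean feature vector per class; the classifier below is nearest-centroid."""
    by_label = {}
    for feat, lab in samples:
        by_label.setdefault(lab, []).append(feat)
    return {lab: tuple(map(mean, zip(*feats))) for lab, feats in by_label.items()}


def run(flows, historical):
    """Return ({(dst, dport): label}, number of historical samples selected)."""
    clusters = {k: features(v) for k, v in cluster_flows(flows).items()}
    labels = {k: heuristic_label(f) for k, f in clusters.items()}
    seeds = [(clusters[k], lab) for k, lab in labels.items() if lab]
    selected = select_historical(seeds, historical)
    cents = centroids(seeds + selected)
    for k, lab in labels.items():
        if lab is None and cents:
            labels[k] = min(cents, key=lambda c: dist(clusters[k], cents[c]))
    return labels, len(selected)


FLOWS = [  # constructed sample flows
    # four hosts beaconing every 60 s with tiny payloads to one endpoint -> seed "cc"
    *[Flow(h, "203.0.113.10", 443, [60, 60, 60, 60], 300) for h in ("h1", "h2", "h3", "h4")],
    # ordinary browsing: irregular timing, large payloads -> seed "benign"
    Flow("h1", "198.51.100.7", 80, [5, 300], 50000),
    Flow("h2", "198.51.100.7", 80, [20, 900], 120000),
    # unlabelled by the rules (too few hosts), but regular and small
    Flow("h5", "203.0.113.55", 8080, [120, 120], 400),
    Flow("h6", "203.0.113.55", 8080, [125, 115], 500),
    # unlabelled: mixed payload sizes, moderately irregular timing
    Flow("h7", "192.0.2.9", 443, [10, 60], 800),
    Flow("h8", "192.0.2.9", 443, [20, 70], 3000),
]

HISTORICAL = [  # constructed ((cv, small, fan_in), label) from an older labelled capture
    ((0.05, 0.90, 0.50), "cc"),
    ((0.10, 1.00, 0.30), "cc"),
    ((0.02, 0.80, 0.70), "cc"),
    ((0.90, 0.10, 0.10), "benign"),
    ((0.70, 0.30, 0.20), "benign"),
    ((0.95, 0.95, 0.05), "benign"),   # unlike any seed: dropped by selection
]

if __name__ == "__main__":
    labels, n_selected = run(FLOWS, HISTORICAL)
    print(n_selected, "historical samples reused")
    for key, lab in labels.items():
        print(key, lab)
```

The two clusters the rules leave unlabelled are decided by the combined training set: the regular, small-payload channel to 203.0.113.55 lands next to the C&C centroid, the mixed-size channel to 192.0.2.9 next to the benign one, and the one historical sample that resembles no seed is discarded before training. In practice the weak points are the seed rules themselves (a false seed poisons the centroid) and the selection radius, so both deserve validation against a held-out capture.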