Botnets are collections of compromised computers that are remotely controlled by their originator through a common command-and-control (C&C) infrastructure. Most existing botnet detection approaches concentrate on particular C&C protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as botnets change their structure and C&C techniques. In this paper we propose a new general detection framework that currently focuses on P2P-based botnets. The framework is based on our definition of a botnet: a group of bots that, within the same botnet, exhibit similar communication patterns and similar malicious activity patterns. The detection framework therefore works in two steps: in one step we monitor the network for groups of hosts that demonstrate similar communication patterns, and in another step we monitor for hosts that perform malicious activities; hosts that appear in both sets are reported as botnet members. What distinguishes our framework from many similar works is that it needs no prior knowledge of the botnet, such as a botnet signature.
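As an added example, not part of the paper, the two-step correlation described above in Python over constructed flow records: each host is fingerprinted by its communication behaviour and grouped with hosts that look alike, a separate activity monitor flags hosts that sweep the network, and only hosts that are both in a group and in the malicious set are reported. The fingerprint features, the 0.75 distance threshold, the probe heuristic and every address are assumptions of this example, not the paper's method.

```python
"""Two-step botnet detection: (1) group hosts with similar communication
patterns, (2) flag hosts showing malicious activity, (3) report hosts that
appear in both. No botnet signature is involved."""
import math
from collections import defaultdict


def _flows():
    """Constructed flow records (src, dst, dport, proto, bytes, pkts) in
    documentation/private address space; not captured traffic."""
    flows = []
    # Three hosts running the same hypothetical P2P bot: small UDP keep-alives
    # to a dozen peers, plus a short SMB sweep of the local subnet.
    for bot in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(1, 13):
            flows.append((bot, f"203.0.113.{i}", 6881, "udp", 70, 1))
        for i in range(1, 11):
            flows.append((bot, f"192.168.1.{i}", 445, "tcp", 60, 1))
    # Legitimate P2P file-sharing client: similar UDP pattern, no scanning.
    for i in range(1, 21):
        flows.append(("10.0.0.21", f"198.51.100.{i}", 6881, "udp", 70, 1))
    # Ordinary web client: a few large TCP sessions.
    for i in range(1, 5):
        flows.append(("10.0.0.20", f"192.0.2.{i}", 443, "tcp", 50000, 60))
    # Lone SSH scanner: malicious, but shares no communication pattern.
    for i in range(1, 201):
        flows.append(("10.0.0.30", f"192.168.2.{i}", 22, "tcp", 60, 1))
    return flows


FLOWS = _flows()


def comm_fingerprint(flows):
    """Per-host feature vector (assumed features): log2 of distinct peers,
    fraction of UDP flows, log10 of mean bytes per flow."""
    per_host = defaultdict(list)
    for src, dst, _dport, proto, nbytes, _pkts in flows:
        per_host[src].append((dst, proto, nbytes))
    fp = {}
    for host, recs in per_host.items():
        peers = len({dst for dst, _, _ in recs})
        udp = sum(1 for _, p, _ in recs if p == "udp") / len(recs)
        mean_bytes = sum(b for _, _, b in recs) / len(recs)
        fp[host] = (math.log2(peers), udp, math.log10(mean_bytes))
    return fp


def cluster_by_communication(flows, threshold=0.75):
    """Step 1: single-linkage grouping (union-find) of hosts whose
    fingerprints lie within `threshold` of each other."""
    fp = comm_fingerprint(flows)
    hosts = sorted(fp)
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if math.dist(fp[a], fp[b]) < threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for h in hosts:
        groups[find(h)].add(h)
    return [frozenset(g) for g in groups.values()]


def malicious_hosts(flows, min_probes=8):
    """Step 2: activity monitor. Flags hosts whose TCP traffic looks like a
    host/port sweep: many tiny flows to distinct (dst, port) targets. Other
    detectors (spam, DDoS, exploit attempts) would add to the same set."""
    probes = defaultdict(set)
    for src, dst, dport, proto, nbytes, pkts in flows:
        if proto == "tcp" and pkts <= 2 and nbytes <= 120:
            probes[src].add((dst, dport))
    return {h for h, targets in probes.items() if len(targets) >= min_probes}


def detect_botnets(flows):
    """Step 3: hosts that share a communication pattern with at least one
    other host AND show malicious activity. One set per detected botnet."""
    bad = malicious_hosts(flows)
    botnets = []
    for group in cluster_by_communication(flows):
        members = group & bad
        if len(members) >= 2:  # a botnet is a group, not a single host
            botnets.append(frozenset(members))
    return sorted(botnets, key=len, reverse=True)


if __name__ == "__main__":
    for botnet in detect_botnets(FLOWS):
        print("botnet:", sorted(botnet))
```

On this input the file-sharing client 10.0.0.21 lands in the same communication group as the three bots but is never reported, because it shows no malicious activity; the lone scanner 10.0.0.30 is flagged as malicious but is never reported, because no other host shares its communication pattern. Both exclusions are the point of intersecting the two steps rather than alerting on either one alone.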