BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts
Paper ID : 1724-IST
Mosa Yahyazadeh, Mahdi Abadi *
Tarbiat Modares University
Botnets have become one of the major tools used by attackers to perform various malicious activities on the Internet, such as launching distributed denial of service attacks, sending spam, and leaking personal information. In this paper, we propose BotCatch, a fuzzy pattern-based technique that considers multiple coordinated group activities in the monitored network to identify bot-infected hosts. To do so, it first identifies suspicious hosts participating in coordinated group activities using an online fixed-width clustering algorithm, and then calculates a membership value for each of them based on a fuzzy pattern recognition technique. It then makes an informed decision and identifies a host as bot-infected if its membership value is higher than a threshold. We demonstrate the effectiveness of BotCatch in detecting various botnets, including HTTP-, IRC-, and P2P-based botnets, using a testbed network consisting of several bot-infected hosts. The experimental results show that BotCatch can successfully detect various botnets with a high detection rate while keeping the false alarm rate significantly low, since it considers multiple coordinated group activities rather than a single one.
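As an added illustration (not the authors' code), the following Python sketch re-creates the three-stage pipeline the abstract describes: online fixed-width clustering of per-host activity vectors to find coordinated groups, a fuzzy membership value per host, and a threshold decision. The feature vectors, the cluster width, the form of the membership function (one minus the normalised distance to a group centroid, averaged over activity types) and the threshold are all assumptions, since the abstract does not specify them; the sample data is constructed.

```python
import math

WIDTH = 1.0       # assumed fixed cluster width (Euclidean distance)
MIN_GROUP = 3     # assumed minimum cluster size for a "coordinated group"
THRESHOLD = 0.6   # assumed membership threshold for flagging a host

def fixed_width_cluster(points, width=WIDTH):
    """Online fixed-width clustering: a (host, vector) joins the first cluster
    whose running centroid is within `width`, else it starts a new one."""
    clusters = []
    for host, vec in points:
        for c in clusters:
            cen, members = c
            if math.dist(cen, vec) <= width:
                n = len(members)            # incremental centroid update
                c[0] = [(ci * n + vi) / (n + 1) for ci, vi in zip(cen, vec)]
                members.append(host)
                break
        else:
            clusters.append([list(vec), [host]])
    return clusters

def membership(activities, width=WIDTH, min_group=MIN_GROUP):
    """Fuzzy membership (assumed form): per activity type, a host in a cluster of
    >= min_group hosts scores 1 - dist/width, else 0; averaged over activity types."""
    score = {h: 0.0 for pts in activities.values() for h, _ in pts}
    for pts in activities.values():
        vec_of = dict(pts)
        for cen, members in fixed_width_cluster(pts, width):
            if len(members) >= min_group:
                for h in members:
                    score[h] += max(0.0, 1 - math.dist(cen, vec_of[h]) / width)
    return {h: s / len(activities) for h, s in score.items()}

def detect(activities, threshold=THRESHOLD):
    """Hosts whose membership value reaches the (assumed) threshold."""
    return sorted(h for h, m in membership(activities).items() if m >= threshold)

# Constructed sample: per activity type, (host, feature vector). bot1-3 behave
# alike in every activity; host5 only coincides with them in the DNS activity.
SAMPLE = {
    "dns":   [("bot1", (5, 5)), ("bot2", (5.4, 5)), ("bot3", (5, 5.3)),
              ("host4", (0, 1)), ("host5", (5.2, 5.1)), ("host6", (2, 8))],
    "conn":  [("bot1", (8, 2)), ("bot2", (8.2, 2.2)), ("bot3", (7.9, 2)),
              ("host4", (1, 1)), ("host5", (3, 4)), ("host6", (0, 6))],
    "bytes": [("bot1", (3, 7)), ("bot2", (3.1, 7)), ("bot3", (3, 6.8)),
              ("host4", (9, 9)), ("host5", (1, 0)), ("host6", (6, 2))],
}

if __name__ == "__main__":
    print(detect(SAMPLE))   # ['bot1', 'bot2', 'bot3']
```

host5 lands in the DNS group cluster but nowhere else, so its averaged membership stays well below the threshold; this is the multi-activity effect the abstract credits for the low false alarm rate.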