Su Xin, Zhang Da-Fang, Luo Zhang-Qi, Zeng Bin, Li Wen-Wei. Botnet Detecting Method Based on Clustering Flow Attributes of Command and Control Communication Channel[J]. Journal of Electronics & Information Technology, 2012, 34(8): 1993-1999. doi: 10.3724/SP.J.1146.2011.01098
A botnet is a novel attack strategy that evolved from traditional forms of malware. It provides attackers with a stealthy, flexible and efficient one-to-many Command and Control (CC) mechanism that can be used to direct an army of zombie hosts toward goals such as information theft, launching Distributed Denial of Service (DDoS) attacks, and sending spam. This paper proposes a botnet detection method that is independent of the botnet's CC protocol and structure and does not analyze packet payloads. First, the method applies pre-filter rules to discard flows that are irrelevant to botnets; second, the attributes of the remaining flows are analyzed; third, a two-step clustering algorithm based on X-means clustering is used to analyze and cluster the flow attributes of the CC channel, which implements the botnet detection. Experiments show that this method distinguishes botnet traffic from normal network traffic with high accuracy and a low false positive rate, achieving the goal of detecting botnets in a real network environment.
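The three stages described in the abstract (pre-filter, flow attribute extraction, clustering without payload inspection) as an added illustration; this is not the paper's code, the flow records, the pre-filter rule, the attribute set and the "suspect cluster" rule are all constructed assumptions, and the paper's two-step X-means is replaced by a single fixed-k k-means with deterministic seeding.

```python
"""Payload-free clustering of flow attributes (added example, not the paper's code).
Pipeline: pre-filter -> attribute extraction -> clustering. Everything below is
constructed: records, pre-filter rule, attributes and the suspect-cluster rule."""
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, packet sizes in bytes,
# connection start times in seconds). Two hosts talk to the same server with
# small, uniform packets at fixed 300 s intervals; the rest is ordinary traffic.
FLOWS = [
    ("10.0.0.1", "203.0.113.9", 6667, [62, 60, 61, 62, 60], [0, 300, 600, 900, 1200]),
    ("10.0.0.2", "203.0.113.9", 6667, [60, 61, 60, 62, 61], [5, 305, 605, 905, 1205]),
    ("10.0.0.3", "198.51.100.4", 443, [1400, 300, 900, 1200, 200], [0, 2, 40, 41, 700]),
    ("10.0.0.4", "198.51.100.7", 80, [1200, 150, 1400, 300, 800], [0, 1, 1, 30, 400]),
    ("10.0.0.5", "10.0.0.53", 53, [70, 70, 72, 70, 71], [0, 1, 2, 3, 4]),
]
PREFILTER_PORTS = {53}  # assumed rule: local resolver traffic is irrelevant here

def prefilter(flows):
    """Step 1: discard flows the (assumed) rule set marks as irrelevant."""
    return [f for f in flows if f[2] not in PREFILTER_PORTS]

def attributes(flow):
    """Step 2: payload-independent attributes: mean packet size, packet size
    spread, and spread of the gaps between connection starts (0 = periodic)."""
    _, _, _, sizes, starts = flow
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return [mean(sizes), pstdev(sizes), pstdev(gaps)]

def normalise(vectors):
    """Min-max scale each attribute so byte counts do not dominate distances."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for vec in vectors]

def kmeans(points, k=2, iters=20):
    """Step 3 (simplified): k-means with farthest-point seeding; stands in for
    the paper's X-means, which chooses k itself."""
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(dist(p, c) for c in centres)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: dist(p, centres[i])) for p in points]
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:  # keep the old centre if a cluster empties out
                centres[i] = [mean(col) for col in zip(*members)]
    return labels, centres

def detect(flows):
    """Return hosts in the cluster with the most regular connection timing
    (assumed heuristic for picking the CC-like cluster)."""
    kept = prefilter(flows)
    labels, centres = kmeans(normalise([attributes(f) for f in kept]))
    suspect = min(range(len(centres)), key=lambda i: centres[i][2])
    return {f[0] for f, l in zip(kept, labels) if l == suspect}
```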