Improving Botnet Detection and Timing using Two-Level Support Vector Machines

James Rosswog and Kanad Ghose

Botnets have become a major threat to the Internet, as large armies of bot machines can be used to carry out a wide range of attacks. We present a botnet detection mechanism that uses two levels of support vector machines (SVMs) to identify infected bot machines before they are used in an attack. Our technique dynamically detects relationships among network flows and determines whether those relationships are similar to those found within the command and control traffic of known botnets. Two levels of SVMs enable monitoring of large networks in real time, require no knowledge of the packet payload, and permit detecting bots that use multiple communication protocols/frameworks. The first-level SVMs examine network flows within short overlapping time windows to detect suspect flows. The second-level SVMs monitor the suspect flows over a longer duration to discern the inter-flow and inter-channel relationships that characterize botnet command and control traffic. Because the basic framework is based on detecting similarities in relationships, it can detect a variety of botnets, including those that use peer-to-peer protocols and/or fast-flux techniques. An experimental evaluation using representative botnet flows, superimposed on flow information collected over the span of several days in a medium-scale campus network with over 1000 hosts, shows that we realize detection accuracies of over 99.8% with false positive rates of well under 1%.

Paper under submission