Layered Botnet Detection Framework Based On Signal Processing And Discrete Time Analysis
Main Author: | Melhim, Loai Kayed Hassan Bani |
Format: | Thesis |
Language: | English |
Published: | 2012 |
Subjects: | QA75.5-76.95 Electronic computers. Computer science |
Online Access: | http://eprints.usm.my/45258/1/Loai%20Kayed%20Hassan%20Bani%20Melhim24.pdf |
collection | USM |
description | A massive volume of online financial transactions and sensitive information is exchanged over the Internet. This has shifted the focus of cyber attackers from curiosity to financial gain. Attackers use different malware to achieve their goals. Among the various forms of malware, the botnet is considered the worst because of its vast computing power, its ability to control many machines and the significant threat it poses to Internet users.

This thesis presents a new approach to botnet detection. It introduces a framework called the Layered Botnet Detection Framework (LBDF) that can detect botnet members efficiently. The framework works in the frequency domain rather than in the time domain, and it is equipped with a 'malicious-scanning' detection algorithm. LBDF uses SYN, ACK (SNAK) rules to reduce the volume of captured network traffic and to convert the reduced traffic into discrete time sequences. It then applies both a periodogram and the circular autocorrelation function to these sequences to detect hidden periodicities. If periodic behavior is detected, the frequency of the sequence and the IP address of the monitored computer are recorded: the IP addresses of PCs with periodic behavior are saved in a database and labeled as suspicious. If any suspicious machine then performs a malicious-scanning action, it is declared a bot. Bots that share similar features are grouped together as members of the same botnet. |
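The abstract describes the LBDF pipeline only at a high level. The following is an added example, written for this record and not code from the thesis, that runs the four stages (SNAK reduction, periodogram plus circular autocorrelation, scan check, grouping) over a constructed packet capture. Everything the abstract leaves open is an assumption here: the SNAK rule is modelled as keeping only outbound segments with SYN set and ACK clear; the discrete-time sequence is a 1/0 presence signal per 1 s bin over a 64-bin window; "malicious scanning" is more than five distinct destinations in one bin; bots are grouped by equal beacon period; and the 0.5 autocorrelation threshold, the harmonic-handling rule and all IP addresses and timestamps are invented for the demonstration.

```python
"""Added example (not the thesis's code): a toy LBDF-style pipeline.
Assumed, not taken from the abstract: SNAK = keep outbound SYN-without-ACK;
1 s bins over a 64-bin window; 1/0 presence sequences; scan = more than
SCAN_THRESHOLD distinct destinations in one bin; bots grouped by period."""
import cmath
from collections import defaultdict

BIN_SECONDS = 1.0
WINDOW_BINS = 64        # N, length of each discrete-time sequence
SCAN_THRESHOLD = 5      # distinct destinations in one bin (assumed)
ACF_THRESHOLD = 0.5     # r[P]/r[0] needed to accept a period (assumed)


def synthetic_capture():
    """Constructed records (ts, src, dst, syn, ack); not real traffic."""
    def beacon(src, dst, offset):          # one SYN every 4 s
        return [(t + 0.1, src, dst, True, False)
                for t in range(offset, WINDOW_BINS, 4)]

    def scan(src, t0):                     # 8 hosts hit within 0.1 s
        return [(t0 + i * 0.01, src, "192.0.2.%d" % i, True, False)
                for i in range(8)]

    pkts = beacon("10.0.0.5", "203.0.113.9", 0) + scan("10.0.0.5", 62.0)
    pkts += beacon("10.0.0.11", "203.0.113.9", 2) + scan("10.0.0.11", 30.2)
    pkts += beacon("10.0.0.7", "198.51.100.4", 1)       # beacons, never scans
    # aperiodic browsing: Golomb-ruler spacing, so no lag ever repeats
    pkts += [(t + 0.5, "10.0.0.9", "198.51.100.%d" % (10 + i), True, False)
             for i, t in enumerate([3, 4, 7, 13, 21, 26, 28])]
    # server SYN-ACK replies, which the SNAK rule must discard
    pkts += [(t + 0.15, "203.0.113.9", "10.0.0.5", True, True)
             for t in range(0, WINDOW_BINS, 4)]
    return pkts


def snak_reduce(pkts, monitored_prefix="10.0.0."):
    """Layer 1: SNAK filter, then per-host discrete-time sequences."""
    seq = defaultdict(lambda: [0] * WINDOW_BINS)
    dsts = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, syn, ack in pkts:
        if not (syn and not ack) or not src.startswith(monitored_prefix):
            continue
        b = int(ts // BIN_SECONDS)
        if b >= WINDOW_BINS:
            continue
        seq[src][b] = 1
        dsts[src][b].add(dst)
    return seq, dsts


def periodogram(x):
    """P[k] = |X[k]|^2 / N by direct DFT (fine for N = 64)."""
    n = len(x)
    return [abs(sum(x[m] * cmath.exp(-2j * cmath.pi * k * m / n)
                    for m in range(n))) ** 2 / n for k in range(n)]


def circular_acf(x):
    """r[lag] = sum_m x[m] * x[(m + lag) mod N]."""
    n = len(x)
    return [sum(x[m] * x[(m + lag) % n] for m in range(n)) for lag in range(n)]


def detect_period(x):
    """Layer 2: periodogram peak confirmed by circular autocorrelation.
    Returns the period in bins, or None if the sequence is not periodic."""
    n = len(x)
    p = periodogram(x)
    cands = range(2, n // 2 + 1)       # k = 1 means period N, untestable
    peak = max(p[k] for k in cands)
    if peak == 0:
        return None
    # an impulse train puts equal power at every harmonic (k = 16 and
    # k = 32 for period 4 in N = 64); take the lowest bin near the peak
    k = next(k for k in cands if p[k] >= 0.5 * peak)
    lag = round(n / k)
    r = circular_acf(x)
    if r[0] == 0 or r[lag] / r[0] < ACF_THRESHOLD:
        return None
    return lag


def is_scanning(bins_to_dsts):
    """Layer 3: one bin with many distinct destinations counts as a scan."""
    return any(len(d) > SCAN_THRESHOLD for d in bins_to_dsts.values())


def run_lbdf(pkts):
    """Returns {src: (label, period)} and {period: [bot, ...]}."""
    seq, dsts = snak_reduce(pkts)
    verdicts = {}
    for src, x in seq.items():
        period = detect_period(x)
        if period is None:
            verdicts[src] = ("benign", None)
        elif is_scanning(dsts[src]):
            verdicts[src] = ("bot", period)
        else:
            verdicts[src] = ("suspicious", period)
    botnets = defaultdict(list)         # Layer 4: group bots by feature
    for src, (label, period) in sorted(verdicts.items()):
        if label == "bot":
            botnets[period].append(src)
    return verdicts, dict(botnets)
```

On the constructed capture, `run_lbdf(synthetic_capture())` labels 10.0.0.5 and 10.0.0.11 as bots with a 4-bin period and groups them as one botnet, 10.0.0.7 as suspicious (periodic but no scan), and 10.0.0.9 as benign; the SYN-ACK replies from 203.0.113.9 never produce a sequence. The autocorrelation confirmation matters because the raw periodogram of a short, sparse sequence routinely has a peak several times its mean by chance, which would otherwise flag ordinary browsing as periodic.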
id | usm.eprints-45258 |
institution | Universiti Sains Malaysia |
citation | Melhim, Loai Kayed Hassan Bani (2012) Layered Botnet Detection Framework Based On Signal Processing And Discrete Time Analysis. PhD thesis, Universiti Sains Malaysia. Deposited 2012-09; not peer reviewed. |
title | Layered Botnet Detection Framework Based On Signal Processing And Discrete Time Analysis |
topic | QA75.5-76.95 Electronic computers. Computer science |