Abstract:
The aim of this paper is to present a method of detecting botnets based on the identification of their synchronous actions. There are many botnet implementations and many methods for detecting them, but those methods are usually effective only against specific groups of botnets, for example those that use the IRC, HTTP or P2P protocols to communicate with their Command&Control. The presented method, called BotTROP, uses clustering and classification methods to find synchronous actions in corporate network traffic and thereby detect malicious activity such as a botnet of any type. Furthermore, the effectiveness of the presented method was verified in numerous experiments using both simulated and real-life network traffic.
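To make the core idea concrete, the following is an added example (not BotTROP's code and not from the paper) of how "synchronous action" can be mined from network flow records: hosts whose outbound connections fall into the same time bins against the same destinations are grouped together, and groups above a minimum size are reported. The flow records, host names and addresses are constructed for the example; the single-linkage clustering over Jaccard similarity is a stand-in chosen here, not the paper's clustering and classification stage.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample flows: (timestamp_s, src_host, dst_ip, dst_port). Three hosts
# (bot-1..3) contact the same server every 60 s with small jitter; two workstations
# browse at unrelated times. All values are made up for this example.
SAMPLE_FLOWS = [
    (t + j, host, "203.0.113.5", 443)
    for t in range(0, 300, 60)
    for host, j in (("bot-1", 0), ("bot-2", 1), ("bot-3", 2))
] + [
    (17, "desk-1", "198.51.100.10", 443),
    (95, "desk-1", "198.51.100.20", 80),
    (221, "desk-1", "198.51.100.30", 443),
    (44, "desk-2", "198.51.100.10", 443),
    (133, "desk-2", "198.51.100.40", 443),
    (260, "desk-2", "203.0.113.5", 443),   # one unrelated hit on the same server
]


def host_event_sets(flows, bin_seconds=10):
    """Map each source host to the set of (time bin, dst_ip, dst_port) events it produced."""
    events = defaultdict(set)
    for ts, src, dst_ip, dst_port in flows:
        events[src].add((int(ts) // bin_seconds, dst_ip, dst_port))
    return events


def jaccard(a, b):
    """Similarity of two event sets; 1.0 means identical timing and destinations."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def detect_synchronous_groups(flows, bin_seconds=10, min_similarity=0.6, min_group=3):
    """Group hosts whose binned activity overlaps strongly; report groups of >= min_group.

    Hosts are joined (union-find, i.e. single linkage) whenever the Jaccard similarity
    of their event sets reaches min_similarity. Benign hosts that merely touch the same
    server once are not pulled in, because their overall timing pattern differs.
    """
    events = host_event_sets(flows, bin_seconds)
    parent = {h: h for h in events}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]   # path halving
            h = parent[h]
        return h

    for a, b in combinations(list(events), 2):
        if jaccard(events[a], events[b]) >= min_similarity:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for h in events:
        groups[find(h)].add(h)

    report = []
    for members in groups.values():
        if len(members) < min_group:
            continue
        shared = set.intersection(*(events[h] for h in members))
        dests = sorted({(ip, port) for _, ip, port in shared})
        report.append({"hosts": sorted(members),
                       "shared_destinations": dests,
                       "synchronous_events": len(shared)})
    return report


if __name__ == "__main__":
    for group in detect_synchronous_groups(SAMPLE_FLOWS):
        print(group)
```

On the constructed data the three beaconing hosts form one group with five shared events against 203.0.113.5:443, while the two workstations stay unclustered. The bin width and similarity threshold control the trade-off between tolerating jitter and merging unrelated hosts; widening the bin to 60 s still leaves desk-2 outside the group because only one of its three events coincides with the bots' pattern.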