Detecting encrypted botnet traffic
Bot detection methods that rely on deep packet inspection (DPI) can be foiled by encryption. Encryption, however, increases entropy. This paper investigates whether adding high-entropy detectors to an existing bot detection tool that uses DPI can restore some of the bot visibility. We present two high-entropy classifiers, and use one of them to enhance BotHunter. Our results show that while BotHunter misses about 50% of the bots when they employ encryption, our high-entropy classifier restores most of its ability to detect bots, even when they use encryption. © 2013 IEEE.
Proceedings - IEEE INFOCOM
Zhang, H., Papadopoulos, C., & Massey, D. (2013). Detecting encrypted botnet traffic. Proceedings - IEEE INFOCOM, 3453-3458. https://doi.org/10.1109/INFCOM.2013.6567180