Detecting encrypted botnet traffic
Bot detection methods that rely on deep packet inspection (DPI) can be foiled by encryption. Encryption, however, increases entropy. This paper investigates whether adding high-entropy detectors to an existing bot detection tool that uses DPI can restore some of the bot visibility. We present two high-entropy classifiers, and use one of them to enhance BotHunter. Our results show that while BotHunter misses about 50% of the bots when they employ encryption, our high-entropy classifier restores most of its ability to detect bots, even when they use encryption. © 2013 IEEE.
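As an added illustration of the idea in the abstract (this is not the paper's classifier or BotHunter code), the block below computes the byte-level Shannon entropy of packet payloads and flags a flow as encrypted when most of its measurable packets sit near 8 bits/byte. The thresholds, the minimum payload length, the HTTP request and the pseudo-ciphertext are all constructed assumptions for the example.

```python
"""Byte-entropy classifier for spotting encrypted (high-entropy) payloads.
Added example; the entropy rule, thresholds and sample payloads are
assumptions, not the authors' classifier or BotHunter's."""
import hashlib
import math
from collections import Counter


def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


# Assumed thresholds: ciphertext of a few hundred bytes sits close to 8 bits/byte,
# while text protocols (HTTP, IRC) usually sit around 4-6 bits/byte.
ENTROPY_THRESHOLD = 7.0
MIN_PAYLOAD_LEN = 128  # too few samples make the entropy estimate unreliable


def is_high_entropy(payload: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Per-packet decision; payloads shorter than MIN_PAYLOAD_LEN are ignored."""
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= threshold


def classify_flow(payloads, min_ratio: float = 0.5) -> str:
    """Flow-level decision: 'encrypted' if at least min_ratio of the measurable
    packets are high-entropy, 'plaintext' otherwise, 'unknown' if none is
    long enough to measure."""
    measurable = [p for p in payloads if len(p) >= MIN_PAYLOAD_LEN]
    if not measurable:
        return "unknown"
    hits = sum(1 for p in measurable if is_high_entropy(p))
    return "encrypted" if hits / len(measurable) >= min_ratio else "plaintext"


# --- constructed sample traffic (not captures from the paper) ---
PLAINTEXT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (compatible)\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Connection: keep-alive\r\n\r\n"
)


def pseudo_ciphertext(nbytes: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for an encrypted payload: chained SHA-256 digests
    are statistically indistinguishable from ciphertext for this purpose."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


ENCRYPTED_PAYLOAD = pseudo_ciphertext(1024)


if __name__ == "__main__":
    for name, p in (("plaintext", PLAINTEXT_REQUEST), ("ciphertext", ENCRYPTED_PAYLOAD)):
        print(f"{name:10s} len={len(p):5d} entropy={shannon_entropy(p):.2f} "
              f"high={is_high_entropy(p)}")
    print("flow:", classify_flow([PLAINTEXT_REQUEST, ENCRYPTED_PAYLOAD, ENCRYPTED_PAYLOAD]))
```

Compressed content (gzip bodies, images, legitimate TLS) is also high-entropy, so a detector like this raises the false-positive rate if used alone; that is why the abstract describes it as an addition to an existing DPI-based tool rather than a replacement, with the entropy signal corroborating the other bot-behaviour evidence.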
2013 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2013
Zhang, H., Papadopoulos, C., & Massey, D. (2013). Detecting encrypted botnet traffic. 2013 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2013, 163-168. https://doi.org/10.1109/INFCOMW.2013.6562912