Detecting Web-Based Botnets Using Bot Communication Traffic Features

Fu Hau Hsu, Chih Wen Ou, Yan Ling Hwang, Ya Ching Chang, Po Ching Lin

Research output: Contribution to journalArticlepeer-review

5 Scopus citations


Web-based botnets are popular nowadays. A Web-based botnet is a botnet whose C&C server and bots use HTTP protocol, the most universal and supported network protocol, to communicate with each other. Because the botnet communication can be hidden easily by attackers behind the relatively massive HTTP traffic, administrators of network equipment, such as routers and switches, cannot block such suspicious traffic directly regardless of costs. Based on the clients constituent of a Web server and characteristics of HTTP responses sent to clients from the server, this paper proposes a traffic inspection solution, called Web-based Botnet Detector (WBD). WBD is able to detect suspicious C&C (Command-and-Control) servers of HTTP botnets regardless of whether the botnet commands are encrypted or hidden in normal Web pages. More than 500 GB real network traces collected from 11 backbone routers are used to evaluate our method. Experimental results show that the false positive rate of WBD is 0.42%.

Original languageEnglish
Article number5960307
JournalSecurity and Communication Networks
StatePublished - 2017


Dive into the research topics of 'Detecting Web-Based Botnets Using Bot Communication Traffic Features'. Together they form a unique fingerprint.

Cite this