Signature generation model for botnet command and control channel

The malicious activities such as distributed denial of service attack, spam sending, and sensitive information theft launched by botnet have been the serious threats to Internet security. Command and control channel is the only way for botnet to manipulate these malicious activities. With the features of relatively fixed command format and string in the command and control channel, a novel signature generation model is proposed based on the existing techniques of signature generation, which focuses on the edge network’s suspect traffics. Experiment results show that the proposed model can generate accurate signatures conforming to the command format. Furthermore, the intrusion detection rules generated from these signatures can be used to identify the zombies effectively.