A botnet is one of the most dangerous forms of security issues. It infects unsecured computers and transmit malicious commands. By using botnet, the attacker can launch a variety of attacks, such as distributed denial of service (DDoS), data theft, and phishing. The botnet may contain a lot of infected hosts and its size is usually large. In this paper, we addressed the problem of botnet detection based on network’s flows records and activities in the host. We proposed a host-based approach that detects a host, that has been compromised by observing the flow of in-out bound traffic. To prove the existence of command and control communication, we examine host network flow. Once the bot process has been identified in the host being monitored, this knowledge allows blocking any in/out traffic with the bot’s server. In addition to providing information about the compromised machine’s IP address and how it communicates with servers, the log file is generated, which can provide data about the command and control (C&C) servers. Most existing work on detecting botnet is based on flow-based traffic analysis by mining their communication patterns. Our work distinguishes itself from other methods of bot detection from its ability to use real-time host-related data for detection.

Botmaster; Botnet; Centralized command and control; Host based detection; Traffic analysis