ABSTRACT

In this chapter we describe our system setup, data collection process, and approach to categorizing bot commands. We build a testbed with an isolated network containing two servers and three client virtual machines. We execute two different IRC bots and collect packet traces. We also collect packet traces of known benign traffic. We identify several packet-level and flow-level features that can distinguish the botnet traffic from benign traffic. In addition, we find temporal correlations between the system execution log (exedump) and packet trace log (tcpdump) and use these correlations as additional features. Using these features, we then train classifiers with known botnet and benign traffic. The resulting classifier is then used to identify future unseen instances of bot traffic.
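The pipeline the abstract sketches (flow-level features from a packet trace, a temporal-correlation feature between the execution log and the trace, and a classifier trained on labelled flows) can be illustrated end to end with a small script. The code below is an added example and is not the chapter's own code or tooling: the packet and exedump record layouts, the feature set, the one-second correlation window, the nearest-centroid classifier, and every numeric value in the training rows are constructed assumptions chosen only to make the steps concrete.

```python
"""Flow-level feature extraction, exedump/tcpdump temporal correlation and a
nearest-centroid classifier. Added illustration, not the chapter's code; the
record layouts, feature set and training values below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet trace: (time_s, src, dst, dst_port, proto, bytes).
# The first flow mimics an IRC-style keep-alive (fixed size, fixed period);
# the second mimics a short HTTP fetch (bursty, mixed sizes).
PACKETS = [
    (0.0, "10.0.0.10", "10.0.0.2", 6667, "tcp", 60),
    (30.0, "10.0.0.10", "10.0.0.2", 6667, "tcp", 60),
    (60.0, "10.0.0.10", "10.0.0.2", 6667, "tcp", 61),
    (90.0, "10.0.0.10", "10.0.0.2", 6667, "tcp", 60),
    (120.0, "10.0.0.10", "10.0.0.2", 6667, "tcp", 62),
    (1.0, "10.0.0.11", "10.0.0.3", 80, "tcp", 74),
    (1.2, "10.0.0.11", "10.0.0.3", 80, "tcp", 1460),
    (1.25, "10.0.0.11", "10.0.0.3", 80, "tcp", 1460),
    (1.3, "10.0.0.11", "10.0.0.3", 80, "tcp", 320),
    (5.8, "10.0.0.11", "10.0.0.3", 80, "tcp", 1460),
]
# Constructed execution log (exedump) on the same clock: (time_s, event).
EXEDUMP = [
    (0.4, "sample.exe CreateProcess cmd.exe"),
    (60.3, "sample.exe WriteFile"),
    (90.2, "sample.exe CreateProcess cmd.exe"),
    (200.0, "explorer.exe ReadFile"),
]
# Features fed to the classifier (a constructed choice).
FEATURES = ("mean_gap", "gap_stdev", "size_stdev", "exe_corr")


def group_flows(packets):
    """Group packets by (src, dst, dst_port, proto) into time-sorted lists."""
    flows = defaultdict(list)
    for t, src, dst, port, proto, size in packets:
        flows[(src, dst, port, proto)].append((t, size))
    return {k: sorted(v) for k, v in flows.items()}


def exe_correlation(pkt_times, exe_times, window=1.0):
    """Fraction of packets followed by a process event within `window` s."""
    hits = sum(any(t <= e <= t + window for e in exe_times) for t in pkt_times)
    return hits / len(pkt_times)


def flow_features(pkts, exe_times):
    """Packet-level statistics and timing regularity for one flow."""
    times = [t for t, _ in pkts]
    sizes = [s for _, s in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])]  # inter-arrival times
    return {
        "pkt_count": len(pkts),
        "duration": times[-1] - times[0],
        "mean_size": mean(sizes),
        "size_stdev": pstdev(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "gap_stdev": pstdev(gaps) if gaps else 0.0,
        "exe_corr": exe_correlation(times, exe_times),
    }


def analyse(packets, exedump):
    """Feature dictionary for every flow in the trace."""
    exe_times = [t for t, _ in exedump]
    return {k: flow_features(v, exe_times) for k, v in group_flows(packets).items()}


# Constructed labelled rows standing in for features of known bot/benign traffic.
TRAINING = [
    ("bot", {"mean_gap": 30.0, "gap_stdev": 0.5, "size_stdev": 1.0, "exe_corr": 0.5}),
    ("bot", {"mean_gap": 28.0, "gap_stdev": 1.0, "size_stdev": 2.0, "exe_corr": 0.7}),
    ("benign", {"mean_gap": 0.8, "gap_stdev": 1.5, "size_stdev": 600.0, "exe_corr": 0.0}),
    ("benign", {"mean_gap": 2.0, "gap_stdev": 3.0, "size_stdev": 500.0, "exe_corr": 0.1}),
]


def _scale(feats, lo, hi):
    """Min-max scale so that byte counts do not swamp ratios in the distance."""
    return [(feats[f] - lo[f]) / ((hi[f] - lo[f]) or 1.0) for f in FEATURES]


def classify(feats, training=TRAINING):
    """Nearest-centroid classifier on min-max scaled features."""
    lo = {f: min(r[f] for _, r in training) for f in FEATURES}
    hi = {f: max(r[f] for _, r in training) for f in FEATURES}
    centroids = {}
    for label in {l for l, _ in training}:
        rows = [_scale(r, lo, hi) for l, r in training if l == label]
        centroids[label] = [mean(col) for col in zip(*rows)]
    x = _scale(feats, lo, hi)
    dist = lambda c: sum((a - b) ** 2 for a, b in zip(x, c))
    return min(centroids, key=lambda l: dist(centroids[l]))


if __name__ == "__main__":
    for flow, feats in analyse(PACKETS, EXEDUMP).items():
        print(flow, classify(feats), {f: round(feats[f], 3) for f in FEATURES})
```

On the constructed trace the keep-alive flow shows zero inter-arrival jitter, near-constant packet size and a process event following three of its five packets, while the web flow is bursty with widely varying sizes and no correlated process activity; the classifier labels them `bot` and `benign` respectively. Two design points carry over to real data: the exedump and tcpdump clocks must be the same clock (or aligned) before the correlation feature means anything, and the window width should be chosen from the latency you observe between command receipt and the resulting system call rather than guessed.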