Feature Selection Strategies for HTTP Botnet Traffic Detection

2019 
We report on an HTTP botnet detection strategy based on behavioral analysis of raw traffic data, with the aim of minimizing the resources necessary for detection. It involves the selective choice of characteristic traffic features and their extraction with engineered probes, in a context of evolving malicious traffic. We develop the extraction software for eight selected features and experiment with a Multilayer Perceptron Classifier (MLP) over a benchmark traffic dataset for botnet detection, achieving a good 98.03% accuracy. In an effort to optimize the classifier's overall performance by reducing data redundancy, we compute statistics on Decision Tree Classifiers (DT) in order to rank features and observe that, by dropping a few of the lowest-ranked ones (3), we can maintain MLP accuracy at 97.54% while reducing probing resources and costs. By means of mutual partition entropy computation, we obtain a small further improvement in MLP performance, avoid the lengthy process of running the DT statistics on actual data, and boost the ranking and selection process.