Pedram Amini - ICT Department, Malek-Ashtar University of Technology Tehran, Iran
Reza Azmi - Department of Technical and Engineering, Alzahra University Tehran, Iran
MuhammadAmin Araghizadeh - Department of Electrical and Computer Engineering, University of Tehran Tehran, Iran

Among the various forms of malware, botnets are becoming the major threats on the Internet that use for many attacks, such as spam, distributed denial-of-service (DDoS), identity theft andphishing. NetFlow protocol is a standard for monitoring Internet traffic that developed by Cisco Systems. Therefore, it is veryeffective to identifying unusual programs generating illegal traffic, or additional load, and also identification of botnet. Themain goal of this paper is to show a novel approach for botnet detection using data records of NetFlow protocol and clustering technique. Our approach for C&C bot detection is to examine flow characteristics such as IP, port, packet event times and bytes per packet for evidence of botnet activity. First we collectthe flows and refined records based on basic filtering, white list and black list. The remaining records produce a cluster and thecluster refined based on patterns, policies, and another cluster that generated based on reported events, alerts and activities ofnetwork security sensors. We apply hierarchical clustering that allows us to build a dendrogram, i.e., a tree like graph that encodes the relationships among the bots. The merged cluster modifies based on rules and combined with other information about detected infected nodes to reduce false positive.

NetFlow Protocol, C&C Botnet, Hierarchical Clustering, Correlation, Anomaly Detection, Network Security