A botnet C&C channel is relatively stable and unlikely to change among bots and their variants.
Essential mechanism that allows a Botmaster who control the botnet to direct the actions f bots in a botnet.
C&c channel the weakest link.
detection of C&C channel.

Botmaster interact with the bots by issuing commands and receiving responses in real-time by using IRC PRIVMSG messages.
HTTP based approach which is pull based approach.

Question: Way of communications?
1. IRC
2. HTTP
3. P2P

paper: Study the problems of detecting centralized botnet C&C channels using network anomaly detection techniques.
Main focus: IRC and HTTP based C&C channels.


detection approach that does not require prior knowledge of botnet.
difficulty:
follows normal protocol usage and is similar to normal traffic
traffic volume is low.
very few bot sin the monitored network
encrypted communication

advantage:
demonstrate spatial-temporal correlation and similarities due to nature of their pre-programmed response activities to control commands.
key is synchronized and correlated behavior in the network. Use of sequential hypothesis algorithm for testing.

evaluation: Using real-world network traces. open-source snort