Abstract: Botnets have turn out to be a most important engines for malicious activities in cyberspace these days. Botnets are the major drivers of cyber attacks, such as distributed denial of service (DDoS), flash crowds, email spamming and information phishing. Both flash crowds and DDoS attacks have extremely related properties in terms of internet traffic. Flash crowds are legal flows whereas DDoS attacks are illegal flows. To maintain their botnets, botnet owners are mimicking valid cyber behavior. This poses a critical confront in anomaly detection. In this work, study of mimicking attacks and detections from both sides, as attackers and defenders is made. First of all, a semi-Markov model for browsing behavior is recognized. Based on this model, a botmasters can create flash crowd effectively in terms of statistics, with a adequate number of active bots(not less than the number of active valid users). But it is hard for botnet owners to gratify the situation to carry out a mimicking attack most of the time. With this new finding, we conclude that mimicking attacks can be discriminated from real flash crowds using second order statistical metrics. When the adequate number condition does not hold for botmasters we detect the mimicking attacks. Detection is proclaimed to the user. Furthermore, the findings can be widely functional to related situations in further research fields.

Keywords: detection; flash crowd attack; mimicking; second order metrics;