Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations


Description

We present a novel anomaly-based detection approach capable
of detecting botnet Command and Control traffic in an enterprise
network by estimating the trustworthiness of the traffic destinations.
A traffic flow is classified as anomalous if its destination identifier does
not originate from: human input, prior traffic from a trusted destination, or
a defined set of legitimate applications. This allows for real-time detection
of diverse types of Command and Control traffic. The detection
approach and its accuracy are evaluated by experiments in a controlled
environment.



Publication date

Type

Document (PDF)

Usage rights
Not known
Access rights

Open Access

DOI

Not known