What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2014-02-03

Botnet Detection Techniques

Wikipedia:
What Is a Botnet?
Description:
The tree below summarizes the main classification of botnet detection techniques; the bracketed numbers point to the reference list that follows.
  • Botnet Detection Techniques
    • Honeynet-Based
      • [1, 7, 25, 30, 72, 94-104]
    • Intrusion Detection System (IDS)
      • Signature-Based
        • [82, 107, 108]
      • Anomaly-Based
        • Host-Based
          • [45, 103, 111, 113, 114]
        • Network-Based
          • Active Monitoring
            • [112]
          • Passive Monitoring
            • IRC
              • [1, 82, 110, 115-117]
            • DNS
              • [2, 25, 72, 76, 118]
            • SMTP
              • [9, 119-122]
            • P2P
              • [52, 53, 123-127]
            • Multipurpose
              • [5, 41, 49, 77, 104, 108, 128-131]
References:
[1] E. Cooke, F. Jahanian, D. McPherson, The zombie roundup: understanding, detecting, and disrupting botnets, in: Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, USENIX Association, Berkeley, CA, USA, 2005, p. 6.
[2] H. Choi, H. Lee, H. Kim, BotGAD: detecting botnets by capturing group activities in network traffic, in: Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE, COMSWARE ’09, ACM, New York, NY, USA, 2009, pp. 21–28.
[5] B. AsSadhan, J. Moura, D. Lapsley, C. Jones, W. Strayer, Detecting botnets using command and control traffic, in: Eighth IEEE International Symposium on Network Computing and Applications, NCA 2009, 2009, pp. 156–162.
[7] P. Bacher, T. Holz, M. Kotter, G. Wicherski, Know Your Enemy: Tracking Botnets (using honeynets to learn more about bots), Technical Report, The Honeynet Project, 2008.
[9] G. Stringhini, T. Holz, B. Stone-Gross, C. Kruegel, G. Vigna, BOTMAGNIFIER: locating spambots on the internet, in: Proceedings of the 20th USENIX conference on Security, SEC’11, USENIX Association, Berkeley, CA, USA, 2011, p. 28.
[25] M.A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, A multifaceted approach to understanding the botnet phenomenon, in: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC’06, ACM, New York, NY, USA, 2006, pp. 41–52.
[30] F.C. Freiling, T. Holz, G. Wicherski, Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks, in: S. de Capitani di Vimercati, P. Syverson, D. Gollmann (Eds.), Computer Security – ESORICS 2005, Lecture Notes in Computer Science, vol. 3679, Springer, Berlin/Heidelberg, 2005, pp. 319–335. 10.1007/11555827_19.
[41] T. Yen, M.K. Reiter, Traffic aggregation for malware detection, in: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA’08, Springer-Verlag, Berlin, Heidelberg, 2008, pp. 207–227.
[45] L. Liu, S. Chen, G. Yan, Z. Zhang, BotTracer: execution-based bot-like malware detection, in: T. Wu, C. Lei, V. Rijmen, D. Lee (Eds.), Information Security, Lecture Notes in Computer Science, vol. 5222, Springer, Berlin/Heidelberg, 2008, pp. 97–113. 10.1007/978-3-540-85886-7_7.
[49] G. Gu, J. Zhang, W. Lee, BotSniffer – detecting botnet command and control channels in network traffic, in: 15th Annual Network & Distributed System Security Symposium, The Internet Society (ISOC), San Diego, 2008.
[52] T. Holz, M. Steiner, F. Dahl, E. Biersack, F. Freiling, Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm, in: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, USENIX Association, Berkeley, CA, USA, 2008.
[53] C. Davis, J. Fernandez, S. Neville, J. McHugh, Sybil attacks as a mitigation strategy against the storm botnet, in: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, 2008, pp. 32–40.
[72] D. Dagon, C. Zou, W. Lee, Modeling botnet propagation using time zones, in: Proceedings of the 13th Network and Distributed System Security Symposium NDSS.
[76] A. Ramachandran, N. Feamster, D. Dagon, Revealing botnet membership using DNSBL counter-intelligence, in: Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, vol. 2, USENIX Association, Berkeley, CA, USA, 2006, p. 8.
[77] G. Gu, R. Perdisci, J. Zhang, W. Lee, BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection, in: Proceedings of the 17th Conference on Security Symposium, USENIX Association, Berkeley, CA, USA, 2008, pp. 139–154.
[82] J. Goebel, T. Holz, Rishi: identify bot contaminated hosts by IRC nickname evaluation, in: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, USENIX Association, Berkeley, CA, USA, 2007, p. 8.
[94] N. Provos, A virtual honeypot framework, in: Proceedings of the 13th Conference on USENIX Security Symposium, SSYM’04, vol. 13, USENIX Association, Berkeley, CA, USA, 2004, p. 1.
[95] B. McCarty, Botnets: big and bigger, Security Privacy, IEEE 1 (2003) 87–90.
[96] A. Ramachandran, N. Feamster, Understanding the network-level behavior of spammers, SIGCOMM Computer Communication Review 36 (2006) 291–302.
[97] P. Barford, V. Yegneswaran, An inside look at botnets, in: M. Christodorescu, S. Jha, D. Maughan, D. Song, C. Wang (Eds.), Malware Detection, Advances in Information Security, vol. 27, Springer, US, 2007, pp. 171–191. 10.1007/978-0-387-44599-1_8.
[98] J. Oberheide, M. Karir, Z.M. Mao, Characterizing dark DNS behavior, in: Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA’07, Springer-Verlag, Berlin, Heidelberg, 2007, pp. 140–156.
[99] Z. Li, A. Goyal, Y. Chen, V. Paxson, Automating analysis of large-scale botnet probing events, in: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS’09, ACM, New York, NY, USA, 2009, pp. 11–22.
[100] B.B. Kang, E. Chan-Tin, C.P. Lee, J. Tyra, H.J. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, Y. Kim, Towards complete node enumeration in a peer-to-peer botnet, in: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS’09, ACM, New York, NY, USA, 2009, pp. 23–34.
[101] M. Cremonini, M. Riccardi, The dorothy project: an open botnet analysis framework for automatic tracking and activity visualization, in: European Conference on Computer Network Defense (EC2ND), 2009, pp. 52–54.
[102] V. Pham, M. Dacier, Honeypot traces forensics: the observation viewpoint matters, in: Third International Conference on Network and System Security, NSS’09, 2009, pp. 365–372.
[103] M. Szymczyk, Detecting botnets in computer networks using multi-agent technology, in: Fourth International Conference on Dependability of Computer Systems, DepCos-RELCOMEX’09, 2009, pp. 192–201.
[104] K. Rieck, G. Schwenk, T. Limmer, T. Holz, P. Laskov, Botzilla: detecting the “phoning home” of malicious software, in: Proceedings of the 2010 ACM Symposium on Applied Computing, SAC’10, ACM, New York, NY, USA, 2010, pp. 1978–1984.
[107] Y. Kugisaki, Y. Kasahara, Y. Hori, K. Sakurai, Bot detection based on traffic analysis, in: The 2007 International Conference on Intelligent Pervasive Computing, IPC, 2007, pp. 303–306.
[108] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, E. Kirda, Automatically generating models for botnet detection, in: M. Backes, P. Ning (Eds.), Computer Security – ESORICS 2009, Lecture Notes in Computer Science, vol. 5789, Springer, Berlin/Heidelberg, 2009, pp. 232–249. 10.1007/978-3-642-04444-1_15.
[110] J.R. Binkley, S. Singh, An algorithm for anomaly-based botnet detection, in: Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, vol. 2, USENIX Association, Berkeley, CA, USA, 2006, p. 7.
[111] E. Stinson, J.C. Mitchell, Characterizing bots’ remote control behavior, in: Proceedings of the 4th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA’07, Springer-Verlag, Berlin, Heidelberg, 2007, pp. 89–108.
[112] G. Gu, V. Yegneswaran, P. Porras, J. Stoll, W. Lee, Active botnet probing to identify obscure command and control channels, in: Computer Security Applications Conference, ACSAC’09, Annual, 2009, pp. 241–253.
[113] M. Masud, T. Al-khateeb, L. Khan, B. Thuraisingham, K. Hamlen, Flow-based identification of botnet traffic by mining multiple log files, in: First International Conference on Distributed Framework and Applications, DFmA 2008, 2008, pp. 200–206.
[114] K. Xu, D. Yao, Q. Ma, A. Crowell, Detecting infection onset with behavior-based policies, in: 5th International Conference on Network and System Security (NSS), 2011, pp. 57–64.
[115] A. Karasaridis, B. Rexroad, D. Hoeflin, Wide-scale botnet detection and characterization, in: Proceedings of the First conference on First Workshop on Hot Topics in Understanding Botnets, USENIX Association, Berkeley, CA, USA, 2007, p. 7.
[116] W. Strayer, D. Lapsley, R. Walsh, C. Livadas, Botnet detection based on network behavior, in: W. Lee, C. Wang, D. Dagon (Eds.), Botnet Detection, Advances in Information Security, vol. 36, Springer, US, 2008, pp. 1–24. 10.1007/978-0-387-68768-1_1.
[117] W. Lu, A. Ghorbani, Botnets detection based on IRC-Community, in: IEEE Global Telecommunications Conference, GLOBECOM 2008, IEEE, 2008, pp. 1–5.
[118] R. Villamarin-Salomon, J. Brustoloni, Identifying botnets using anomaly detection techniques applied to DNS traffic, in: 5th IEEE Consumer Communications and Networking Conference, CCNC 2008, 2008, pp. 476–481.
[119] H. Husna, S. Phithakkitnukoon, S. Palla, R. Dantu, Behavior analysis of spam botnets, in: 3rd International Conference on Communication Systems Software and Middleware and Workshops, COMSWARE 2008, 2008, pp. 246–253.
[120] L. Zhuang, J. Dunagan, D.R. Simon, H.J. Wang, J.D. Tygar, Characterizing botnets from email spam records, in: Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, USENIX Association, Berkeley, CA, USA, 2008, pp. 2:1–2:9.
[121] Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen, E. Gillum, BotGraph: large scale spamming botnet detection, in: Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, NSDI’09, USENIX Association, Berkeley, CA, USA, 2009, pp. 321–334.
[122] J. P. John, A. Moshchuk, S.D. Gribble, A. Krishnamurthy, Studying spamming botnets using botlab, in: Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, NSDI’09, USENIX Association, Berkeley, CA, USA, 2009, pp. 291–306.
[123] J. Zhang, R. Perdisci, W. Lee, U. Sarfraz, X. Luo, Detecting stealthy P2P botnets using statistical traffic fingerprints, in: DSN 2011, IEEE Computer Society, Los Alamitos, CA, USA, 2011, pp. 121–132.
[124] D. Liu, Y. Li, Y. Hu, Z. Liang, A P2P-botnet detection model and algorithms based on network streams analysis, IEEE Computer Society, Changzhou, China, 2010, pp. 55–58.
[125] W.-H. Liao, C.-C. Chang, Peer to peer botnet detection using data mining scheme, in: International Conference on Internet Technology and Applications, IEEE Computer Society, 2010, pp. 1–4.
[126] X. Yu, X. Dong, G. Yu, Y. Qin, D. Yue, Y. Zhao, Online botnet detection based on incremental discrete Fourier transform, Journal of Networks 5 (2010).
[127] S. Nagaraja, P. Mittal, C.-Y. Hong, M. Caesar, N. Borisov, BotGrep: finding P2P bots with structured graph analysis, in: Proceedings of the 19th USENIX Conference on Security, USENIX Security’10, USENIX Association, Berkeley, CA, USA, 2010, p. 7.
[128] G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, in: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, USENIX Association, Berkeley, CA, USA, 2007, pp. 12:1–12:16.
[129] F. Mansmann, F. Fischer, D.A. Keim, S.C. North, Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations, in: Proceedings of the Symposium on Computer Human Interaction for the Management of Information Technology, CHiMiT ’09, ACM, New York, NY, USA, 2009, pp. 3:19–3:28.
[130] S. Gianvecchio, M. Xie, Z. Wu, H. Wang, Measurement and classification of humans and bots in internet chat, in: Proceedings of the 17th Conference on Security Symposium, USENIX Association, Berkeley, CA, USA, 2008, p. 155.
[131] F. Giroire, J. Chandrashekar, N. Taft, E. Schooler, D. Papagiannaki, Exploiting temporal persistence to detect covert botnet channels, in: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID ’09, Springer-Verlag, Berlin, Heidelberg, 2009, pp. 326–345.