CLC number: TP393.08

On-line Access: 2014-11-07

Received: 2013-08-31

Revision Accepted: 2014-01-23

Crosschecked: 2014-10-15


Journal of Zhejiang University SCIENCE C 2014 Vol.15 No.11 P.943-983

10.1631/jzus.C1300242


Botnet detection techniques: review, future trends, and issues


Author(s):  Ahmad Karim, Rosli Bin Salleh, Muhammad Shiraz, Syed Adeel Ali Shah, Irfan Awan, Nor Badrul Anuar

Affiliation(s):  Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia; more

Corresponding email(s):   ahmadkarim@um.edu.my

Key Words:  Botnet detection, Anomaly detection, Network security, Attack, Defense, Taxonomy



Ahmad Karim, Rosli Bin Salleh, Muhammad Shiraz, Syed Adeel Ali Shah, Irfan Awan, Nor Badrul Anuar. Botnet detection techniques: review, future trends, and issues[J]. Journal of Zhejiang University Science C, 2014, 15(11): 943-983.

@article{title="Botnet detection techniques: review, future trends, and issues",
author="Ahmad Karim, Rosli Bin Salleh, Muhammad Shiraz, Syed Adeel Ali Shah, Irfan Awan, Nor Badrul Anuar",
journal="Journal of Zhejiang University Science C",
volume="15",
number="11",
pages="943-983",
year="2014",
publisher="Zhejiang University Press & Springer",
doi="10.1631/jzus.C1300242"
}



Abstract: 
In recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, the integrity of data transmission on distributed computing platforms is hindered by a number of security issues. The botnet phenomenon, for instance, is a prominent threat to Internet security, including the threat posed by malicious code. Botnets support a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam email, and the building of machines for the illegitimate exchange of information and materials. It is therefore imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussion of the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and identifies the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights their implications and critical aspects by qualitatively analyzing them. Based on this review, we highlight future directions for improving schemes across the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.

Chinese title (translated): Botnet detection techniques: review, development trends, and open issues

Chinese abstract (translated): In recent years, the Internet has enabled people to obtain a wide range of remote services in distributed computing environments. However, a series of security problems affects the integrity of data transmission on distributed computing platforms. For example, the "botnet" (which carries malicious code) is a prominent threat to Internet security. Many criminal activities depend on botnets, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam email, building machines for illegal information exchange, and so on. Therefore, it is necessary to design and build a robust mechanism to improve the process of botnet detection, analysis, and removal. At present, much work has surveyed botnet detection techniques from different perspectives, but these works are limited in scope and lack discussion of the latest techniques. This paper comprehensively reviews the latest botnet detection techniques and points out their development trends; it classifies botnet detection techniques and, through qualitative analysis, highlights the potential implications and key aspects of these techniques. Based on this comprehensive review, it points out directions for improving multiple schemes spanning the entire botnet detection field and identifies the prominent challenges that have long persisted in this field.
Chinese keywords (translated): Botnet detection; anomaly detection; network security; attack; defense; classification



[175]Trend Micro, 2006. Taxonomy of Botnet Threats. Technical Report.

[176]Trend Micro, 2013. Andrameda Botnet. Available from http://blog.trendmicro.com/trendlabs-security-intelligence/andromeda-botnet-gets-an-update/ [Accessed on Nov. 7, 2013].

[177]Truhanov, A., 2010. Russian Botnet Wants to Kill the Competitor. Available from http://safe.cnews.ru/news/top/index.shtml2010/02/10/379202 (in Russian).

[178]Tung, L., 2011. Android DreamDroid Two: Rise of Laced APPs. Available from http://www.itnews.com.au/News/259147/android-dreamdroid-two-rise-of-laced-apps.aspx [Accessed on May 5, 2013].

[179]Vaarandi, R., 2013. Detecting anomalous network traffic in organizational private networks. IEEE Int. Multi-disciplinary Conf. on Cognitive Methods in Situation Awareness and Decision Support, p.2-9.

[180]van Ruitenbeek, E., Sanders, W.H., 2008. Modeling peer-to-peer botnets. IEEE 5th Int. Conf. on Quantitative Evaluation of Systems, p.307-316.

[181]Villamarín-Salomón, R., Brustoloni, J.C., 2008. Identifying botnets using anomaly detection techniques applied to DNS traffic. 5th IEEE Consumer Communications and Networking Conf., p.476-481.

[182]Vishwanath, K.V., Vahdat, A., 2009. Swing: realistic and responsive network traffic generation. IEEE/ACM Trans. Network., 17(3):712-725.

[183]Wang, B., Li, Z., Li, D., et al., 2010. Modeling connections behavior for web-based bots detection. 2nd IEEE Int. Conf. on e-Business and Information System Security, p.1-4.

[184]Wang, C., Li, T., Wang, H., 2009. Botnet detection based on analysis of mail flow. IEEE 2nd Int. Conf. on Biomedical Engineering and Informatics, p.1-4.

[185]Wang, P., Sparks, S., Zou, C., 2007. An Advanced Hybrid Peer-to-Peer Botnet. Available from http://static.usenix.org/event/hotbots07/tech/full_papers/wang/wang_html [Accessed on June 6, 2013].

[186]Wang, P., Sparks, S., Zou, C., 2010. An advanced hybrid peer-to-peer botnet. IEEE Trans. Depend. Secur. Comput., 7(2):113-127.

[187]Wang, W., Fang, B., Zhang, Z., et al., 2009. A novel approach to detect IRC-based botnets. IEEE Int. Conf. on Networks Security, Wireless Communications and Trusted Computing, p.408-411.

[188]Wang, X.R., 2003. Eggdrop. Available from http://www.symantec.com/security_response/writeup.jspdocid=2003-041013-5338-99 [Accessed on July 8, 2013].

[189]Wang, Z., Wang, J., Huang, W., et al., 2010. The detection of IRC botnet based on abnormal behavior. 2nd IEEE Int. Conf. on Multimedia and Information Technology, p.146-149.

[190]Warner, G., 2010. Oleg Nikolaenko, Mega-D Botmaster to Stand Trial. Available from http://garwarner.blogspot.com/2010/12/oleg-nikolaenko-mega-d-botmaster-to.html

[191]Weigle, M.C., Adurthi, P., Hernández-Campos, F., et al., 2006. Tmix: a tool for generating realistic TCP application workloads in ns-2. ACM SIGCOMM Comput. Commun. Rev., 36(3):65-76.

[192]Welch, M.J., Cho, J., Olston, C., 2011. Search result diversity for informational queries. Proc. 20th Int. Conf. on World Wide Web, p.237-246.

[193]Wikipedia, 1998. NetBus. Available from http://en.wikipedia.org/wiki/NetBus [Accessed on Aug. 7, 2013].

[194]Wikipedia, 2013a. Anomaly Detection. Available from http://en.wikipedia.org/wiki/Anomaly_detection [Accessed on Aug. 7, 2013].

[195]Wikipedia, 2013b. Botnets. Available from http://en.wikipedia.org/wiki/Botnet [Accessed on Aug. 7, 2013].

[196]Wikipedia, 2013c. Mariposa Botnet. Available from http://en.wikipedia.org/wiki/Mariposa_botnet [Accessed on Aug. 7, 2013].

[197]Wills, C.E., Mikhailov, M., Shang, H., 2003. Inferring relative popularity of Internet applications by actively querying DNS caches. Proc. 3rd ACM SIGCOMM Conf. on Internet Measurement, p.78-90.

[198]WordPress, 2008. Social VPN. Available from http://socialvpn.wordpress.com/ [Accessed on Dec. 25, 2013].

[199]Wurzinger, P., Bilge, L., Holz, T., et al., 2009. Automatically generating models for botnet detection. Computer Security ESORICS, p.232-249.

[200]Xu, K., Yao, D., Ma, Q., et al., 2011. Detecting infection onset with behavior-based policies. 5th IEEE Int. Conf. on Network and System Security, p.57-64.

[201]Xu, Z., Chen, L., Gu, G., et al., 2012. PeerPress: utilizing enemies’ P2P strength against them. Proc. ACM Conf. on Computer and Communications Security, p.581-592.

[202]Yen, T.F., Reiter, M.K., 2010. Are your hosts trading or plotting Telling P2P file-sharing and bots apart. IEEE 30th Int. Conf. on Distributed Computing Systems, p.241-252.

[203]Ying, L., Yan, Z., Ou, Y.J., 2010. The design and implementation of host-based intrusion detection system. 3rd IEEE Int. Symp. on Intelligent Information Technology and Security Informatics, p.595-598.

[204]Yu, F., Xie, Y., Ke, Q., 2010. SBotMiner: large scale search bot detection. Proc. 3rd ACM Int. Conf. on Web Search and Data Mining, p.421-430.

[205]Yu, X., Dong, X., Yu, G., et al., 2009. Online botnet detection by continuous similarity monitoring. IEEE Int. Symp. on Information Engineering and Electronic Commerce, p.145-149.

[206]Yu, X., Dong, X., Yu, G., et al., 2010. Online botnet detection based on incremental discrete Fourier transform. J. Networks, 5(5):568-576.

[207]Zeidanloo, H.R., Manaf, A.A., 2009. Botnet command and control mechanisms. 2nd IEEE Int. Conf. on Computer and Electrical Engineering, p.564-568.

[208]Zeidanloo, H.R., Shooshtari, M.J.Z., Amoli, P.V., et al., 2010. A taxonomy of botnet detection techniques. 3rd IEEE Int. Conf. on Computer Science and Information Technology, p.158-162.

[209]Zeng, Y., Yan, G., Eidenbenz, S., et al., 2011. Measuring the effectiveness of infrastructure-level detection of large-scale botnets. IEEE 19th Int. Workshop on Quality of Service, p.1-9.

[210]Zhang, J., Luo, X., Perdisci, R., et al., 2011a. Boosting the scalability of botnet detection using adaptive traffic sampling. Proc. 6th ACM Symp. on Information, Computer and Communications Security, p.124-134.

[211]Zhang, J., Perdisci, R., Lee, W., et al., 2011b. Detecting stealthy P2P botnets using statistical traffic fingerprints. IEEE/IFIP 41st Int. Conf. on Dependable Systems & Networks, p.121-132.

[212]Zhao, S., Lee, P.P., Lui, J., et al., 2012. Cloud-based push-styled mobile botnets: a case study of exploiting the cloud to device messaging service. Proc. 28th Annual Computer Security Applications Conf., p.119-128.

[213]Zhao, Y., Xie, Y., Yu, F., et al., 2009. BotGraph: large scale spamming botnet detection. NSDI, 9:321-334.

[214]Zhou, L., Li, Z., Liu, B., 2006. P2P traffic identification by TCP flow analysis. IEEE Int. Workshop on Networking, Architecture, and Storages, p.2.

[215]Zhu, Z., Lu, G., Chen, Y., et al., 2008. Botnet research survey. 32nd Annual IEEE Int. Computer Software and Applications, p.967-972.

[216]Zhuang, L., Dunagan, J., Simon, D.R., et al., 2008. Characterizing botnets from email spam records. Proc. 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats LEET, Article 2, p.1-9.

[217]Zou, C.C., Cunningham, R., 2006. Honeypot-aware advanced botnet construction and maintenance. IEEE Int. Conf. on Dependable Systems and Networks, p.199-208.

Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - Journal of Zhejiang University-SCIENCE