Abstract
Of all current threats to cybersecurity, botnets are at the top of the list. Consequently, interest in this problem is increasing rapidly among the research community, and the number of publications on the question has grown exponentially in recent years. This article proposes a taxonomy of botnet research and presents a survey of the field to provide a comprehensive overview of all these contributions. Furthermore, we hope to provide researchers with a clear perspective of the gaps that remain to be filled in our defenses against botnets. The taxonomy is based upon the botnet's life-cycle, defined as the sequence of stages a botnet needs to pass through in order to reach its goal.
This approach allows us to consider the problem of botnets from a global perspective, which constitutes a key difference from other taxonomies that have been proposed. Under this novel taxonomy, we conclude that all attempts to defeat botnets should be focused on one or more stages of this life-cycle. In fact, the sustained hindering of any of the stages makes it possible to thwart a botnet's progress and thus render it useless. We test the potential capabilities of our taxonomy by means of a survey of current botnet research, and find it genuinely useful in understanding the focus of the different contributions in this field.
- Yan, W., Zhang, Z., and Ansari, N. 2008. Revealing packed malware. IEEE Secur. Privacy 6, 5, 65--69. Google ScholarDigital Library
- Yu, F., Xie, Y., and Ke, Q. 2010a. Sbotminer: Large scale search bot detection. In Proceedings of the 3rd ACM International Conference on Web Search and Data Mining (WSDM'10). 421--430. Google ScholarDigital Library
- Yu, X., Dong, X., Yu, G., Qin, Y., and Yue, D. 2010b. Data-adaptive clustering analysis for online botnet detection. In Proceedings of the 3rd International Joint Conference on Computational Science and Optimization (CSO'10). Vol. 1. 456--460. Google ScholarDigital Library
- Zeidanloo, H., Shooshtari, M., Amoli, P., Safari, M., and Zamani, M. 2010. A taxonomy of botnet detection techniques. In Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT'10). Vol. 2, 158--162.Google Scholar
- Zeng, Y., Hu, X., and Shin, K. G. 2010. Detection of botnets using combined host- and network-level information. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'10). 291--300.Google Scholar
- Zetter, K. 2009. Trick or tweet? Malware abundant in twitter urls. Tech. rep., Kaspersky. http://www.wired.com/threatlevel/2009/10/twitter malware/.Google Scholar
- Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., and Luo, X. 2011. Detecting stealthy p2p botnets using statistical traffic fingerprints. In Proceedings of the 41st IEEE/IFIP International Conference on Dependable Systems Networks (DSN'11). 121--132. Google ScholarDigital Library
- Zhao, Y., Xie, Y., Yu, F., Ke, Q., Yu, Y., Chen, Y., and Gillum, E. 2009. BotGraph: Large scale spamming botnet detection. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI'09). USENIX Association, Berkeley, CA, 321--334. Google ScholarDigital Library
- Zhu, Z., Lu, G., Chen, Y., Fu, Z., Roberts, P., and Han, K. 2008. Botnet research survey. In Proceedings of the 32nd Annual IEEE International Computer Software and Applications (COMPSAC'08). 967--972. Google ScholarDigital Library
- Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., and Zou, W. 2008. Studying malicious websites and the underground economy on the chinese web. In Proceedings of the Workshop on the Economics of Information Security (WEIS'08).Google Scholar