Survey and taxonomy of botnet research through life-cycle

Published: 30 August 2013

Abstract

Of all current threats to cybersecurity, botnets are at the top of the list. In consequence, interest in this problem is increasing rapidly among the research community and the number of publications on the question has grown exponentially in recent years. This article proposes a taxonomy of botnet research and presents a survey of the field to provide a comprehensive overview of all these contributions. Furthermore, we hope to provide researchers with a clear perspective of the gaps that remain to be filled in our defenses against botnets. The taxonomy is based upon the botnet's life-cycle, defined as the sequence of stages a botnet needs to pass through in order to reach its goal.

This approach allows us to consider the problem of botnets from a global perspective, which constitutes a key difference from other taxonomies that have been proposed. Under this novel taxonomy, we conclude that all attempts to defeat botnets should be focused on one or more stages of this life-cycle. In fact, the sustained hindering of any of the stages makes it possible to thwart a botnet's progress and thus render it useless. We test the potential capabilities of our taxonomy by means of a survey of current botnet research, and find it genuinely useful in understanding the focus of the different contributions in this field.

  129. Stover, S., Dittrich, D., Hernandez, J., and Dietrich, S. 2007. Analysis of the storm and nugache trojans: P2P is here. USENIX 32, 6, 46--63.Google ScholarGoogle Scholar
  130. Strayer, W., Lapsely, D.,Walsh, R., and Livadas, C. 2008. Botnet detection based on network behavior. In Botnet Detection. Advances in Information Security Series, vol. 36, Springer, 1--24.Google ScholarGoogle Scholar
  131. Symantec. 2008. Symantec global internet security threat report, trends for july- december 07. Tech. rep. http://eval.symantec.com/mktginfo/enterprise/white papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf.Google ScholarGoogle Scholar
  132. Symantec. 2010. Symantec global internet security threat report trends of 2009. Tech. rep. DIY kit of Turkojan, Symantec. TURKOJAN. http://www.turkojan.com/eng/.Google ScholarGoogle Scholar
  133. van der Merwe, A., Loock, M., and Dabrowski, M. 2005. Characteristics and responsibilities involved in a phishing attack. In Proceedings of the 4th International Symposium on Information and Communication Technologies (WISICT'05). 249--254. Google ScholarGoogle ScholarDigital LibraryDigital Library
  134. Villamarin-Salomon, R. and Brustoloni, J. C. 2008. Identifying botnets using anomaly detection techniques applied to DNS traffic. In Proceedings of the 5th IEEE Consumer Communications and Networking Conference (CCNC'08). 476--481.Google ScholarGoogle Scholar
  135. Wang, P., Sparks, S., and Zou, C. 2010a. An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7, 2, 113--127. Google ScholarGoogle ScholarDigital LibraryDigital Library
  136. Wang, P., Wu, L., Aslam, B., and Zou, C. C. 2009a. A systematic study on peer-to-peer botnets. http://www.eecs.ucf.edu/∼czou/research/P2P-Botnet-ICCCN09.pdf.Google ScholarGoogle Scholar
  137. Wang, P., Wu, L., Cunningham, R., and Zou, C. C. 2010b. Honeypot detection in advanced botnet attacks. Int. J. Inf. Comput. Secur. 4, 30--51. Google ScholarGoogle ScholarDigital LibraryDigital Library
  138. Wang, W., Fang, B., Zhang, Z., and Li, C. 2009b. A novel approach to detect IRC-based botnets. In Proceedings of the International Conference on Networks Security, Wireless Communications and Trusted Computing. Vol. 1. 408--411. Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. Weber, T. 2007. Criminals may overwhelm the web. Tech. rep., BBC News. http://news.bbc.co.uk/2/hi/business/6298641.stm.Google ScholarGoogle Scholar
  140. Wilbur, K. C. and Zhu, Y. 2009. Click fraud. Market. Sci. 28, 293--308. Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. Wilson, C. 2007. Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for congress. Tech. rep., CRS Report for Congress. http://www.fas.org/sgp/crs/terror/RL32114.pdf.Google ScholarGoogle Scholar
  142. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., and Kirda, E. 2009. Automatically generating models for botnet detection. In Proceedings of the 14th European Conference on Research in Computer Security (ESORICS'09). Springer, 232--249. Google ScholarGoogle ScholarDigital LibraryDigital Library
  143. Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., and Osipkov, I. 2008. Spamming botnets: Signatures and characteristics. In Proceedings of the ACM SIGCOMM Conference on Data Communication (SIGCOMM'08). 171--182. Google ScholarGoogle ScholarDigital LibraryDigital Library
  144. Yadav, S., Reddy, A. K. K., Reddy, A. N., and Ranjan, S. 2010. Detecting algorithmically generated malicious domain names. In Proceedings of the 10th Annual Conference on Internet Measurement (IMC'10). ACM Press, New York, 48--61. Google ScholarGoogle ScholarDigital LibraryDigital Library
  145. Yadav, S. and Reddy, A. N. 2011. Winning with DNS failures: Strategies for faster botnet detection. In Proceedings of the 7th International ICST Conference on Security and Privacy in Communication Networks (SecureComm'11).Google ScholarGoogle Scholar
  146. Yan, W., Zhang, Z., and Ansari, N. 2008. Revealing packed malware. IEEE Secur. Privacy 6, 5, 65--69. Google ScholarGoogle ScholarDigital LibraryDigital Library
  147. Yu, F., Xie, Y., and Ke, Q. 2010a. Sbotminer: Large scale search bot detection. In Proceedings of the 3rd ACM International Conference on Web Search and Data Mining (WSDM'10). 421--430. Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Yu, X., Dong, X., Yu, G., Qin, Y., and Yue, D. 2010b. Data-adaptive clustering analysis for online botnet detection. In Proceedings of the 3rd International Joint Conference on Computational Science and Optimization (CSO'10). Vol. 1. 456--460. Google ScholarGoogle ScholarDigital LibraryDigital Library
  149. Zeidanloo, H., Shooshtari, M., Amoli, P., Safari, M., and Zamani, M. 2010. A taxonomy of botnet detection techniques. In Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT'10). Vol. 2, 158--162.Google ScholarGoogle Scholar
  150. Zeng, Y., Hu, X., and Shin, K. G. 2010. Detection of botnets using combined host- and network-level information. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'10). 291--300.Google ScholarGoogle Scholar
  151. Zetter, K. 2009. Trick or tweet? Malware abundant in twitter urls. Tech. rep., Kaspersky. http://www.wired.com/threatlevel/2009/10/twitter malware/.Google ScholarGoogle Scholar
  152. Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., and Luo, X. 2011. Detecting stealthy p2p botnets using statistical traffic fingerprints. In Proceedings of the 41st IEEE/IFIP International Conference on Dependable Systems Networks (DSN'11). 121--132. Google ScholarGoogle ScholarDigital LibraryDigital Library
  153. Zhao, Y., Xie, Y., Yu, F., Ke, Q., Yu, Y., Chen, Y., and Gillum, E. 2009. BotGraph: Large scale spamming botnet detection. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI'09). USENIX Association, Berkeley, CA, 321--334. Google ScholarGoogle ScholarDigital LibraryDigital Library
  154. Zhu, Z., Lu, G., Chen, Y., Fu, Z., Roberts, P., and Han, K. 2008. Botnet research survey. In Proceedings of the 32nd Annual IEEE International Computer Software and Applications (COMPSAC'08). 967--972. Google ScholarGoogle ScholarDigital LibraryDigital Library
  155. Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., and Zou, W. 2008. Studying malicious websites and the underground economy on the chinese web. In Proceedings of the Workshop on the Economics of Information Security (WEIS'08).Google ScholarGoogle Scholar

Reviews

Soon Ae Chun

A botnet is a network of infected machines (bots) that are controlled and ordered by the botmaster to execute diverse attacks, such as denial-of-service (DoS), spam distribution, and phishing. The life cycle of a botnet begins with the conception stage, followed by the recruitment stage, the interaction stage, and the marketing stage, and concludes with attack execution. The authors use this botnet life cycle to build a taxonomy of research works. Research on the conception stage includes studies on specific botnet infiltration strategies such as honeypots or domain name predictions, the study of botnet actions or general network characteristics, and the design of new botnets. For the recruitment (infection) stage, research focuses on botnet probes and spreading models, location- and time-dependent propagation models, drive-by download infections, malicious content injections, and the detection of recruitment operations. The interaction stage involves the internal and external communications between the botmaster and among the bots. Here, the research focuses on command and control (C&C) server detection and identification. This may be done by collecting bot behavior data or analyzing communication protocols, or by the disruption of malware interactions using pollution attacks or content poisoning. In the marketing stage, the botmaster needs to advertise the botnet for profit, especially in the underground economy. The research studies in this area address advertisement analysis by crawling and monitoring the marketing channels, such as black market forums and social networks, and monetization analysis by estimating the botnet purchase volumes, including the purchase of botnet source codes and do-it-yourself (DIY) kits and botnet rental. Finally, in the execution stage, the research studies include detection of botnet members, query log analysis to identify stealthy bot traffic, spam botnet detection, or distributed DoS detection.

Other work focuses on the detection of hiding mechanisms common in botnets, such as multihopping, ciphering, binary obfuscation, polymorphism, Internet protocol (IP) spoofing, email spoofing, and fast-flux networks. The authors offer some suggestions for future research, including botnet prediction techniques, impact estimation, and attacks against mobile technologies. This paper will be a useful reference for software developers, who will gain an understanding of the possible botnet attacks and the known defense mechanisms for more secure software design. It provides an excellent literature survey for graduate students and researchers, as well as for industry information security managers.

Online Computing Reviews Service
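The review names C&C detection, domain-name prediction and fast-flux networks only at survey level. The following is an added example, not code from the surveyed article or its reviewer: a small Python detector that applies two DNS-side heuristics a defender would run at the interaction stage. One flags clients whose queries show the NXDOMAIN-heavy, high-entropy pattern of algorithmically generated C&C domains; the other flags names whose answers rotate through many addresses with short TTLs, the fast-flux hiding mechanism the review mentions. The resolver log format, the sample clients and domains, and every threshold are assumptions chosen for illustration, not values reported by any of the surveyed works.

```python
"""DNS-side heuristics for two botnet hiding mechanisms: DGA C&C domains and
fast-flux hosting. Added example; log format, hosts and thresholds are assumed."""
import math
from collections import defaultdict

# Constructed resolver log: "client qname rcode answer ttl" ("-" when no answer).
# 10.0.0.7 mimics a bot walking a domain-generation list; cdn.shop-deals.example
# mimics a fast-flux name; the other lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 93.184.216.34 3600
10.0.0.5 mail.example.com NOERROR 93.184.216.35 3600
10.0.0.7 xk3qzv9d1pa8ncl.com NXDOMAIN - -
10.0.0.7 q8v1mzk7ytpd2s.net NXDOMAIN - -
10.0.0.7 p0lw4ktjm2zx9c.org NXDOMAIN - -
10.0.0.7 z9ktm5qx2plwa7.biz NXDOMAIN - -
10.0.0.7 c4wbqk9dlm31n.info NXDOMAIN - -
10.0.0.7 tn6hp3zqv8mldk.com NOERROR 198.51.100.9 60
10.0.0.9 cdn.shop-deals.example NOERROR 203.0.113.10 30
10.0.0.9 cdn.shop-deals.example NOERROR 203.0.113.77 30
10.0.0.9 cdn.shop-deals.example NOERROR 198.51.100.200 30
10.0.0.9 cdn.shop-deals.example NOERROR 192.0.2.45 30
10.0.0.9 cdn.shop-deals.example NOERROR 192.0.2.130 30
10.0.0.9 cdn.shop-deals.example NOERROR 203.0.113.201 30
"""


def parse_log(text):
    """Parse the constructed 'client qname rcode answer ttl' format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode, answer, ttl = line.split()
        records.append({
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": None if answer == "-" else answer,
            "ttl": None if ttl == "-" else int(ttl),
        })
    return records


def shannon_entropy(s):
    """Character entropy in bits; random-looking DGA labels score near log2(len)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-level label. Simplification: ignores public suffixes such as co.uk."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_suspects(records, min_queries=5, min_nx_ratio=0.6, min_entropy=3.0):
    """Clients whose lookups are mostly NXDOMAIN for high-entropy names.

    A bot probing a generated domain list resolves many names that were never
    registered, so NXDOMAIN dominates and the labels look random. Thresholds
    are assumed; tune them against your own resolver baseline.
    """
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    suspects = set()
    for client, recs in per_client.items():
        if len(recs) < min_queries:
            continue
        nx_ratio = sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs)
        mean_entropy = sum(
            shannon_entropy(registered_label(r["qname"])) for r in recs) / len(recs)
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            suspects.add(client)
    return suspects


def fast_flux_suspects(records, max_ttl=300, min_distinct_ips=5):
    """Names answered with many distinct addresses at short TTL.

    Fast-flux C&C fronts rotate compromised hosts behind one name, which shows
    up as a wide, fast-changing address set. CDNs look similar, so allowlist
    known providers before acting on a hit.
    """
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r["rcode"] == "NOERROR" and r["answer"]:
            ips[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return {q for q in ips
            if len(ips[q]) >= min_distinct_ips and min(ttls[q]) <= max_ttl}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects:", sorted(dga_suspects(recs)))
    print("fast-flux suspects:", sorted(fast_flux_suspects(recs)))
```

Both heuristics are deliberately crude: NXDOMAIN bursts also come from misconfigured software and typo traffic, and short-TTL, many-address answers are exactly what legitimate CDNs return. In practice they serve as a first-stage filter whose hits are then correlated with the host-level and traffic-behavior evidence the survey groups under the interaction and execution stages.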


• Published in

  ACM Computing Surveys, Volume 45, Issue 4
  August 2013
  490 pages
  ISSN: 0360-0300
  EISSN: 1557-7341
  DOI: 10.1145/2501654

        Copyright © 2013 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 30 August 2013
        • Revised: 1 July 2012
        • Accepted: 1 July 2012
        • Received: 1 July 2011
        Published in csur Volume 45, Issue 4


        Qualifiers

        • research-article
        • Research
        • Refereed
