A Taxonomy of Botnet Structures

  • David Dagon
  • Guofei Gu
  • Christopher P. Lee
Part of the Advances in Information Security book series (ADIS, volume 36)


Random Graph Scale Free Network Small World Bandwidth Estimation Random Loss 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Waste: Anonymous, secure, encrypted sharing. http://waste.sourceforge. net/index.php?id=projects, 2007.Google Scholar
  2. 2.
    WineHQ: Windows API Implementation for Li5Dnux., 2007.Google Scholar
  3. 3.
    A.-L. Barabási and R. Albert. Science, 286(509), 1999.Google Scholar
  4. 4.
    R’eka Albert and Alert-László Barabási. Statistical mechanics of complex networks. Reviews of Modern Physics, 74(1), 2002.Google Scholar
  5. 5.
    Réka Albert, Hawoong Jeong, and Alert-Lászloó Barabási. Error and attack tolerance of complex networks. Nature, 406:378=382, 2000.Google Scholar
  6. 6.
    Mark Allman and Vern Paxson. On estimating end-to-end network path properties. In ACM Special Interest Group on Data Communication (SIGCOMM ’99), volume 29, 1999.Google Scholar
  7. 7.
    Michael Bacarella. TMetric bandwidth estimation tool. http://michael., 2007.Google Scholar
  8. 8.
    Paul Barford and Vinod Yegneswaran. An inside look at botnets. In In Series: Advances in Information Security. Springer Verlag, 2006.Google Scholar
  9. 9.
    V.H. Berk, R.S. Gray, and G. Bakos. Using sensor networks and data fusion for early detection of active worms. In Proceedings of the SPIE AeroSense, 2003.Google Scholar
  10. 10.
    B. Bollobás. Random Graphs. Academic Press, 1985.Google Scholar
  11. 11.
    David Brumley. Tracking hackers on IRC. ircmirc/TrackingHackersonIRC.htm, 2003.Google Scholar
  12. 12.
    Edwin Calimbo. Packetnews: The ultimate irc search engine. http://www., 2007.Google Scholar
  13. 13.
    Evan Cooke and Farnam Jahanian. The zombie roundup: Understanding, detecting, and disrupting botnets. In Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI ’05), 2005.Google Scholar
  14. 14.
    David Dagon. The network is the infection. oarc/200507/slides/oarc0507-D\agon.pdf, 2005.Google Scholar
  15. 15.
    David Dagon, Amar Takar, Guofei Gu, Xinzhou Qin, and Wenke Lee. Worm population control through periodic response. Technical report, Georgia Institute of Technology, June 2004.Google Scholar
  16. 16.
    David Dagon, Cliff Zou, and Wenke Lee. Modeling botnet propagation using time zones. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), 2006.Google Scholar
  17. 17.
    Felix C. Freiling, Thorsten Holz, and Georg Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. Technical Report ISSN-0935-3232, RWTH Aachen, April 2005.Google Scholar
  18. 18.
    Jan Goebel and Thorsten Holz. Rishi: Identify bot contaminated hosts by irc nickname evaluation. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.Google Scholar
  19. 19.
    Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, and David Dagon. Peer-to-peer botnets: Overview and case study. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.Google Scholar
  20. 20.
    Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, and Wenke Lee. Bothunter: Detecting malware infection through ids-driven dialog correlation. In 16th USENIX Security Symposium (Security’07), 2007.Google Scholar
  21. 21.
    Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley. Worm detection, early warning and response based on local victim information. In 20th Annual Computer Security Applications Conference (ACSAC), 2004.Google Scholar
  22. 22.
    Christopher Hanna. Using snort to detect rogue IRC bot programs. Technical report, October 2004.Google Scholar
  23. 23.
    Petter Holme, Beom Jun Kim, Chang No Yoon, and Seung Kee Han. Attack vulnerability of complex networks. Phys. Rev., E65(056109), 2002.Google Scholar
  24. 24.
    John Horrigan. Broadband adoption at home in the united states: Growing but slowing., 2005.Google Scholar
  25. 25.
    Manish Jain and Constantinos Dovrolis. End-to-end available bandwidth: Measurement. methodology, dynamics, and relation with tcp. In Special Interest Group on Data Communication (SIGCOMM ’02), 2002.Google Scholar
  26. 26.
    Xuxian Jiang, Dongyan Xu, Helen J. Wang, and Eugene H. Spafford. Virtual playgrounds for worm behavior investigation. Technical Report CERIAS Technical Report (2005-24), Purdue University, February 2005.Google Scholar
  27. 27.
    C. Kalt. Internet relay chat: Architecture., 2000.Google Scholar
  28. 28.
    Anestis Karasaridis, Brian Rexroad, and David Hoeflin. Wide-scale botnet detection and characterization. In USENIX Workshop on Hot Topics in Understanding Botnets (Hot-Bots’07), 2007.Google Scholar
  29. 29.
    Kevin Killourhy, Roy Maxion, and Kymie Tan. A defense-centric taxonomy based on attack manifestations. In International Conference on Dependable Systems and Networks (ICDS’04), 2004.Google Scholar
  30. 30.
    Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi. A taxonomy of computer program security flaws, September 1994.Google Scholar
  31. 31.
    Ulf Lindqvist and Erland Jonsson. How to systematically classify computer security intrusions. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 154–163, 1997.Google Scholar
  32. 32.
    LURHQ. Zindos worm analysis., 2004.Google Scholar
  33. 33.
    Qin Lv, Pei Cao, Edith Cohen, Kai Li, and Scott Shenker. Search and replication in unstructured peer-to-peer networks. In ICS ’02: Proceedings of the 16th international conference on Supercomputing, pages 84–95, New York, NY, USA, 2002. ACM Press.Google Scholar
  34. 34.
    MaxMind LLC. Maxmind - ip geolocation and online fraud prevention., 2007.Google Scholar
  35. 35.
    Trend Micro. Taxonomy of botnet threats. Technical report, Trend Micro White Paper, November 2006.Google Scholar
  36. 36.
    S. Milgram. The small world problem. Psychology Today, 2(60), 1967.Google Scholar
  37. 37.
    D. Moore. Code-red: A case study on the spread and victims of an internet worm., 2002.Google Scholar
  38. 38.
    D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the slammer worm. IEEE Magazine on Security and Privacy, 1(4), July 2003.Google Scholar
  39. 39.
    D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of the IEEE INFOCOM 2003, March 2003.Google Scholar
  40. 40.
    Shishir Nagarja and Ross Anderson. The topology of covert conflict. Technical Report UCAM-CL-TR-637, University of Cambridge, July 2005.Google Scholar
  41. 41.
    Jose Nazario. Botnet tracking: Tools, techniques, and lessons learned. In Black Hat, 2007.Google Scholar
  42. 42.
    M.E.J. Newman, S.H. Strogatz, and D.J. Watts. Random graphs with arbitrary degree distributions and their applications. Phys. Rev., E64(026118), 2001.Google Scholar
  43. 43.
    Nielsen NetRatings. Average web usage. http://www.nielsen-netratings. com/reports.jsp?section=pub_reports&repor%t=usage&period= weekly, 2007.Google Scholar
  44. 44.
    Janak J Parekh. Columbia ids worminator project., 2004.Google Scholar
  45. 45.
    L. Qin, C. Pei, E. Cohen, L. Kai, and S. Scott. Search and replication in unstructured peer-to-peer networks. In 16th ACM International Conference on Supercomputing, 2002.Google Scholar
  46. 46.
    Moheeb Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the 6th ACM SIGCOMM on Internet Measurement (IMC), pages 41–52, 2006.Google Scholar
  47. 47.
    Moheeb Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. My botnet is bigger than yours (maybe, better than yours): Why size estimates remain challenging. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.Google Scholar
  48. 48.
    S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker. A scalable content-addressable network. In Proceedings of the ACM Conference of the Special Interest Group on Data Communication (SIGCOMM), pages 161–172, August 2001.Google Scholar
  49. 49.
    M. Ripeanu, I. Foster, and A. Iamnitchi. Mapping the gnutella network: Properties of large-scale peer-to-peer systems and implications for system design. IEEE Internet Computing Journal, 6(1), 2002.Google Scholar
  50. 50.
    Colleen Shannon and David Moore. The spread of the witty worm. Security & Privacy Magazine, 2(4):46–50, 2004.CrossRefGoogle Scholar
  51. 51.
    Atul Singh, Tsuen-Wan Ngan, Peter Druschel, and Dan Wallach. Eclipse attacks on overlay networks: Threats and defenses. In Proceedings of INFOCOM’06, April 2006.Google Scholar
  52. 52.
    Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, and Hari Balakrishnan. Chord: A scalable peer-to-peer lookup service for internet applications. In Proceedings of the ACM SIGCOMM ’01 Conference, San Diego, California, August 2001.Google Scholar
  53. 53.
    Ryan Vogt and John Aycock. Attack of the 50 foot botnet. Technical report, Department of Computer Science, University of Calgary, August 2006.Google Scholar
  54. 54.
    Ryan Vogt, John Aycock, and Michael Jacobson. Army of botnets. In Proceedings of NDSS’07, 2007.Google Scholar
  55. 55.
    Ping Wang, Sherri Sparks, and Cliff C. Zou. An advanced hybrid peer-to-peer botnet. In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.Google Scholar
  56. 56.
    D.J. Watts and S.H. Strogatz. Nature, 393(440), 1998.Google Scholar
  57. 57.
    N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A taxonomy of computer worms. In 2003 ACM Workshop on Rapid Malcode (WORM’03). ACM SIGSAC, October 2003.Google Scholar
  58. 58.
    Yinglian Xie, Hyang-Ah Kim, David R. O’Hallaron, Michael K. Reiter, and Hui Zhang. Seurat: A pointillist approach to network security, 2004.Google Scholar
  59. 59.
    Y. Zhang and V. Paxson. Detecting stepping stones. In Proceedings of the 9th USENIX Security Symposium, August 2000.Google Scholar
  60. 60.
    C. C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and early warning for internet worms. In Proceedings of 10th ACM Conference on Computer and Communications Security (CCS’03), October 2003.Google Scholar
  61. 61.
    C. C. Zou, W. Gong, and D. Towsley. Code red worm propagation modeling and analysis. In Proceedings of 9th ACM Conference on Computer and Communications Security (CCS’02), October 2002.Google Scholar
  62. 62.
    C. C. Zou, W. Gong, and D. Towsley. Worm propagation modeling and analysis under dynamic quarantine defense. In Proceedings of ACM CCS Workshop on Rapid Malcode (WORM’03), October 2003.Google Scholar
  63. 63.
    C.C. Zou, D. Towsley, W. Gong, and S. Cai. Routing worm: A fast, selective attack worm based on ip address information. Technical Report TR-03-CSE-06, Umass ECE Dept., November 2003.Google Scholar
  64. 64.
    Cliff Zou and Ryan Cunningham. Honeypot-aware advanced botnet construction and maintenance. In International Conference on Dependable Systems and Networks (DSN), pages 199–208, June 2006.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • David Dagon
    • 1
  • Guofei Gu
    • 1
  • Christopher P. Lee
    • 2
  1. 1.School of Computer Science, Georgia Institute of TechnologyAtlanta
  2. 2.School of Electrical and Computer Engineering, Georgia Institute of TechnologyAtlanta

Personalised recommendations