Ant-Based Botnet C&C Server Traceback

  • Chia-Mei Chen
  • Gu-Hsin Lai
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 733)


Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence; therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and control server (C2 server or C&C server) through which the bot herder instructs zombie machines to launch attacks. A commonly used protocol, such as IRC (Internet Relay Chat) or HTTP, is adopted to communicate between bot ma-chines and the server. In addition, some advanced botnets might have multiple C2 servers to evade detection and to extend the life time. Therefore, identifying the C2 server is important to prevent botnet attacks or further damage. In this paper, detection scheme based on ant colony optimization algorithm is proposed to identify the paths from bot machines to the C2 server. The results show that the proposed detection can identify botnet servers efficiently.


Botnet Anomaly detection Ant colony optimization 



The study is based on the work sponsored by the Ministry of Science and Technology under the grant MOST 106-2221-E-110-017-MY3.


  1. 1.
    Akiyama, M., Kawamoto, T., Shimamura, M., Yokoyama, T., Kadobayashi, Y., Yamaguchi, S.: A proposal of metrics for botnet detection based on its cooperative behavior. In: SAINT Workshops, p. 82 (2007)Google Scholar
  2. 2.
    AsSadhan, B., Moura, J.M.F., Lapsley, D.E.: Periodic behavior in botnet command and control channels traffic. In: GLOBECOM, pp. 1–6 (2009)Google Scholar
  3. 3.
    Choi, H., Lee, H., Kim, H.: BotGAD: detecting botnets by capturing group activities in network traffic. In: Proceedings of the Fourth International ICST Conference on Communication System Software and Middleware (2009)Google Scholar
  4. 4.
    Dorigo, M., Maniezzo, V., Colorni, A.: The ant system: optimization by a colony of cooperating agents. J. IEEE Trans. Syst. 26(1), 1–13 (1996)Google Scholar
  5. 5.
    Kondo, S., Sato, N.: Botnet traffic detection techniques by C&C session classification using SVM. In: International Workshop on Security, pp. 91–104 (2007)Google Scholar
  6. 6.
    Lai, G.H., Chen, C.M., Jeng, B.C., Chao, W.: Ant-based IP traceback. Exp. Syst. Appl. 34(4), 3071–3080 (2008)CrossRefGoogle Scholar
  7. 7.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. In: SIGCOMM, pp. 217–228 (2005)Google Scholar
  8. 8.
    Livadas, C., Walsh, R., Lapsley, D.E., Strayer, W.T.: Using machine learning techniques to identify botnet traffic. In: 31st IEEE Conference on Local Computer Networks, pp. 967–974 (2006)Google Scholar
  9. 9.
    Lu, W., Rammidi, G., Ghorbani, A.A.: Clustering botnet communication traffic based on n-gram feature selection. In: Proceedings of Computer Communications, pp. 502–514 (2011)Google Scholar
  10. 10.
    McGrath, D.K., Kalafut, A.J., Gupta, M.: Phishing infrastructure fluxes all the way. IEEE Secur. Priv. Mag. 7(5), 21–28 (2009)CrossRefGoogle Scholar
  11. 11.
    Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: Proceedings of the 3th International Malicious and Unwanted Software (Malware), pp. 24–31 (2008)Google Scholar
  12. 12.
    Ranjan, S., Swaminathan, R., Uysal, M., Nucci, A., Knightly, E.: DDoS-shield: DDoS-resilient scheduling to counter application layer attacks. IEEE/ACM Trans. Networking 17(1), 26–39 (2009)CrossRefGoogle Scholar
  13. 13.
    Strayer, W.T., Walsh, R., Livadas, C., Lapsley, D.E.: Detecting botnets with tight command and control. In: 31st IEEE Conference on Local Computer Networks, pp. 95–202 (2006)Google Scholar
  14. 14.
    Subramanian, D., Druschel, P., Chen, J.: Ants and reinforcement learning: a case study in routing in dynamic networks. In: Proceedings of International Joint Conference on Artificial Intelligence, pp. 832–839 (1997)Google Scholar
  15. 15.
    Trend Micro, Botnet threats and solutions: phishing (2006).
  16. 16.
    Wang, P., Lin, H.T., Wang, T.S.: A revised ant colony optimization scheme for discovering attack paths of botnet. In: IEEE International Conference on Parallel and Distributed Systems, pp. 918–923 (2011)Google Scholar
  17. 17.
    Wu, J., Zhang, L., Liang, J., Qu, S., Ni, Z.: A comparative study for fast-flux service networks detection. In: Sixth International Conference on Networked Computing and Advanced Information Management, pp. 346–350 (2010)Google Scholar
  18. 18.
    Yen, T.F., Reiter, M.K.: Traffic aggregation for malware detection. In: Lecture Notes in Computer Science, pp. 207–227 (2008)Google Scholar
  19. 19.
    Zhu, Z., Lu, G., Chen, Y., Fu, Z., Roberts, P., Han, K.: Botnet research survey. In: 32nd Annual IEEE International Conference in Computer Software and Application, pp. 967–972 (2008)Google Scholar
  20. 20.
    Upton, G.: An ant colony optimization algorithm for the stable roommates (2002).
  21. 21.
    Huang, C.Y.: Effective bot host detection based on network failure models. Comput. Netw. 57(2), 514–525 (2013)CrossRefGoogle Scholar
  22. 22.
  23. 23.
  24. 24.
  25. 25.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of Information ManagementNational Sun Yat-sen UniversityKaohsiungTaiwan
  2. 2.Department of Technology Crime InvestigationTaiwan Police CollegeTaipeiTaiwan

Personalised recommendations