Automatically Generating Models for Botnet Detection

  • Peter Wurzinger
  • Leyla Bilge
  • Thorsten Holz
  • Jan Goebel
  • Christopher Kruegel
  • Engin Kirda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives.


Keywords: Intrusion Detection System; Detection Model; Behavior Cluster; Token Sequence; Network Trace
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Peter Wurzinger (1)
  • Leyla Bilge (2)
  • Thorsten Holz (1, 3)
  • Jan Goebel (3)
  • Christopher Kruegel (4)
  • Engin Kirda (2)

  1. Secure Systems Lab, Vienna University of Technology, Austria
  2. Institute Eurecom, Sophia Antipolis
  3. University of Mannheim, Germany
  4. University of California, Santa Barbara
