
International Conference on Research Advances in Integrated Navigation Systems (RAINS - 2016),

April 06-07, 2016, R. L. Jalappa Institute of Technology, Doddaballapur, Bangalore, India

Analysis on Botnet Detection Techniques

Asha S, M.Tech Student, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, asha.kulathinkara@gmail.com

Harsha T, M.Tech Student, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, harshat91@gmail.com

Soniya B, Associate Professor, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, soniya.balram@gmail.com

Abstract: Botnet detection plays an important role in network security. A botnet is a collection of compromised computers called bots. Many detection techniques are available for detecting the presence of bots in a network; the network-based detection method is one of the most efficient of them. This paper reviews four different botnet detection techniques and compares them.

Keywords: bots; botnet; C&C server; DNS; IRC server

I. INTRODUCTION

The Internet has been frequently threatened by various types of attacks such as viruses and worms. These attacks have a negative impact on the network, resulting in network congestion, wasted network bandwidth and corruption of users' computers and data. In addition, some of these attacks are used to take control of Internet hosts and then use those hosts to launch denial-of-service (DoS) attacks against other entities [1]. If an attacker can gain access to network hosts, this can lead to enormous damage to the network, such as the disruption of e-commerce sites, news outlets, network infrastructure, routers and root name servers.

In modern life, malware (malicious software) has occupied an important position. From the earliest use of programmable systems, techniques to infect those systems with software containing malicious code have existed, but in the past the malware often had only a limited or local impact [2]. The success of the network has become the starting point for malicious infections that affect several million systems around the world. Thus, remotely controlled networks of hijacked computers, so-called botnets, became popular. Botnets are collections of compromised, remotely controlled computer systems. The main purposes of a botnet include the distribution of email spam, DDoS (distributed DoS) attacks and the distribution of malicious software.

The word botnet is a combination of the two words 'robot' and 'network'. Bots are vulnerable machines that become infected by running malicious code or bot binaries. Once infected, a bot tries to locate and connect to the C&C server. The C&C (command and control) server provides a channel for communication between the bots and their master. Bots are controlled by a master known as the botmaster or botherder. The main aim of a botnet is to perform malicious activities on behalf of its server for profit, since bots are inexpensive and easy to propagate. The communication architecture of a botnet is its key aspect: bots communicate over legitimate channels [3].

To identify the presence of a botnet and to overcome its negative impact on the network, many detection techniques are available [4], [5], [6]. Network-based botnet detection is one of the effective detection techniques. The other detection techniques considered in this review are the signature-based, anomaly-based and host-based techniques.

II. LIFE CYCLE OF BOTNET

The bot life cycle passes through five different stages. In order for a vulnerable machine to become an active bot and part of a botnet, the machine goes through the following cycle of phases.

The first phase is the initial infection phase. Here the machine is infected and becomes a potential bot. A machine gets infected by unwanted downloads of malware from a website, by using an infected removable disk, etc.

The second phase is the secondary injection phase. Here the infected host runs a program that searches for bot binaries in a network database. Once the machine downloads and executes the file, it starts to behave like a real bot.

The third phase is the connection or rallying phase, where the bot tries to locate and connect to the command and control server. Once connected, it can receive and respond to commands from the botmaster. This phase occurs several times in the bot life cycle. Bots become vulnerable during this phase.

The fourth phase is the malicious phase, where the bot performs a series of malicious activities based on the commands from its botmaster. The bot can perform several disruptive attacks such as email spamming, distributed denial of service attacks and distributing malicious software.

The final phase is the maintenance and upgrading phase. The botmaster tries to keep its bots under control for as long as possible. Maintenance is required in order to keep the botmaster's army of bots up to date for further coordinated activities. In this phase the bots update their behaviour and perform new malicious activities based on the information received from the botmaster.

978-1-4673-8819-8/16/$31.00 ©2016 IEEE



III. EXISTING TAXONOMIES OF BOTNET

In order to detect botnets and understand how they work, several studies have been conducted in this area [6]. In earlier times, setting up honeypots on the Internet helped to capture malware as well as to understand the basic behaviour of botnets. Botnet technology and its characteristics can be understood with the help of honeypots, but honeypots do not necessarily detect bot infections [7], [8]. Botnet detection techniques based on passive network monitoring and analysis are useful; these techniques can be further classified into signature-based, anomaly-based, DNS-based and mining-based techniques.

Signature-based detection techniques are used for detecting known forms of bots, but they are not useful for detecting unknown bots [9]. Anomaly-based detection techniques [10] try to detect botnets based on network traffic anomalies such as high volumes of traffic, high network latency, traffic on unusual ports and unusual system behaviour, which indicate the presence of bots in the network. Several anomaly-based detection techniques exist [10]. DNS-based detection techniques use the DNS information of the botnet [11]: bots execute DNS queries to locate their command and control server, so bots can be detected from DNS traffic.

To identify bot-infected host machines, the Rishi [9] approach is used. It is a signature-based technique: signatures of current bots are applied in an IDS detection system. A signature is a pattern that is seen inside a packet, and it may be seen in different parts of the packet. Using the signature database, the detection task is performed by comparing every byte in the packet. For each IRC connection a connection object is created, which stores certain information in addition to an identifier. This identifier consists of the source IP address, the destination IP address and the destination port. Using this identifier it is possible to update an already existing object with new parameters. Rishi listens for connections from infected machines to the IRC server hosting the botnet, then captures the TCP packets containing the IRC commands [15]. From the captured packets certain information is extracted and analysed. The analysis focuses on the extracted nickname, and the analysis function implements a scoring [15]. When the analysis is finished, the connection object contains the final number of points for the nickname and other related information. The higher the score a nickname receives, the greater the chance that it belongs to a bot-infected machine trying to contact its C&C server. The main advantage of Rishi is that it can detect well-known bots. Its disadvantage is that it does not work for unknown bots, and effort is needed to keep the knowledge base updated with new signatures.
Several data mining techniques such as machine learning, classification and clustering can be used to detect botnets efficiently. In [9], Goebel and Holz proposed Rishi, mainly based on passive monitoring of network traffic. In [12], Strayer et al. showed that, using passive traffic analysis, it is possible to extract evidence of botnet command and control activity from the network flow. In [13], Livadas et al. suggested a machine learning based approach for detecting botnets using some general network traffic features of chat-like protocols.

IV. REVIEW OF BOTNET DETECTION TECHNIQUES

Botnet attacks are carried out in groups for cyber crime; they are extremely dangerous and can crash any network, server, organization, or the Internet as a whole [14]. In traditional botnets, C&C traffic appears as legitimate traffic. Therefore, hard work has to be done to save network organizations from data and economic losses by designing algorithms and techniques that can detect a botnet as it is formed [15].

Data mining techniques are used to extract, analyze, recognize and discover normal patterns and abnormalities in huge volumes of data. For this, correlation, classification, clustering, etc. can be used [15]. The Honeynet project took the first step in this regard with the recognition of botnet characteristics; after that, many have used honeynets in different forms to detect and learn the behaviour of botnets [8], [16]. Other botnet detection techniques, namely signature-based, anomaly-based, host-based and network-based techniques, are discussed below.

The anomaly detection technique [10] makes use of network behaviour to identify bots. Anomalies are unexpected behaviour in the network, as opposed to the normal behaviour. The current network behaviour is compared with its previous behaviour; the new behaviour is either accepted or used to trigger anomaly detection events. The IDS engine helps in specifying the network behaviour: it models the normal or expected behaviour of the system and may detect deviations of interest that indicate a security breach or an attempted attack. By examining the headers of the packets in the network, bots can be detected. Unknown bots are also detectable with this method.

The host-based detection technique looks for signs of bot-like behaviour on a host. Schiller et al. [18] suggested identifying the infected host by monitoring the events and the firewall details to determine the payload and the functions of the bot. They also suggested a method to identify the location of the malware by looking for malicious start-up processes. Barford [19] describes a deep analysis of bot source code taken from infected hosts. A straightforward host-based detection technique monitors the outbound packets from a host and compares them with destination-based white-lists. The white-lists contain the list of uninfected PCs.

Botnet detection based on network traffic behaviour [3] is a network-based detection technique. Here the network traffic is analyzed for botnet detection. Traffic behaviour analysis methods can work with encrypted channels. If there are bots in the network, shutting down the IRC server is the most suitable measure to prevent the botnet. The network traffic is examined by splitting it into multiple time windows [20]. Then from each time window a set of attributes is extracted which

is then used to classify the traffic as malicious or non-malicious. Bots show similarities in their traffic, which helps in distinguishing them from normal traffic. The common features established by the bots within a botnet are their uniformity of traffic behaviour, communication behaviour, etc. The main idea is that there exists a unique signature for the flow behaviour of a single bot, and this signature can be used to detect many bots within the same botnet. This technique makes use of encryption algorithms and is cheaper than other approaches. It is able to detect bot activity quickly by splitting individual flows into multiple time windows.

BotFinder [17] detects bots without inspecting the packet content. It compares statistical bot-activity features with previous results in the network traffic. Multi-faceted models are created for C&C traffic. For this approach, high-level network information is required. The bots can be detected even when they use encrypted C&C channels for communicating with other bots.

V. RESULTS AND DISCUSSION

Four different botnet detection techniques are discussed in this paper. The comparison of the botnet detection techniques is shown in TABLE 1. The signature-based detection method mainly focuses on the signatures of bots, which is useful for known bots only. Anomaly-based detection identifies abnormalities in the network traffic; the abnormal behaviour helps in detecting bots. This method cannot be used when the traffic is encrypted, and most botnets make use of encrypted channels for communication nowadays. Identification of host behaviour is the principle behind host-based detection.

TABLE 1. COMPARISON OF VARIOUS DETECTION METHODS

Technique       | Feature                                          | Advantages                                                   | Disadvantages
Signature-based | Detection based on the signature of the bot      | Detects known bots                                           | Cannot detect unknown bots
Anomaly-based   | Identifies the abnormal behaviour of the network | Analyzes several network traffic irregularities              | Unable to scan encrypted channels
Host-based      | Looks for bot-like behaviour in the host         | Produces a low false positive rate                           | Processing overhead
Network-based   | Monitors the network flow for bot activity       | Detects bot activity at an early stage; detects unknown bots | Does not inspect the payload of packets

The host-based method gives more efficient detection than the signature-based and anomaly-based schemes, but has very high processing overhead. In the network-based method, bot activities are identified directly from the network flow. This helps in detecting bots at the primary stage of their development. This method overcomes the problem of the signature-based method by detecting unknown bots with high accuracy. However, this method cannot be used when the payload of the packet is used for malicious activities, since it does not inspect the packet payload.

VI. CONCLUSION

Four different botnet detection techniques for finding malware have been discussed in this paper. Even though several techniques are available for detecting the presence of bots in a network, the network-based technique is commonly used. The network-based technique finds both known and unknown bots. Detection becomes a challenge when botnets change their C&C architecture. The main challenge in botnet detection is the difficulty of testing the detection approaches with real-world datasets.

REFERENCES

[1] V. Igure and R. Williams, "Taxonomies of attacks and vulnerabilities in computer systems," IEEE Commun. Surveys Tuts., vol. ?, no. ?, pp. ?–19, 1st Quart. 2008.

[2] A. Cole, M. Mellor and D. Noyes, "Botnets: The rise of the machines," in Proc. of the 6th Annual Security Conference, 2007.

[3] David Zhao, Issa Traore, Bassam Sayed, Wei Lu, Sherif Saad, Ali Ghorbani and Dan Garant, "Botnet detection based on traffic behavior analysis and flow intervals," Elsevier Computers & Security, vol. ?, pp. 2–16, November 2013.

[4] J. Liu, Y. Xiao, K. Ghaboosi, H. Deng, J. Zhang, "Botnet classification, attacks, detection, tracing, and preventive measures," EURASIP Journal of Wireless Communication Networks, 2009.

[5] D. Dagon, "Botnet Detection and Response - The network is the infection," Cooperative Association for Internet Data Analysis DNS-OARC Workshop, July, vol. 25, 2005.

[6] T. Strayer, D. Lapsley, R. Walsh, C. Livadas, "Botnet Detection: Countering the Largest Security Threat," Springer, Chapter: Botnet Detection Based on Network Behavior, vol. 36, 2008.

[7] P. Bacher, T. Holz, M. Kotter, G. Wicherski, Know Your Enemy: Tracking Botnets (using honeynets to learn more about bots), Technical Report, The Honeynet Project, 2008.

[8] L. Spitzner, "The Honeynet Project: Trapping the Hackers," IEEE Security & Privacy, vol. 1, no. 2, 2003, pp. 15–23.

[9] J. Goebel, T. Holz, Rishi: identify bot contaminated hosts by IRC nickname evaluation, in: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, USENIX Association, Berkeley, CA, USA, p. 8.

[10] Estévez-Tapiador JM, García-Teodoro P, Díaz-Verdejo JE. Anomaly detection methods in wired networks: a survey and taxonomy. Computer Networks 2004;27(16):1569–84.

[11] Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim. Botnet Detection by Monitoring Group Activities in DNS Traffic. Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, pp. 715–720, Oct. 2007.

[12] W. Strayer, R. Walsh, C. Livadas, D. Lapsley, Detecting botnets with tight command and control, in: Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 195–202.

[13] C. Livadas, R. Walsh, D. Lapsley, T. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 967–974, Nov. 2006.

[14] Basil AsSadhan, Jose M.F. Moura, "An efficient method to detect periodic behaviour in botnet traffic by analyzing control plane traffic," in Proc. Elsevier, 2013.

[15] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, E. Kirda, Automatically generating models for botnet detection, in: M. Backes, P. Ning (Eds.), Computer Security – ESORICS 2009, Lecture Notes in Computer Science, vol. 5789, Springer, Berlin/Heidelberg, 2009, pp. 232–249.

[16] Y. Kugisaki, Y. Kasahara, Y. Hori, K. Sakurai, Bot detection based on traffic analysis, in: The 2007 International Conference on Intelligent Pervasive Computing, IPC, 2007, pp. 303–306.

[17] Florian Tegeler, Xiaoming Fu, Giovanni Vigna, Christopher Kruegel, BotFinder: Finding bots in network traffic without deep packet inspection, ACM 2012.

[18] Schiller, C., Binkley, J., Evron, G., Willems, C.: Botnets – The killer web app. Syngress, 179–208 (February 2007).

[19] Barford, P., Yegneswaran, V.: An inside look at BotNets. In: Proceedings of Special Workshop on Malware Detection. Advances in Information Security. Springer, Heidelberg (2006).

[20] H. R. Zeidanloo and Azizah Bt Abdul Manaf, "Botnet Detection by Monitoring Similar Communication Patterns," International Journal of Computer Science and Information Security, Vol. 7, No. 3, pp. 36–45, 2010.
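Added example (not part of the paper, and not the code of [3], [17] or [20]): a Python sketch of the network-based technique reviewed in Section IV. It splits each host's flow records into fixed time windows, extracts a small attribute set per window (flow count, uniformity of flow sizes and of inter-arrival times, number of distinct destinations), classifies a window as bot-like when the traffic is uniform, and then uses the averaged per-host attribute vector as the host's flow-behaviour signature so that one bot's signature finds the other members of the same botnet. Only packet-header-level fields are used, so the logic is unaffected by payload encryption. The flow records, the window length, the uniformity thresholds and the similarity distance are constructed assumptions for this example.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 300          # seconds per time window (assumed value for this example)
MAX_COV = 0.2         # uniformity threshold on coefficient of variation (assumed)
MAX_DSTS = 2          # a beaconing bot talks to very few destinations per window (assumed)


def make_flows():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
    Two hosts contact one IRC-port destination every 60 s with near-constant
    size (C&C-like beaconing); a third host browses irregularly."""
    flows = []
    for i in range(20):
        flows.append((i * 60, "10.0.0.5", "203.0.113.7", 6667, 512 + (i % 3) * 8))
        flows.append((i * 60 + 5, "10.0.0.9", "203.0.113.7", 6667, 520 + (i % 2) * 8))
    browse = [(3, 1480), (7, 62000), (8, 900), (40, 230000), (41, 1200), (95, 18000),
              (96, 640), (150, 410000), (151, 2000), (230, 9000), (300, 1500),
              (305, 77000), (450, 3200), (455, 120000), (600, 500), (610, 88000),
              (700, 2400), (705, 15000), (900, 300), (1100, 66000)]
    for k, (t, b) in enumerate(browse):
        flows.append((t, "10.0.0.8", f"198.51.100.{k % 7}", 443, b))
    return flows


def cov(xs):
    """Coefficient of variation: spread relative to the mean (0 = perfectly uniform)."""
    m = mean(xs)
    return pstdev(xs) / m if m else 0.0


def window_features(flows, window=WINDOW):
    """Split each source host's flows into fixed time windows and extract the
    per-window attribute set the classifier works on."""
    by_key = defaultdict(list)
    for ts, src, dst, _dport, nbytes in flows:
        by_key[(src, ts // window)].append((ts, dst, nbytes))
    feats = {}
    for key, recs in by_key.items():
        if len(recs) < 3:
            continue                      # too few flows to judge regularity
        recs.sort()
        ts = [r[0] for r in recs]
        iat = [b - a for a, b in zip(ts, ts[1:])]
        feats[key] = {
            "flows": len(recs),
            "cov_bytes": cov([r[2] for r in recs]),   # size uniformity
            "cov_iat": cov(iat),                      # timing uniformity
            "dsts": len({r[1] for r in recs}),        # destination spread
        }
    return feats


def window_is_botlike(f):
    """Uniform sizes, uniform timing and few destinations within one window."""
    return f["cov_bytes"] < MAX_COV and f["cov_iat"] < MAX_COV and f["dsts"] <= MAX_DSTS


def classify_hosts(feats, min_fraction=0.5):
    """Host verdict from the fraction of its windows that look bot-like."""
    hits, total = defaultdict(int), defaultdict(int)
    for (src, _w), f in feats.items():
        total[src] += 1
        hits[src] += window_is_botlike(f)
    return {src: ("bot" if hits[src] / total[src] >= min_fraction else "normal")
            for src in total}


def host_profiles(feats):
    """Average attribute vector per host (the host's flow-behaviour signature)."""
    acc = defaultdict(list)
    for (src, _w), f in feats.items():
        acc[src].append((f["cov_bytes"], f["cov_iat"], float(f["dsts"])))
    return {src: tuple(mean(col) for col in zip(*vecs)) for src, vecs in acc.items()}


def similar_hosts(profiles, max_dist=0.5):
    """Pairs of hosts whose signatures are close: members of one botnet share
    the same flow behaviour, so one bot's signature finds its peers."""
    hosts = sorted(profiles)
    pairs = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if math.dist(profiles[a], profiles[b]) <= max_dist:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    feats = window_features(make_flows())
    for key, f in sorted(feats.items()):
        print(key, {k: round(v, 3) if isinstance(v, float) else v for k, v in f.items()})
    print(classify_hosts(feats))
    print(similar_hosts(host_profiles(feats)))
```

On the constructed input both beaconing hosts are classified as bots from their very first window, the browsing host is not, and the two bots' signatures fall within the similarity distance of each other while the browsing host's does not. The attribute set is deliberately small; a deployment would add the features of [3] and [20] and replace the fixed thresholds with a classifier trained on labelled windows, but the window split, the per-window attributes and the signature comparison are the parts the text describes.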
