Botnet Detection Based on Network Behavior

  • W. Timothy Strayer
  • David Lapsley
  • Robert Walsh
  • Carl Livadas
Part of the Advances in Information Security book series (ADIS, volume 36)







Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • W. Timothy Strayer, BBN Technologies, Cambridge
  • David Lapsley, BBN Technologies, Cambridge
  • Robert Walsh, BBN Technologies, Cambridge
  • Carl Livadas, Intel Research, Santa Clara
