How to Achieve Early Botnet Detection at the Provider Level?

  • Christian Dietz
  • Anna Sperotto
  • Gabi Dreo
  • Aiko Pras
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9701)


Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. A botnet is controlled by a botmaster who uses various advanced techniques to create, maintain and hide its complex and distributed C&C infrastructure. First, botmasters use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the resilience measures and the prevention of signature-based detection are countermeasures against existing detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets and thereby facilitate proactive mitigation strategies, whereas current approaches usually detect botnets only once they are already in active use. Consequently, this proactive approach prevents botnets from fully developing their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end-user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection even in cases where bots use domains whose registrars are not willing to cooperate.
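The abstract names two vantage points, the registrar (registration behaviour) and the ISP (resolution behaviour of connected systems), without describing an implementation. The following Python sketch is an added illustration of how those two signals can be combined; it is not the authors' code, and every record, field name, IP address, domain and threshold in it is a constructed assumption. It flags domains that were bulk-registered by one registrant and, shortly after registration, resolved by several provider clients, then groups the clients that share that behaviour.

```python
"""Added illustration, not the authors' code: correlate domain registration
behaviour (registrar side) with resolution behaviour seen at an ISP.
All records, names and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registrar feed: who registered which domain, and when.
REGISTRATIONS = [
    {"domain": "q7x2m9.com", "registered": "2016-01-05T10:00:00",
     "registrant": "bulk-registrant@example.invalid"},
    {"domain": "k3p8v1.net", "registered": "2016-01-05T10:05:00",
     "registrant": "bulk-registrant@example.invalid"},
    {"domain": "z4w6n2.org", "registered": "2016-01-05T10:20:00",
     "registrant": "bulk-registrant@example.invalid"},
    {"domain": "h9t5r0.com", "registered": "2016-01-05T10:40:00",
     "registrant": "bulk-registrant@example.invalid"},
    {"domain": "corner-bakery-shop.com", "registered": "2016-01-05T09:00:00",
     "registrant": "shop-owner@example.invalid"},
    {"domain": "daily-news-example.org", "registered": "2015-11-01T12:00:00",
     "registrant": "news-site@example.invalid"},
]

# Constructed provider-side DNS query log: (timestamp, client IP, queried name).
DNS_QUERIES = [
    ("2016-01-05T09:00:00", "10.0.9.9", "q7x2m9.com"),   # before registration: ignored
    ("2016-01-06T08:00:00", "10.0.1.11", "q7x2m9.com"),
    ("2016-01-06T08:00:05", "10.0.1.12", "q7x2m9.com"),
    ("2016-01-06T08:00:09", "10.0.1.13", "q7x2m9.com"),
    ("2016-01-06T08:01:00", "10.0.1.14", "q7x2m9.com"),
    ("2016-01-06T08:30:00", "10.0.1.11", "k3p8v1.net"),
    ("2016-01-06T08:30:02", "10.0.1.12", "k3p8v1.net"),
    ("2016-01-06T08:30:07", "10.0.1.13", "k3p8v1.net"),
    ("2016-01-06T09:00:00", "10.0.1.11", "z4w6n2.org"),  # one client only: below threshold
    ("2016-01-06T12:00:00", "10.0.2.5", "corner-bakery-shop.com"),  # new, but not bulk-registered
    ("2016-01-06T12:10:00", "10.0.2.6", "corner-bakery-shop.com"),
    ("2016-01-06T12:20:00", "10.0.2.7", "corner-bakery-shop.com"),
    ("2016-01-06T12:30:00", "10.0.2.8", "corner-bakery-shop.com"),
    ("2016-01-06T13:00:00", "10.0.3.1", "daily-news-example.org"),  # registered months ago
    ("2016-01-06T13:00:01", "10.0.3.2", "daily-news-example.org"),
    ("2016-01-06T13:00:02", "10.0.3.3", "daily-news-example.org"),
    ("2016-01-06T14:00:00", "10.0.3.4", "unknown-domain.example"),  # no registration record
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def registration_bursts(regs, window=timedelta(hours=1), min_size=3):
    """Registrar-side signal: registrants that created >= min_size domains
    within any sliding window of length `window` (bulk registration)."""
    by_registrant = defaultdict(list)
    for r in regs:
        by_registrant[r["registrant"]].append((parse_ts(r["registered"]), r["domain"]))
    bursts = {}
    for registrant, entries in by_registrant.items():
        entries.sort()
        flagged, start = set(), 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1  # shrink the window from the left
            if end - start + 1 >= min_size:
                flagged.update(d for _, d in entries[start:end + 1])
        if flagged:
            bursts[registrant] = flagged
    return bursts


def early_resolvers(regs, queries, max_age=timedelta(days=7), min_clients=3):
    """Provider-side signal: domains resolved by >= min_clients distinct clients
    within max_age after registration. Queries before registration, or for
    domains without a registration record, are ignored."""
    reg_time = {r["domain"]: parse_ts(r["registered"]) for r in regs}
    clients = defaultdict(set)
    for ts, client, qname in queries:
        t0 = reg_time.get(qname)
        if t0 is not None and timedelta(0) <= parse_ts(ts) - t0 <= max_age:
            clients[qname].add(client)
    return {d: c for d, c in clients.items() if len(c) >= min_clients}


def suspected_cnc(regs, queries):
    """Domains that are both bulk-registered and resolved early by several clients."""
    burst_domains = set().union(*registration_bursts(regs).values())
    return sorted(d for d in early_resolvers(regs, queries) if d in burst_domains)


def likely_bots(regs, queries, min_domains=2):
    """Clients showing the same coordinated behaviour: they resolved at least
    min_domains of the suspected C&C domains inside the early window."""
    early = early_resolvers(regs, queries)
    per_client = defaultdict(set)
    for d in suspected_cnc(regs, queries):
        for c in early[d]:
            per_client[c].add(d)
    return sorted(c for c, ds in per_client.items() if len(ds) >= min_domains)


if __name__ == "__main__":
    print("bulk registrations:", registration_bursts(REGISTRATIONS))
    print("suspected C&C domains:", suspected_cnc(REGISTRATIONS, DNS_QUERIES))
    print("clients to notify:", likely_bots(REGISTRATIONS, DNS_QUERIES))
```

Neither signal is conclusive alone: the constructed bakery domain is new and popular but registered on its own, and the constructed news domain is widely resolved but months old, so both stay out of the suspect set. Only the intersection of bulk registration and early, coordinated resolution is reported, and the clients that resolve more than one of those domains are the ones an ISP could act on without any end-user involvement.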


Keywords: Botnet · Early detection · Provider network · DNS · IP flow monitoring · Coordinated cyber threats · Domain registration behaviour



This work is partially funded by EU FP7 Flamingo Network of Excellence Project (ICT-318488).



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Christian Dietz (1, 2)
  • Anna Sperotto (2)
  • Gabi Dreo (1)
  • Aiko Pras (2)
  1. Universität der Bundeswehr München, Neubiberg, Germany
  2. University of Twente, Enschede, Netherlands
