Anomaly-Based Detection of IRC Botnets by Means of One-Class Support Vector Classifiers

  • Claudio Mazzariello
  • Carlo Sansone
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5716)


The complexity of modern cyber attacks calls for detection and classification techniques more sophisticated than those based on the well-known signature detection approach. Attackers try to deploy armies of controlled bots by infecting vulnerable hosts. Such bots are characterized by complex executable command sets, and take part in cooperative and coordinated attacks. Therefore, an effective detection technique should rely on a suitable model of both the envisaged networking scenario and the attacks targeting it.

We address the problem of detecting botnets by describing a behavioral model for a specific class of network users, and a set of features that can be used to identify botnet-related activities. Tests performed with an anomaly-based detection scheme on a set of real network traffic traces confirmed the effectiveness of the proposed approach.


Keywords: Infected Host; Control Channel; Normal Channel; Malicious User; Anomaly Score



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Claudio Mazzariello (1)
  • Carlo Sansone (1)
  1. Dipartimento di Informatica e Sistemistica, University of Napoli Federico II, Napoli, Italy
