Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations

  • Pieter Burghouwt
  • Marcel Spruit
  • Henk Sips
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 152)


We present a novel anomaly-based detection approach that detects botnet Command and Control (C&C) traffic in an enterprise network by estimating the trustworthiness of traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not originate from one of three sources: human input, prior traffic from an already trusted destination, or a defined set of legitimate applications. Because the decision depends on the provenance of the destination rather than on the content or pattern of the C&C channel itself, this allows real-time detection of diverse types of Command and Control traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.
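The following is an added illustration of the destination-trust idea described in the abstract; it is not the authors' implementation and the event layout, application names, host names and addresses are all constructed for the example. A destination becomes trusted when a user supplies it, or when it is referenced in traffic coming from a destination that is already trusted (an IP in the DNS answer for a trusted name, a hostname linked from a trusted page); a per-application allow-list covers legitimate applications that contact fixed destinations without user involvement. Any flow whose destination has none of these origins is flagged.

```python
# Added illustration (not the paper's implementation): a toy reconstruction of the
# destination-trust classification from the abstract. Event layout, application
# names and all addresses are constructed/assumed for the example.
from dataclasses import dataclass, field


@dataclass
class DestinationTrust:
    """Tracks which destination identifiers (hostnames, IP strings) have a
    legitimate origin, so a flow to an unexplained destination can be flagged."""

    # Destinations with an established origin (human input or transitive trust).
    trusted: set = field(default_factory=set)
    # Per-application allow-lists: the "defined set of legitimate applications".
    app_allowlist: dict = field(default_factory=dict)
    # Identifiers that only ever appeared in responses from untrusted sources.
    untrusted_refs: set = field(default_factory=set)

    def human_input(self, ident: str) -> None:
        """A destination the user typed, pasted or clicked is trusted by definition."""
        self.trusted.add(ident)

    def learn(self, source: str, referenced: str) -> bool:
        """Transitive trust: an identifier carried in traffic from a trusted
        destination (an IP in the DNS answer for a trusted name, a hostname linked
        from a trusted page, a redirect target) becomes trusted too. Identifiers
        offered by an untrusted source inherit nothing."""
        if source in self.trusted:
            self.trusted.add(referenced)
            return True
        self.untrusted_refs.add(referenced)
        return False

    def classify(self, app: str, dst: str) -> str:
        """Verdict for a new flow: 'trusted' if the destination has a known origin
        or the application is allowed to talk to it, otherwise 'anomalous'."""
        if dst in self.trusted or dst in self.app_allowlist.get(app, ()):
            return "trusted"
        return "anomalous"


def replay(events, app_allowlist):
    """Replay an ordered event stream (user input, responses, flows) and return
    the verdict for every flow as (app, dst, verdict)."""
    model = DestinationTrust(app_allowlist={k: set(v) for k, v in app_allowlist.items()})
    verdicts = []
    for ev in events:
        if ev["kind"] == "user_input":
            model.human_input(ev["dst"])
        elif ev["kind"] == "response":
            model.learn(ev["src"], ev["refers"])
        elif ev["kind"] == "flow":
            verdicts.append((ev["app"], ev["dst"], model.classify(ev["app"], ev["dst"])))
    return verdicts


# Constructed sample stream; hosts and addresses are documentation/example values.
APP_ALLOWLIST = {"ntpd": ["pool.ntp.org"]}
EVENTS = [
    {"kind": "user_input", "dst": "www.example.com"},                       # user types the URL
    {"kind": "response", "src": "www.example.com", "refers": "192.0.2.10"},  # DNS answer for a trusted name
    {"kind": "flow", "app": "browser", "dst": "192.0.2.10"},
    {"kind": "response", "src": "192.0.2.10", "refers": "cdn.example.net"},  # link served by the trusted host
    {"kind": "flow", "app": "browser", "dst": "cdn.example.net"},
    {"kind": "flow", "app": "ntpd", "dst": "pool.ntp.org"},                  # covered by the application allow-list
    {"kind": "flow", "app": "svchost.exe", "dst": "203.0.113.7"},            # no origin at all: C&C-like
    {"kind": "response", "src": "203.0.113.7", "refers": "198.51.100.9"},    # untrusted peer hands out a new peer
    {"kind": "flow", "app": "svchost.exe", "dst": "198.51.100.9"},           # still unexplained
]

if __name__ == "__main__":
    for app, dst, verdict in replay(EVENTS, APP_ALLOWLIST):
        print(f"{verdict:9s} {app:12s} -> {dst}")
```

Two practical caveats follow directly from this structure. The "human input" signal has to be tied to an actual user action (keystrokes, clicks) and bounded in time, not merely inferred from a destination appearing in a request, or malware can manufacture its own provenance. And because trust is transitive, an attacker who can place a reference on a trusted destination (a compromised page, an injected link or redirect) can launder a C&C address into the trusted set, so the trusted-destination chain, not the unexplained flow, is where a determined botnet will try to hide.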


Botnets · Network intrusion detection · Anomaly detection



Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2015

Authors and Affiliations

  1. Parallel and Distributed Systems Group, Delft University of Technology, Delft, The Netherlands
