Detection of Botnet Activities Through the Lens of a Large-Scale Darknet

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10638)


The growing cyber-threats from botnets compel us to devise proper countermeasures to detect infected hosts in an efficient and timely manner. In this paper, botnet-host identification is approached from a new perspective: by exploring the temporal coincidence in botnet activities visible in the darknet, botnet probing campaigns and botnet hosts can be detected with high accuracy and efficiency. The insights to botnet behavioral characteristics and automated detection results obtained from this study suggest a promising expedient for botnet take-down and host reputation management on the Internet.


Botnet detection Darknet analysis Abrupt change detection Pattern classification 


  1. 1.
    Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement (IMC 2006), pp. 41–52. ACM (2006).
  2. 2.
    Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Behavior analysis of long-term cyber attacks in the darknet. In: Huang, T., Zeng, Z., Li, C., Leung, C.S. (eds.) ICONIP 2012. LNCS, vol. 7667, pp. 620–628. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34500-5_73 CrossRefGoogle Scholar
  3. 3.
    Benson, K., Dainotti, A., Claffy, K., Aben, E.: Gaining insight into as-level outages through analysis of internet background radiation. In: Proceedings of the 2012 ACM Conference on CoNEXT Student Workshop, pp. 63–64 (2012)Google Scholar
  4. 4.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: 18th Annual Network and Distributed System Security Symposium, NDSS 2011, San Diego, CA, USA, 6–9 February 2011.
  5. 5.
    Cho, C.Y., Domagoj, B., Shin, E.C.R., Song, D.: Inference and analysis of formal models of botnet command and control protocols. In: Computer and Communications Security (CCS 2010), pp. 426–439. ACM (2010)Google Scholar
  6. 6.
    Choi, H., Lee, H., Lee, H., Kim, H.: Botnet detection by monitoring group activities in DNS traffic. In: Proceedings of the 7th IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)Google Scholar
  7. 7.
    Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20–33 (2012). CrossRefGoogle Scholar
  8. 8.
    Choi, H., Lee, H., Kim, H.: Botgad: detecting botnets by capturing group activities in network traffic. In: Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE, COMSWARE 2009, pp. 2:1–2:8. ACM (2009).
  9. 9.
    Dagon, D., Gu, G., Lee, C.P.: A taxonomy of botnet structures. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. Advances in Information Security, vol. 36, pp. 143–164. Springer, Boston (2008). doi: 10.1007/978-0-387-68768-1_8 CrossRefGoogle Scholar
  10. 10.
    Dainotti, A., King, A., Claffy, K., Papale, F., Pescapè, A.: Analysis of a “/0” stealth scan from a botnet. In: Internet Measurement Conference, IMC 2012, pp. 1–14. ACM (2012)Google Scholar
  11. 11.
    Friess, N., Aycock, J., Vogt, R.: Black market botnets. In: Proceedings of the MIT Spam Conference, pp. 1–8 (2010)Google Scholar
  12. 12.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: USENIX Security Symposium, SS 2007, pp. 1–16. USENIX Association (2007)Google Scholar
  13. 13.
    Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: 2009 Annual Computer Security Applications Conference (ACSAC 2009), pp. 241–253 (2009)Google Scholar
  14. 14.
    Harder, U., Johnson, M.W., Bradley, J.T., Knottenbelt, W.J.: Observing internet worm and virus attacks with a small network telescope. Electr. Notes Theor. Comput. Sci. 151(3), 47–59 (2006)CrossRefGoogle Scholar
  15. 15.
    Hyslip, T., Pittman, J.: A survey of botnet detection techniques by command and control infrastructure. JDFSL 10(1), 7–26 (2015)Google Scholar
  16. 16.
    Inoue, D., Eto, M., Yoshioka, K., Baba, S., Suzuki, K., Nakazato, J., Ohtaka, K., Nakao, K.: Nicter: an incident analysis system toward binding network monitoring with malware analysis. In: Proceedings of the 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp. 58–66 (2008)Google Scholar
  17. 17.
    Inoue, D., Yoshioka, K., Eto, M., Yamagata, M., Nishino, E., Takeuchi, J., Ohkouchi, K., Nakao, K.: An incident analysis system NICTER and its analysis engines based on data mining techniques. In: Köppen, M., Kasabov, N., Coghill, G. (eds.) ICONIP 2008. LNCS, vol. 5506, pp. 579–586. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-02490-0_71 CrossRefGoogle Scholar
  18. 18.
    Lai, T.L.: Sequential change-point detection in quality control and dynamical systems. J. R. Stat. Soc. Ser. B 57(4), 613–658 (1995)zbMATHGoogle Scholar
  19. 19.
    Mazzariello, C.: IRC traffic analysis for botnet detection. In: 2008 Fourth International Conference on Information Assurance and Security (ISIAS 2008), pp. 318–323 (2008)Google Scholar
  20. 20.
    Mizoguchi, S., Kugisaki, Y., Kasahara, Y., Hori, Y., Sakurai, K.: Implementation and evaluation of bot detection scheme based on data transmission intervals. In: 2010 6th IEEE Workshop on Secure Network Protocols (NPSec), pp. 73–78 (2010)Google Scholar
  21. 21.
    Nakao, K., Yoshioka, K., Inoue, D., Eto, M.: A novel concept of network incident analysis based on multi-layer ovservation of malware activities. In: Proceedings of The 2nd Joint Workshop on Information Security (JWIS07), pp. 267–279 (2007)Google Scholar
  22. 22.
  23. 23.
    Vapnik, V.N.: The Nature of Statistical Learning Theory. Springer, New York (1995). doi: 10.1007/978-1-4757-2440-0 CrossRefzbMATHGoogle Scholar
  24. 24.
    Yen, T.-F., Reiter, M.K.: Traffic aggregation for malware detection. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 207–227. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-70542-0_11 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.National Institute of Information and Communications TechnologyTokyoJapan
  2. 2.Unitec Institute of TechnologyAucklandNew Zealand
  3. 3.Clwit Inc.TokyoJapan

Personalised recommendations