Revealing The Criterion On Botnet Detection Technique - IJCSI


IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 2, No 3, March 2013
ISSN (Print): 1694-0814, ISSN (Online): 1694-0784, www.IJCSI.org
Copyright (c) 2013 International Journal of Computer Science Issues. All Rights Reserved.

Raihana Syahirah Abdullah, Mohd Faizal Abdollah, Zul Azri Muhamad Noh, Mohd Zaki Mas'ud, Siti Rahayu Selamat, Robiah Yusof
Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia

Abstract

Botnets have already made a big impact and need much attention as one of the most serious emerging threats to Internet security. Peer-to-peer (P2P) Botnets make the situation worse: by borrowing the underlying P2P file-exchange technology they become much harder to detect and shut down, which makes Botnets the biggest threat to Internet stability and security. Botnet detection and prevention is therefore an important research topic, and various techniques have been proposed for the detection, prevention and mitigation of Botnet attacks. This paper addresses the current trend in Botnet detection techniques and identifies the significant criteria of each technique. Existing techniques from 45 studies are analysed and the capability criteria of Botnet detection techniques are reviewed. The comparative analysis of these techniques is presented on the selected detection criteria: unknown Botnet detection, protocol and structure independence, low false positives, low cost, low risk, encrypted bot detection, real-world detection, no prior knowledge required, and revealing bot servers and C&C migration.

Keywords: Botnet, P2P Botnet, IDS, Botnet Detection Criterion

1. Introduction

Nowadays people depend heavily on the Internet, but the growth of the services it offers has exposed users to various threats. Cybercriminals are now capable of launching sophisticated attacks against network infrastructure from several remote hosts around the globe, and the exploitation is usually motivated by financial and political objectives. The global Botnet infections reported by McAfee show that overall messaging Botnet growth jumped up sharply from April 2011 to March 2012, as depicted in Fig. 1.

Fig. 1: Global Botnet Infections from McAfee Threats Report [1]

Meanwhile, according to the Malaysian Computer Emergency Response Team (MyCERT), in Quarter 3 of 2012 it handled 228 reports related to malicious code activities, which represents 39.02% of the total number of security incidents [2], as illustrated in Fig. 2. The malicious code incidents handled include active Botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections of computers.

Fig. 2: Percentage of Security Incidents, Quarter 3 2012, from eSecurity MyCERT Malaysia [2]

The rapid growth of Botnets has had a serious impact and requires continuous effort to ensure that Botnet detection techniques are comprehensive enough. Hence, the selected criteria are proposed as a basis for successful Botnet detection. This paper compares Botnet detection techniques on the following criteria: unknown Botnet detection, protocol and structure independence, low false positives, low cost, low risk, encrypted bot detection, real-time/real-world detection, no prior knowledge required, and revealing bot servers and C&C migration. In order to increase the detection rate, the use of these criteria is indispensable.

The rest of the paper is organised as follows. Section 2 provides detailed background on Botnets and the selected criteria. Section 3 presents the classification of Botnet detection techniques; five categories are discussed in turn: anomaly-based, signature-based, DNS-based, data mining-based and hybrid-based. The related work, with a comprehensive comparison of Botnet detection techniques on each detection criterion, is presented in Section 4. Finally, Section 5 concludes and discusses further directions of this work.

2. Background

To support the discussion that follows, some key terms about Botnets must be introduced, and the cause and effect of Botnets in real-world situations must be understood. This section discusses the key terms about Botnets and P2P Botnets to build a better understanding of them.

2.1 Botnet

Nowadays the most serious manifestation of advanced malware is the Botnet [3]. Botnets are a very real and quickly evolving problem that is still not well understood or studied. A Botnet is a collection of computers that have been infected by malicious software and become bots, drones or zombies, assimilated into a larger collective through a centralised command and control (C&C) infrastructure [4]. The C&C controlling the bots is mostly malicious in nature and can illegally control the computing resources. Botnets exploit and recruit computers into an army for cyber attacks, and can be used for spamming, fake websites, DDoS attacks, viruses, worms, backdoors, information harvesting, phishing and scams [4]. The malicious behaviour of Botnets creates widespread security and safety issues that propagate cyber crime.

According to the SearchSecurity.com website, a report from the Russian firm Kaspersky Lab states that Botnets currently pose the biggest threat to the Internet, and a report from Symantec came to a similar conclusion [5, 6]. In addition, the Emerging Cyber Threats Report 2011, presented at the Georgia Tech Information Security Center (GTISC) Security Summit 2010, listed Botnets as one of the emerging threats for 2011 [7]. Among the cases mentioned in the report is the Mariposa Botnet, which stole financial credentials: almost 800,000 items of financial information were found on the operators' home computers.

2.2 IRC, HTTP and P2P Botnet

Combining Botnets with current technology such as IRC, HTTP and peer-to-peer (P2P) lets them silently hide their tactics inside benign-looking applications. Several studies have detected IRC and HTTP Botnets through network monitoring analysis, and most of their activity is easy to annihilate because every bot connects to a central command and control server. P2P Botnets are harder to detect because their command and control is distributed, in the same way as the P2P peers that share files over the Internet.

P2P Botnets are one of the most recent phenomena, and cyber defence needs new Computational Intelligence (CI) techniques because traditional intrusion detection methods are being foiled by P2P Botnets [8]. In a P2P Botnet every compromised machine in the swarm acts as a peer for the others. This study uses anomaly detection, which distinguishes the characteristics of normal network traffic from those of abnormal network traffic. Misuse detection is insufficient for P2P Botnet detection and classification because it requires advance knowledge of specific characteristics of the malicious software in order to create the rules used to monitor for those characteristics. The operation of a P2P Botnet is depicted in Fig. 3.

Fig. 3: P2P Botnet Operation [9]

3. Botnet Detection

A Botnet detection technique is a technique used to detect or identify Botnet activities. Previous research has proposed different solutions to the Botnet problem. Initially, Botnet detection techniques were divided into two approaches: honeynet-based and Intrusion Detection System (IDS) based.

The earliest informal studies of Botnet attacks were based on setting up honeynets [10][11][12][13]. Most researchers set up honeynets to analyse bots and to learn the tools, tactics and motives of the botmaster [21]. However, a honeynet is only good for understanding Botnet characteristics and technology; it cannot detect bot infections all the time. This situation led researchers to IDS techniques, which are more useful for identifying the existence of a Botnet. In general, IDS-based Botnet detection can be categorised into anomaly-based, signature-based and hybrid-based detection [3][14][15][16][17][18][19][20][21][59].

Fig. 4: Botnet Detection Technique. The figure is a taxonomy tree: Honeynet-based (honeypot, honeywall) and Intrusion Detection System (IDS) based, the latter covering behaviour-based detection, anomaly-based detection (DNS-based, data mining-based, host-based) and active or passive monitoring.

Based on previous work, the characteristics of each technique are as follows.

3.1 Anomaly-based Detection

Anomaly-based detection is a part of behaviour-based detection. It is divided into DNS-based, data mining-based, host-based and network-based detection. These techniques attempt to detect Botnets from network traffic anomalies such as high network latency, high volumes of traffic, traffic on unusual ports and unusual system behaviour that could indicate the presence of malicious bots in the network [3][19][20][22]. In other words, they model normal behaviour in order to catch attacks that would otherwise go undetected. Thus the anomaly-based technique is capable of detecting unknown Botnets and novel attacks. Unfortunately, it produces a high rate of false positive alarms.

3.1.1 DNS-based

DNS-based detection is performed by monitoring DNS and looking for DNS traffic anomalies. To succeed, this technique needs the DNS information generated by a Botnet [15]. Bots usually send DNS queries to reach the bot servers, which is helpful because bots use DNS to find the address of the botmaster. In turn, the DNS queries that are carried out help to locate a particular bot server.

3.1.2 Data Mining-based

Data mining-based detection techniques were proposed to improve accuracy [21]. Data mining is an effective technique for Botnet detection because it can be used efficiently to detect Botnet C&C traffic through machine learning, classification and clustering.

3.1.3 Host-based

The host-based approach monitors a machine for indications of bot infection [59]. Once a bot has been activated the host degrades: the bot changes the system registry and system files [21], and then makes a series of system and library calls.

3.1.4 Network-based

The network-based approach [21][59] focuses on monitoring network traffic for: (i) detection of individual bots by checking for traffic patterns or content that can reveal the command and control (C&C) server or malicious bot-related activities; and (ii) analysis of traffic showing that two or more hosts behave with similar patterns, as bots reacting to the same command do. Network-based monitoring can be done either in active or in passive mode.

3.2 Signature-based Detection

Like anomaly-based techniques, signature-based detection is also a part of behaviour-based detection. These techniques learn useful signatures or behaviours from existing Botnets [15][16]. This solution is useful for accurately detecting known Botnets rather than unknown bots. In addition, signature-based detection is immediate and, for a specific signature, produces no false positives in principle. It requires fewer system resources to make the detection.
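The following is an added example, not code from the paper or from any of the surveyed systems. It runs the DNS-based check of 3.1.1 (several hosts resolving the same name at almost the same moment, the group activity of [48]), the network-based check of 3.1.4 (ii) (several hosts beaconing to the same destination with the same period and message size) and a signature-based check in the spirit of 3.2 over constructed log records, and then combines the three verdicts the way a hybrid technique does. The log records, hosts, names, the IRC nickname signature and all thresholds are invented for the example; none of them come from the paper.

```python
"""Toy Botnet detector: DNS group activity and beacon similarity (anomaly) plus
a payload signature.  Added example; every record, host, name, signature and
threshold here is constructed, not taken from the paper or a surveyed system."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS log: (time in seconds, source host, queried name).
DNS_LOG = [
    (100.0, "10.0.0.11", "c2-relay.example"),
    (100.4, "10.0.0.12", "c2-relay.example"),
    (101.1, "10.0.0.13", "c2-relay.example"),
    (100.2, "10.0.0.20", "www.example.com"),   # a popular name queried by
    (3600.0, "10.0.0.21", "www.example.com"),  # three hosts hours apart is
    (7200.0, "10.0.0.11", "www.example.com"),  # not group activity
]
# Constructed flow log: (time, source, destination, port, bytes, payload).
# .11/.12 cleartext IRC bots; .13 same bot, encrypted channel; .20 a lone
# periodic NTP client; .21 a browser with irregular timing.
FLOWS = [
    (100.0, "10.0.0.11", "198.51.100.7", 6667, 118, "NICK USA-231906"),
    (160.0, "10.0.0.11", "198.51.100.7", 6667, 122, "PING :c2"),
    (220.0, "10.0.0.11", "198.51.100.7", 6667, 120, "PING :c2"),
    (101.0, "10.0.0.12", "198.51.100.7", 6667, 120, "NICK DEU-551234"),
    (161.0, "10.0.0.12", "198.51.100.7", 6667, 121, "PING :c2"),
    (221.0, "10.0.0.12", "198.51.100.7", 6667, 119, "PING :c2"),
    (103.0, "10.0.0.13", "198.51.100.7", 6667, 121, "\x17\x03\x03\x00t"),
    (163.0, "10.0.0.13", "198.51.100.7", 6667, 120, "\x17\x03\x03\x00s"),
    (223.0, "10.0.0.13", "198.51.100.7", 6667, 122, "\x17\x03\x03\x00u"),
    (100.0, "10.0.0.20", "203.0.113.5", 123, 76, ""),
    (164.0, "10.0.0.20", "203.0.113.5", 123, 76, ""),
    (228.0, "10.0.0.20", "203.0.113.5", 123, 76, ""),
    (100.0, "10.0.0.21", "203.0.113.9", 443, 1500, ""),
    (130.0, "10.0.0.21", "203.0.113.9", 443, 300, ""),
    (900.0, "10.0.0.21", "203.0.113.9", 443, 20000, ""),
]
MIN_GROUP = 3     # hosts that must query the same name together
DNS_WINDOW = 5.0  # seconds; the group's queries must fall inside it
MIN_BEACONS = 3   # flows per (host, destination) before judging timing
MAX_CV = 0.2      # std/mean of inter-flow gaps; below this is "periodic"
SIGNATURE = re.compile(r"\bNICK\s+[A-Z]{3}-\d{6}\b")  # invented nick format

def dns_group_activity(dns_log, min_group=MIN_GROUP, window=DNS_WINDOW):
    """DNS-based (3.1.1): {name: hosts} resolved by >= min_group hosts in one window."""
    by_name = defaultdict(list)
    for ts, src, name in dns_log:
        by_name[name].append((ts, src))
    groups = {}
    for name, entries in by_name.items():
        entries.sort()
        windows = ({src for ts, src in entries[i:] if ts - t0 <= window}
                   for i, (t0, _) in enumerate(entries))
        best = max(windows, key=len)  # densest window of distinct hosts
        if len(best) >= min_group:
            groups[name] = sorted(best)
    return groups

def beacon_groups(flows, min_beacons=MIN_BEACONS, max_cv=MAX_CV):
    """Network-based (3.1.4 ii): {(dst, port, period, size): hosts} beaconing alike."""
    per_conn = defaultdict(list)
    for ts, src, dst, port, size, _ in flows:
        per_conn[(src, dst, port)].append((ts, size))
    clusters = defaultdict(set)
    for (src, dst, port), recs in per_conn.items():
        if len(recs) < min_beacons:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_cv:
            continue  # irregular timing: an ordinary client, not a beacon
        size = round(mean([s for _, s in recs]) / 50) * 50  # 50-byte bins
        clusters[(dst, port, round(period / 5) * 5, size)].add(src)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= 2}

def signature_hits(flows, pattern=SIGNATURE):
    """Signature-based (3.2): {host: matches} of known C&C dialogue in payloads."""
    hits = defaultdict(list)
    for _, src, _, _, _, payload in flows:
        m = pattern.search(payload)
        if m:
            hits[src].append(m.group(0))
    return dict(hits)

def classify(flows, dns_log):
    """Hybrid: signature hit = known bot; two independent anomalies = suspected bot."""
    evidence = defaultdict(set)
    for label, groups in (("dns-group", dns_group_activity(dns_log)),
                          ("beacon-group", beacon_groups(flows))):
        for key, hosts in groups.items():
            for h in hosts:
                evidence[h].add(f"{label}:{key}")
    sigs = signature_hits(flows)
    for h, matches in sigs.items():
        evidence[h].add(f"signature:{matches[0]}")
    verdicts = {}
    for h in sorted({f[1] for f in flows} | {d[1] for d in dns_log}):
        n = len(evidence.get(h, ()))
        verdicts[h] = ("known bot" if h in sigs else "suspected bot" if n >= 2
                       else "anomalous" if n else "clean")
    return verdicts, dict(evidence)
```

Calling `classify(FLOWS, DNS_LOG)` labels 10.0.0.11 and 10.0.0.12 as known bots from the signature alone, labels 10.0.0.13 a suspected bot even though its channel carries no cleartext (the DNS group and the beacon group are content-independent, which is what the encrypted-bot and protocol-independence criteria of Section 4 ask for), and leaves the NTP client and the browser clean. The thresholds are the weak point: a popular name resolved by many hosts right after a shared event, or a fleet polling the same update server, produces the same group pattern, which is exactly the false-positive problem the text attributes to anomaly-based detection. In practice the anomaly verdict is a trigger for investigation and the signature verdict is the only one to act on automatically.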

3.3 Hybrid-based Detection

In a hybrid-based detection technique, two or more IDS techniques are combined: for example DNS-based with anomaly-based, signature-based with anomaly-based, or data mining-based with anomaly-based. Signature-based, DNS-based and data mining-based techniques share the same limitation, namely that they can only detect known attacks and not unknown ones, whereas anomaly-based detection has the extra capability of detecting unknown attacks. Based on the analysis in [14], combining IDS techniques lets them complement each other's weaknesses.

In summary, 45 studies of various Botnet detection techniques have been reviewed. Table 1 shows the related literature in Botnet detection techniques.

Table 1: Related Literature Review in Botnet Detection

Botnet Detection Technique   Paper Review Reference No.
Anomaly-based                [20], [23], [24], [25], [26], [27], [28], [29], [30], [31], [32], [33], [34], [35], [36], [37], [44], [45], [48], [49], [50], [51], [52], [53], [54], [55], [62]
Signature-based              [38], [39], [40], [41], [42], [43], [46]
Hybrid-based                 [28], [29], [39], [44], [45], [47], [48], [49], [51], [62]

4. Proposed Criterion for Botnet Detection Techniques

Botnet detection and prevention is an important research topic. Various techniques have been proposed for the detection, prevention and mitigation of Botnet attacks, but Botnet detection is not an easy task: technically, a Botnet can only be detected while it is communicating across a large-scale network. This section provides a comprehensive comparison of Botnet detection techniques with respect to the detection criteria. The comparison is summarised in Table 2 in Appendix A.

These detection criteria are responsible for the success of Botnet detection. The criteria are based on the actual goals of Botnet detection. The detection rate of a Botnet detection technique can be measured against them, as can how far a technique can be applied and practised in a real situation. The criteria also help researchers analyse the advantages and limitations of a technique and distinguish it from other techniques.

Furthermore, the criteria serve as an indicator of the effectiveness and efficiency of a technique, so this paper uses them to differentiate between techniques. Some researchers have already evaluated Botnet detection techniques using some of these criteria; in particular, [15] covers five of the nine criteria listed below. The nine detection criteria are described in Table 3.

Table 3: Detection Criteria

Criterion                               Description
Unknown Botnet Detection                Detection of new intrusions and novel attacks
Protocol and Structure Independent      Identification of Botnet C&C traffic even when botmasters change their C&C communication protocol and structure
Low False Positive                      A low rate of false positive alarms
Low Cost                                Exploration in a simple way
Low Risk                                Detection performed in passive monitoring mode
Encrypted Bot Detection                 Detection of encrypted C&C Botnet communication
Real-Time/Real-World Detection          Detection on real network traces, that is, the technique is turned into active mode
Not Require Prior Knowledge             No Botnet-specific information is needed to make the detection
Reveal Bot Servers and C&C Migration    The bot servers can be discovered

As shown in Table 2, most researchers use the anomaly-based technique to detect unknown Botnets [33][34][35][36][37][62], while signature-based techniques can only detect known Botnets [38][39][40][41][42][43][46]. This indicates that Botnet detection attempts to estimate the normal behaviour of the system to be protected, with detection then made on traffic anomalies; thus detection covers both current and future Botnets.

Nevertheless, some Botnet detection techniques [26][28][48][51] can detect Botnets in a protocol- and structure-independent way. These techniques remain effective even after botmasters have changed their C&C communication protocol and structure [15].

Among all detection techniques, only a few [23][48][60] can reveal Botnet servers

and C&C migration. Taking down the bot C&C server allows Botnet attacks to be thwarted directly from the beginning, by gaining access to and shutting down the central component.

On the other hand, most researchers 8][51][59] report a very low false positive rate in simple and realistic scenarios. Meanwhile, a low-cost technique [23][26][27][28][29][39][40] can sometimes be just as effective even though it is explored in a simple way. The same researchers [23][26][27][28][29][39][40] also take a low-risk approach by performing detection in passive monitoring mode. Consequently, their detection does not take place on real network traces.

Overall, the techniques in [24][27][28][44][45][46][47][48][51][59] currently detect encrypted C&C Botnet communication. Encryption immediately makes content signatures useless, which in turn makes the detection analysis a difficult task. Recently, most Botnet detection techniques [28][34][35][37][47][50][55][57][58][59] have allowed real-time or real-world detection. However, the analysis for detection is done in passive mode before it can really be tested in a real scenario that provides active countermeasures, because active countermeasures run the risk of false positives [15].

Moreover, several techniques [20][27][28][36][37][53][55][57] distinguish themselves from similar work by not needing prior knowledge of the Botnet, such as a Botnet signature; in other words, they do not require any Botnet-specific information to make the detection. As a result, these techniques have chosen anomaly-based and data mining-based approaches.

According to this brief comparison, only the technique in [48] can detect real-world Botnets irrespective of Botnet protocol and structure, reveal the bot C&C server, and detect encrypted Botnets with a very low false positive rate, as also claimed by [15]. However, the Hybrid-SA technique, the combination of signature-based and anomaly-based detection proposed by [14], is a comprehensive approach to fighting the Botnet threat in real-world situations. The two techniques complement each other in dealing with known and unknown Botnets, including detection of encrypted bots, reduction of false positive and false negative alerts, real-world detection, and revealing the bot C&C servers. Signature-based detection is immediate and, in principle, free of false positives, but it can only detect well-known Botnets, and very similar bots with slightly different signatures may be missed. The anomaly-based technique, by contrast, addresses the problem of detecting unknown Botnets by showing the existence of bots in the network. It also has the extra capability of reducing false negative alerts and detecting multi-step attacks [14]. Nevertheless, it cannot reduce false positive alerts, which can only be reduced by using the signature-based technique. Hence the two techniques complement each other's weaknesses.

5. Conclusions

In this study, the researchers have reviewed and summarised the different approaches of existing Botnet detection techniques. They have also compared Botnet detection techniques on the detection criteria: unknown Botnet detection, protocol and structure independence, low false positives, low cost, low risk, encrypted bot detection, real-time/real-world detection, no prior knowledge required, and revealing bot servers and C&C migration. The comparative analysis of Botnet detection techniques has thus been presented on these factors. This research is preliminary work on Botnet detection. It will contribute ideas to the development of a new Botnet detection technique by finding the gaps between the existing Botnet detection techniques.

Appendix

Appendix A is given as Table 2 below.

Acknowledgments

The authors would like to express their appreciation to the Inforslab Group of Universiti Teknikal Malaysia Melaka (UTeM) and the MyBrain15 Programme of the Ministry of Higher Education Malaysia (MoHE) for their invaluable technical and financial support in encouraging the authors to publish this paper.

References

[1] McAfee Threats Report: First Quarter 2012. [Online] Retrieved on June 2012 from terly-threat-q1-2012.pdf
[2] eSecurity, Cyber Security Malaysia: MyCERT 3rd Quarter 2012 Summary Report, Volume 32. [Online] Retrieved from tin/vol32-Q312.pdf
[3] Zeidanloo, H.R., Shooshtari, M.J.Z., Amoli, P.V., Safari, M., Zamani, M.: A taxonomy of Botnet detection techniques. Computer Science and Information Technology

(ICCSIT), 2010 3rd IEEE International Conference on, vol. 2, pp. 158-162, 9-11 July 2010.
[4] Mielke, C.J., Chen, H.: Botnets, and the cybercriminal underground. Intelligence and Security Informatics, 2008. ISI 2008. IEEE International Conference on, pp. 206-211, 17-20 June 2008.
[5] SearchSecurity.com. [Online] Retrieved on January 2011 from http://searchsecurity.techtarget.com
[6] Westervelt, R.: Conficker Botnet Ready to be Split, Sold. SearchSecurity.com, 2009. [Online] Retrieved from om/news/article/0,289142,sid14 gci1349282 mem1,00.html
[7] Georgia Tech Information Security Center (GTISC): Emerging Cyber Threat Report 2011. Security Summit 2011.
[8] Estrada, V.C., Nakao, A.: A Survey on the Use of Traffic Traces to Battle Internet Threats. Knowledge Discovery and Data Mining, 2010. WKDD '10. Third International Conference on, pp. 601-604, 9-10 Jan. 2010.
[9] Liao, W.-H., Chang, C.-C.: Peer to Peer Botnet Detection Using Data Mining Scheme. Internet Technology and Applications, 2010 International Conference on, pp. 1-4, 20-22 Aug. 2010.
[10] Honeynet Project and Research Alliance: Know Your Enemy: Tracking Botnets. [Online] Retrieved on June 2012 from http://www.honeynet.org/papers/bots
[11] Baecher, P., Koetter, M., et al.: The Nepenthes Platform: An Efficient Approach to Collect Malware. Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), 2006.
[12] Freiling, F., Holz, T., Wicherski, G.: Botnet Tracking: Exploring a Root-cause Methodology to Prevent Denial of Service Attacks. Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS), 2005.
[13] Provos, N.: A Virtual Honeypot Framework. Proceedings of the 13th USENIX Security Symposium, 2004.
[14] Robiah, Y., Siti Rahayu, S., Mohd Zaki, M., Shahrin, S., Faizal, M.A., Marliza, R.: A New Generic Taxonomy on Hybrid Malware Detection Technique. (IJCSIS) International Journal of Computer Science and Information Security, Vol. 5, No. 1, 2009.
[15] Feily, M., Shahrestani, A., et al.: A Survey of Botnet and Botnet Detection. Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), 2009.
[16] Zeidanloo, H.R., Hosseinpour, F., Etemad, F.F.: New Approach for Detection of IRC and P2P Botnets. International Journal of Computer and Electrical Engineering, Vol. 2, No. 6, ISSN 1793-8163, 2010.
[17] Rahim, A., Muhaya, F.T., et al.: Discovering the Botnet Detection Techniques, 2010.
[18] Chao, L., Wei, J., et al.: Botnet: Survey and Case Study. Fourth International Conference on Innovative Computing, Information and Control (ICICIC), 2009.
[19] Garcia-Teodoro, P., Diaz-Verdejo, J., et al.: Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security 28: 18-28, 2009.
[20] Zeidanloo, H.R. and A., A.B.: Botnet Detection by Monitoring Similar Communication Patterns. (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3: 36-45, 2010.
[21] Jeong, O.K., Kim, C., et al.: Botnets: Threats and Responses. International Journal of Web Information Systems, Vol. 7, Iss. 1, pp. 6-17, 2011.
[22] Saha, B., Gairola, A.: Botnet: An Overview. CERT-In White Paper CIWP-2005-05, 2005.
[23] Binkley, J.R., Singh, S.: An algorithm for anomaly-based Botnet detection. Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006.
[24] Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-Scale Botnet Detection and Characterization. Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), 2007.
[25] Stinson, E., Mitchell, J.C.: Characterizing Bots' Remote Control Behavior. Proceedings of the 4th GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2007.
[26] Gu, G., Porras, P., et al.: BotHunter: Detecting Malware Infection through IDS-Driven Dialog Correlation. Proceedings of the 16th USENIX Security Symposium, Boston, 2007.
[27] Gu, G., Zhang, J., et al.: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS), 2008.
[28] Gu, G., Perdisci, R., et al.: BotMiner: Clustering analysis of network traffic for protocol- and structure-independent Botnet detection. Proceedings of the 17th USENIX Security Symposium, San Jose, CA, USENIX Association, 2008.
[29] Strayer, W., Lapsely, D., et al.: Botnet Detection Based on Network Behavior. In: Botnet Detection, Springer US, vol. 36, pp. 1-24, 2008.
[30] Liu, L., Chen, S., et al.: BotTracer: Execution-Based Bot-Like Malware Detection. In: Information Security, LNCS 5222, pp. 97-113, Springer, Berlin/Heidelberg, 2008.
[31] Gu, G., Yegneswaran, V., et al.: Active Botnet Probing to Identify Obscure Command and Control Channels. Annual Computer Security Applications Conference (ACSAC), 2009.
[32] Villamarin-Salomon, R., et al.: Bayesian bot detection based on DNS traffic similarity. Proceedings of the 2009 ACM Symposium on Applied Computing, Honolulu, Hawaii, ACM, 2009.
[33] Lu, W., Tavallaee, M., et al.: Automatic discovery of Botnet communities on large-scale communication networks. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, ACM, 2009.
[34] Chang, S., Daniels, T.E.: P2P Botnet detection using behavior clustering and statistical tests. Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, Chicago, Illinois, USA, ACM, 2009.
[35] Zeng, Y., Hu, X., et al.: Detection of Botnets using Combined Host- and Network-Level Information. IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2010.
[36] Al-Hammadi, Y., Aickelin, U.: Behavioural Correlation for Detecting P2P Bots. Second International Conference on Future Networks (ICFN), 2010.
[37] Arshad, S., Abbaspour, M., et al.: An anomaly-based Botnet detection approach for identifying stealthy Botnets. IEEE International Conference on Computer Applications and Industrial Electronics (ICCAIE), 2011.
[38] Snort IDS. [Online] Retrieved on January 2013 from http://www.snort.org
[39] Goebel, J., Holz, T.: Rishi: Identify bot contaminated hosts by IRC nickname evaluation. Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, USENIX Association, 2007.
[40] Xie, Y., Yu, F., et al.: Spamming Botnets: Signatures and Characteristics. Proceedings of the ACM SIGCOMM Conference on Data Communication, Seattle, WA, USA, 2008.
[41] Wang, W., Fang, B., et al.: A Novel Approach to Detect IRC-Based Botnets. International Conference on Networks Security, Wireless Communications and Trusted Computing (NSWCTC), 2009.
[42] Behal, S., Brar, A.S., et al.: Signature-based Botnet Detection and Prevention, 2009.
[43] Rieck, K., Schwenk, G., et al.: Botzilla: Detecting the "Phoning Home" of Malicious Software. Proceedings of the ACM Symposium on Applied Computing, Sierre, Switzerland, ACM, 2010.
[44] Kristoff, J.: Botnets. 32nd Meeting of the North American Network Operators Group (NANOG), 2004.
[45] Dagon, D.: Botnet Detection and Response: The Network is the Infection. OARC Workshop, 2005.
[46] Van Helmond, D.J., Schonewille, A.: The Domain Name Service as an IDS. Master Project, University of Amsterdam, Netherlands, 2006.
[47] Ramachandran, A., Feamster, N., Dagon, D.: Revealing Botnet membership using DNSBL counter-intelligence. Proceedings of the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), San Jose, 2006.
[48] Choi, H., Lee, H., et al.: Botnet Detection by Monitoring Group Activities in DNS Traffic. 7th IEEE International Conference on Computer and Information Technology (CIT), 2007.
[49] Villamarin-Salomon, R., Brustoloni, J.C.: Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic. 5th IEEE Consumer Communications
