Botnet Detection
Safiullah – 1018052094
Md. Nafiul Alam Nipu – 1018052092
Department of Computer Science and Engineering
Bangladesh University of Engineering and Technology (BUET), Dhaka, Bangladesh
What is BotNet
• BotNet comes from two words: Robot and Network.
• A network of compromised machines used to commit cyber crimes.
• A PC is botted through
  – drive-by download,
  – installing a Trojan horse on the computer, or
  – using an infected removable disk
• Bots are remotely controlled by a BotMaster
• Communicates via a C&C server
• Operates without the user's knowledge
What to do with Botnet
Platforms to launch various attacks:
— Email spam campaigns
— Denial-of-service attacks
— Spreading adware/spyware
— Data theft (financial information, online identities and user logins)
— Ransomware attacks
Some Botnets
– EarthLink Spammer – 2000: Khan K. Smith sent 1.25 million emails using the EarthLink network and was sued for $25 million
– Grum – 2008: It was capable of sending 39.9 million messages per day, or 18% of the world's spam
– Mirai – 2016: Infected over 600000 devices to launch DDoS attacks against well-known websites on the U.S. East Coast
Worst Botnet Affected Countries (bar chart; values as labelled on the bars)
India      2880713
China      1984434
Iran       1118990
Vietnam     809561
Brazil      745829
Thailand    715622
Pakistan    396679
Russia      377124
Architecture
• Centralised
  — HTTP
  — IRC
• Decentralised
  — P2P
IRC Centralised Botnet is Popular for its Simplicity
Life Cycle of Botnet
Basic Infection → Bot Injection → Rallying → Command Execution → Maintenance & Update
Botnet Detection Techniques
☼ Signature Based
☼ Anomaly Based
☼ DNS Based Detection
☼ Mining Based Detection
☼ Honey-Nets
Signature Based Botnet Detection
• If any packet matches an entry in the signature database, where known malicious patterns are stored, the host is flagged as botnetted.
• Immediate detection is possible and it is easier to implement
• The signature database needs to be updated regularly, and the DB must be robust
• Works only for known botnets
Diagram (components): Monitoring network traffic; Intrusion Detection System; New Signature Development; Filtering of Network Traffic; Signature Database
Anomaly Based Detection
• A baseline is created consisting of the traffic behavior of all components in the network
• Considers several different network traffic anomalies:
  – high network latency,
  – high traffic volume,
  – traffic on unusual ports, and
  – unusual system behavior
• Can detect unknown botnets
• Two types
  1. Host based: monitors and analyzes the internals of a computer system instead of the network traffic on its external interfaces. If suspicious activity is detected, it alerts the user or administrator.
  2. Network based: detects botnets by monitoring network traffic.
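The network-based variant above, as an added example that is not part of the original slides: a per-host baseline is learned from constructed flow records (host, destination port, bytes), and later flows are flagged for the two anomalies the slide lists, traffic on a port the host never used and a volume far above its baseline. The record format, the hosts and the 3-sigma threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (src_host, dst_port, bytes). The first list is the
# learning window used to build the baseline, the second is the window inspected.
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 12000), ("10.0.0.5", 443, 15000), ("10.0.0.5", 80, 9000),
    ("10.0.0.5", 443, 13000), ("10.0.0.5", 53, 300), ("10.0.0.5", 443, 14000),
    ("10.0.0.7", 443, 8000), ("10.0.0.7", 80, 7000), ("10.0.0.7", 443, 8500),
    ("10.0.0.7", 53, 250), ("10.0.0.7", 443, 9000), ("10.0.0.7", 80, 7500),
]
NEW_FLOWS = [
    ("10.0.0.5", 443, 12500),   # ordinary
    ("10.0.0.5", 6667, 400),    # port this host has never used before
    ("10.0.0.7", 80, 950000),   # volume far above this host's baseline
    ("10.0.0.7", 443, 8200),    # ordinary
]

def build_baseline(flows):
    """Per-host baseline: set of ports seen, mean and stdev of bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for host, port, nbytes in flows:
        ports[host].add(port)
        sizes[host].append(nbytes)
    return {h: {"ports": ports[h], "mean": statistics.mean(sizes[h]),
                "stdev": statistics.pstdev(sizes[h])} for h in ports}

def score_flows(flows, baseline, k=3.0):
    """Return (host, port, reason) for every flow that deviates from the baseline.
    A flow can raise more than one reason; hosts without a baseline are reported."""
    alerts = []
    for host, port, nbytes in flows:
        b = baseline.get(host)
        if b is None:
            alerts.append((host, port, "unknown host"))
            continue
        if port not in b["ports"]:
            alerts.append((host, port, "unusual port"))
        if nbytes > b["mean"] + k * b["stdev"]:
            alerts.append((host, port, "high traffic volume"))
    return alerts

if __name__ == "__main__":
    for alert in score_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

A real baseline would be built over a longer window and per (host, port) pair; a single window with so few flows is only enough to show the mechanism.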
DNS Based Botnet Detection
• Bots have to send DNS queries to learn the IP address of the C&C server
• Monitoring DNS traffic and detecting unusual or unexpected DNS queries can pave the way to detecting botnets
• C&C servers are distributed in present-day botnets
• Bots use dynamic DNS entries with a very short "time to live" field
• In a DGA botnet, even if the domain of the C&C server is detected and all connections to those addresses are blocked, the botnet has not been eliminated completely: the botmaster just registers a new address from the domain set and the bots continue to operate as normal.
DNS Based Botnet Detection (figure)
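The DGA and short-TTL indicators above, as an added example that is not part of the original slides: a Python scorer over constructed DNS resolver log lines (the log format, the hosts and the lexical thresholds are assumptions) rates each queried name for DGA-like features and tallies, per client, how many DGA-like names, NXDOMAIN answers and very short TTLs were seen.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (assumed format): client  qname  rcode  ttl
DNS_LOG = """\
10.0.0.5  www.wikipedia.org   NOERROR  3600
10.0.0.5  mail.google.com     NOERROR  300
10.0.0.9  xkq7vz2pwlm4nf.com  NXDOMAIN 0
10.0.0.9  jd9s3kfuq1zxcv.net  NXDOMAIN 0
10.0.0.9  p0v8qwlxzjrnb2.com  NXDOMAIN 0
10.0.0.9  t3xvqpz9kmlwgh.org  NOERROR  30
10.0.0.5  cdn.example.com     NOERROR  600
"""

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(qname):
    """Lexical score of the second-level label: 0 = word-like, up to 4 = DGA-like.
    The four thresholds are assumptions chosen for this illustration."""
    parts = qname.lower().split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    checks = [len(label) >= 12, entropy(label) > 3.0,
              vowel_ratio < 0.25, any(ch.isdigit() for ch in label)]
    return sum(checks)

def flag_clients(log, min_dga_like=3):
    """Per client, count DGA-like names, NXDOMAIN answers and TTLs of 60 s or less;
    return the clients whose DGA-like count reaches min_dga_like, with their counts."""
    stats = defaultdict(Counter)
    for line in log.strip().splitlines():
        client, qname, rcode, ttl = line.split()
        if dga_score(qname) >= 3:
            stats[client]["dga_like"] += 1
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
        if int(ttl) <= 60:
            stats[client]["short_ttl"] += 1
    return {c: dict(s) for c, s in stats.items() if s["dga_like"] >= min_dga_like}

if __name__ == "__main__":
    print(flag_clients(DNS_LOG))
```

The NXDOMAIN count matters because a bot walking through its generated list gets failures for every domain the botmaster did not register, while legitimate clients rarely produce a burst of them.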
Mining Based Botnet Detection
• Anomaly detection is based on network behavior anomalies
• C&C traffic does not reveal anomalous behavior
• Anomaly based techniques are therefore not useful for it
• Data mining based techniques were introduced to solve this problem
Mining Based Detection Techniques
• Detect botnet C&C traffic by passive analysis applied to network flow information
• Based on flow characteristics (e.g. duration, bytes/second, TCP flags)
• Decision Trees, Naive Bayes and Bayesian Net algorithms are used to classify network flows
Mining Based Detection Techniques (Continued..)
• Detect botnet communication patterns by analyzing payload and flow
• Classify the network traffic into different applications by using traffic payload signatures
• Perform clustering to detect anomalous behavior
Mining Based Detection Techniques (Continued..)
• Cluster similar communication traffic and similar malicious traffic
• Cross-correlate these two sets of clusters to identify patterns
• Possible to identify structures embedded in the network
• BotMiner can detect botnets including IRC-based, HTTP-based and P2P botnets with a very low false positive rate
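The cross-cluster correlation above, as an added example that is not part of the original slides or of BotMiner itself: constructed communication records (C-plane) are grouped by who-talks-to-whom-how, constructed activity records (A-plane) are grouped by kind of malicious activity, and a C-plane cluster is reported only when enough of its members also appear in the A-plane. The hosts, the coarse binning used as a stand-in for real clustering, and the overlap threshold are assumptions.

```python
from collections import defaultdict

# Constructed C-plane records: (host, destination, flows per hour, bytes per flow)
C_PLANE = [
    ("10.0.0.11", "198.51.100.7", 12, 210),
    ("10.0.0.12", "198.51.100.7", 12, 205),
    ("10.0.0.13", "198.51.100.7", 11, 215),
    ("10.0.0.30", "198.51.100.7", 12, 212),   # same beaconing pattern, nothing bad seen yet
    ("10.0.0.20", "203.0.113.9", 60, 48000),  # ordinary web traffic
    ("10.0.0.21", "203.0.113.9", 58, 48020),
]
# Constructed A-plane records: (host, malicious activity observed)
A_PLANE = [
    ("10.0.0.11", "scan"), ("10.0.0.12", "scan"), ("10.0.0.13", "spam"),
    ("10.0.0.21", "scan"),   # lone scanner; its C-plane cluster has no other offender
]

def c_plane_clusters(records):
    """Group hosts with similar communication patterns: same destination and
    coarsely binned flow rate and flow size (a simple stand-in for BotMiner's clustering)."""
    groups = defaultdict(set)
    for host, dst, fph, bpf in records:
        groups[(dst, round(fph / 5), round(bpf / 50))].add(host)
    return [hosts for hosts in groups.values() if len(hosts) >= 2]

def a_plane_clusters(records):
    """Group hosts by the kind of malicious activity observed."""
    groups = defaultdict(set)
    for host, activity in records:
        groups[activity].add(host)
    return list(groups.values())

def cross_correlate(c_clusters, a_clusters, min_overlap=2):
    """Report every member of a C-plane cluster in which at least min_overlap hosts
    also appear in some A-plane cluster. Shared C&C pattern plus shared malicious
    activity is the signal, so silent members of that cluster are reported too."""
    offenders = set().union(*a_clusters) if a_clusters else set()
    bots = set()
    for cluster in c_clusters:
        if len(cluster & offenders) >= min_overlap:
            bots |= cluster
    return bots

def detect(c_records, a_records):
    return cross_correlate(c_plane_clusters(c_records), a_plane_clusters(a_records))

if __name__ == "__main__":
    print(sorted(detect(C_PLANE, A_PLANE)))
```

Note the two outcomes the threshold produces: 10.0.0.30 is reported although no malicious activity was seen from it, because it shares the C&C pattern of three confirmed offenders, while the lone scanner 10.0.0.21 is not, because its communication cluster contains no other offender.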
Botnet Detection: Honeypot and Honeynet
• Can be defined as an environment where vulnerabilities have been deliberately introduced to observe attacks and intrusions
• Used to
  - detect security threats
  - collect malware signatures
  - understand the motivation and technique behind the threat used by the perpetrator
• Honeypots of different sizes form a honeynet
• Honeynets based on Linux are preferred for their rich toolbox contents
• Classified as high-interaction and low-interaction
Different Kinds of Honeypots
• High-interaction honeypots can simulate all aspects of a real OS; low-interaction honeypots can simulate only the important features of a real OS
• High-interaction honeypots allow intruders to gain full control of the OS, but low-interaction honeypots do not allow it.
• A physical honeypot is a real machine running a real OS, whereas a virtual honeypot is an emulation of a real machine on a virtualization host.
Potential Honeypot Trap (figure)
Preventing Botnet Infections
• Use a firewall
• Patch regularly and promptly
• Use antivirus (AV) software
• Report unusual behavior
• Avoid visiting suspicious sites
• Avoid opening suspicious mail attachments
• Avoid installing software from untrusted sources
Conclusion
• Botnets pose a significant and growing threat to cyber security
• They provide a key platform for many cyber crimes (e.g. DDoS)
• Network security has become an integral part of our life, and botnets have become the most serious threat to it
• It is very important to detect botnet attacks and find solutions for them