2015 International Electronics Symposium (IES)

A Survey on Botnet: Classification, Detection and Defense

Pedram Amini
Dept. of Information and Communications Technology, Malek-Ashtar University of Technology, Tehran, Iran, [email protected]

Muhammad Amin Araghizadeh
Dept. of Electrical and Computer Engineering, University of Tehran, Tehran, Iran, [email protected]

Reza Azmi
Dept. of Technical and Engineering, Alzahra University, Tehran, Iran, [email protected]

Abstract—In recent years, Botnets have become an important security problem on the Internet. Botnets have been used for many attacks, such as banking information theft, spam, distributed denial-of-service, identity theft and phishing. Consequently, they have become a major research topic in network security. Although there are several surveys on Botnets, they usually do not include a complete review of the Botnet phenomenon. This paper is a survey on Botnets and provides a brief account of the classifications, techniques and algorithms of Botnet detection and defense. In this survey, we provide a comparison of existing research. We present an overview of studies on Botnets and discuss them in detail, including topologies, architectures, communication protocols, infection mechanisms, attacks, purposes, prevention techniques, detection sources and data, detection techniques and algorithms, and response techniques.

Keywords—Network Security, Botnet, Botnet Classification, Botnet Detection, Botnet Defense, Survey.

I. INTRODUCTION

Malware is a key tool for digital crime and imposes serious threats on modern society. Among the various forms of malware, Botnets have become an important threat on the Internet. The Botnet concept dates back to 1993, when the first Botnet, Eggdrop, was introduced [1]. A bot is an intelligent program that operates automatically as an agent for different goals. The term bot denotes a computer infected by malicious code, which often exploits software vulnerabilities on the computer to allow a malicious party to control it from a remote location [2]. A Botnet is a network of infected computers under the remote command and control of an operator called the Botmaster [3]. The main distinction between a Botnet and other types of malware is the existence of a Command-and-Control (C&C) organization.

Bots use different methods to infect systems. They usually look for vulnerable and unprotected machines to compromise, and then report back to the botmaster. Bots remain hidden until their botmaster instructs them to execute an attack or task [4].

The rest of the paper is organized as follows. Section 2 discusses previous surveys and introduces the goal of this article. In section 3, we analyze the Botnet phenomenon. Section 4 proposes a novel classification of Botnets. Section 5 analyzes the most relevant detection and defense papers. Finally, section 6 presents conclusions.

II. PREVIOUS SURVEYS

There are several surveys on Botnets. These surveys have mostly analyzed detection methods. Table 1 presents a novel comparison and summary of previous surveys; in this comparison, we show the details, advantage(s) and disadvantage(s) of each survey. The analysis of the surveys shows these limitations:

• The surveys use different taxonomies and terminologies. Each survey presents a taxonomy that differs from the taxonomies of the other surveys.

• Most surveys tend to focus on well-known articles rather than taking a comprehensive look, so they do not provide a correct comparison.

• Most surveys focus on a few features. They do not take a comprehensive look at the different dimensions of Botnets.

• There are no previous surveys on Botnet prevention and defense methods.

Although there are several surveys on Botnets, they usually do not include a complete review. The surveys use distinct taxonomies, which makes comparison difficult: one survey calls the honeypot a method and another calls it a technique [4, 5]. Most surveys focus on a few features and on well-known articles, and therefore do not reference enough papers to support a correct comparison. Our survey aims at knowing and understanding the Botnet phenomenon while eliminating these limitations.

978-1-4673-9345-4/15/$31.00 ©2015 IEEE

TABLE I. SURVEY COMPARISON

Survey: [5]. Advantage: This survey proposed a novel approach for Botnet detection. Disadvantage: It focuses on a single dimension, proposes an incomplete classification of Botnets, and references too few papers.

Survey: [6]. Advantage: It has a comprehensive look. Disadvantage: It references too few papers.

Survey: [7]. Advantage: It has a comprehensive look. Disadvantage: It does not study prevention and defense methods, and references too few papers.

Survey: [8]. Advantage: This survey proposed a novel approach. Disadvantage: It references too few papers.

Survey: [9]. Advantage: It has a comprehensive look. Disadvantage: It references too few papers.

Survey: [10]. Advantage: This survey has a comprehensive look and proposed a novel approach. Disadvantage: It does not reference enough papers and proposes an incomplete classification of Botnets.

Survey: [4]. Advantage: This survey proposed a novel approach. Disadvantage: It does not reference enough papers and lacks a comprehensive look; it proposes an incomplete classification of Botnets.

Survey: [11]. Advantage: This survey proposed a novel approach. Disadvantage: It does not have a comprehensive look.

Survey: [12]. Advantage: This survey proposed a novel approach to the architecture of Botnets. Disadvantage: It proposes an incomplete classification of Botnets.

Survey: [13]. Advantage: This survey compared previous surveys and proposed a novel approach to Botnet detection. Disadvantage: It references too few papers and does not have a comprehensive look.

Survey: [14]. Advantage: This survey has a comprehensive look, proposed a novel approach, and references many papers. Disadvantage: It uses unusual taxonomy and terminology.

Survey: [1]. Advantage: This survey has a comprehensive look, proposed a novel approach, references many papers, and compares the papers. Disadvantage: It uses unusual taxonomy and terminology.

III. BOTNET

The term bot refers to an intelligent software application that runs via worms, Trojans or other malicious code to perform a group of cyber operations over the Internet [15]. A large number of bots form a connected group called a Botnet. Botnets act under the remote control of a human operator called the Botmaster. Ref. [16] presented the process of codifying the capabilities of malware by dissecting four widely-used IRC Botnet codebases: AgoBot, SDBot, SpyBot and GTBot. Ref. [17] identified key metrics to measure the utility of Botnet structures for various activities (e.g., spam, DDoS).

Botmasters can use several mechanisms to hinder Botnet detection: cryptography [18], obfuscated malicious code [19], and fast-flux and domain-flux [20]. Fig. 1 shows a new and universal view of the Botnet phenomenon that covers previous surveys. We studied previous surveys and propose a new taxonomy of Botnets.

Fig. 1. A new taxonomy on Botnet


IV. CLASSIFICATION

In this paper, we classify research and studies on the Botnet phenomenon by topology, architecture, communication protocol, infection mechanism, purpose and attack.

A. Architecture

A command and control architecture is the structure through which commands are issued to a Botnet and reports are received back from the co-opted computers. Botnet C&C architecture usually takes one of three forms: centralized, peer-to-peer (P2P), and unstructured. Botnets have traditionally relied on a centralized C&C communication organization [21]. In a P2P network, any node acts as both a client and a server [22]. Peer-to-peer and unstructured networks are much harder to disrupt than centralized networks. However, they are more complex, and there are typically no guarantees on message delivery or latency [7].

B. Topology

The network structure organized for Botnet communication is called the Botnet topology. Botnet topologies can be classified into four types: star, multiple-server, hierarchical and random [12]. The star structure depends upon a central agent to communicate with all bots. The hierarchical structure is the most popular structure used for Botnets on the Internet [23]. The botmaster launches an attack by posting a command to the command and control server, which then broadcasts the command to all bots. The master represents the core of all operations: it can hold multiple server connections and has the ability to enable and disable servers and clients. In the multiple-server topology, the botmaster sends commands to bot clients through several servers [24]. Random Botnets do not have a command and control server [25].

C. Communication Protocol

Botnets are commonly classified according to their communication protocol into IRC, HTTP, P2P and DNS [10]. Internet chat is real-time communication via text in virtual spaces called chatrooms or channels [26]. Centralized Botnets usually employ the IRC protocol. Bots in HTTP Botnets query a designated web server for new commands every couple of seconds [27]. Some Botnets use the DNS protocol as a communication channel [28]. Attackers apply P2P topologies to avoid a centralized infrastructure [29].

D. Infection Mechanism

Ref. [6] classified the methods used to distribute a particular bot into web download, mail attachment and automatic propagation. Email attachment is a download-based method. Social engineering is used for the propagation of malicious programs [30]. Automatic bots scan, exploit and compromise machines to distribute themselves [31].

E. Purpose

Botnets are used for information collection, distributed computing, service disruption, fraud, add-ons and spreading. The Botmaster uses Botnets to steal information [32] such as banking details, and for complex calculations such as finding the largest prime number [5]. Botnets try to have a negative impact on service readiness and continuity [33]. Botnets steal people's identities through fraud (e.g., fraudulent ads that lead to phishing attacks) [34]. Some bots enhance a software application (e.g., a legitimate add-on for Mozilla Firefox) and usually cannot run independently. Botnets are also used to spread new bots. For example, Zeus, one of the most popular Botnets, which is based on the HTTP protocol, is considered the most widely spreading Botnet on the Internet: 3.6 million PCs are said to be infected in the US alone [35].

F. Attacks

We classify Botnet attacks into phishing, DDoS, click fraud, spam, identity theft, information leakage, scareware, traffic sniffing and keylogging. In a phishing attack, attackers use social engineering to reach their goals; they exploit human vulnerabilities. Ref. [36] described four popular DDoS bots, namely Agobot, SDBot, RBot and Spybot. Ref. [37] presented a survey on DDoS attacks and the techniques proposed for defense. Ref. [38] presented a survey of defense methods against DDoS flooding attacks. Click fraud schemes aim to produce clicks for financial gain; one of the more insidious methods is to create bogus conversions to give the appearance that traffic is valuable [39]. The spam receiver is the victim who receives a large number of spam mails; Symantec has reported that 85% of spam comes from Botnets [40]. Zeus is a major Botnet that focuses on identity theft [41]. Information leakage occurs when a system that is designed to be closed to an eavesdropper nevertheless discloses some information to unauthorized parties [42]. Scareware displays fraudulent software that is usually disguised as security software such as an anti-malware application [43]. Bots are able to sniff the data transmitted by the victim over the network; this data can be text, voice messages, images or even video, and the attacker uses it to learn the victim's habits or to gather private information for further social engineering attacks [44]. SpyEye is an HTTP-based Botnet with keylogging capability [45]: this service collects all the keys pressed by the user on the keyboard.

V. DEFENSE

A. Prevention

Prevention limits the impact of Botnet attacks, e.g. by quarantining the victims [46]. There are generally three approaches to prevention: vulnerability management, endpoint security and intrusion prevention systems (IPS). A vulnerability is a software, hardware, or process weakness that can create a backdoor for an attacker to enter a machine or network and gain unauthorized access to resources within the environment [47]. Vulnerability management is the cyclical practice of identifying, classifying, and mitigating vulnerabilities. The biggest threats are insider threats. Endpoint security works by extending control and security policies to the various network devices [48]. Lee and Chiang believe that the Snort intrusion detection and prevention system can be used to prevent IRC Botnets [49].


B. Detection

In this section, we discuss the sources and mechanisms of Botnet detection. Botnet detection mechanisms are proposed based on different characteristics of the network traffic.

a) Source: We classify Botnet detection sources into real network, virtual network and honeypot traffic. A real network monitor is a professional solution for monitoring traffic with all its information and statistics. Virtual networks are controlled networks in which Botnets are installed manually [13]. A honeypot is an environment created purposely to reveal attacks and their goals [4].

b) Data: According to [7], the prevalent data types are DNS data, NetFlow data, packet tap data, honeypot data and host data. We use a different categorization of Botnet detection data. Payload-based approaches usually look for similar groups among network packet payloads [50]. Security log analyzers allow organizations to analyze a massive number of system, network, and transaction logs [51]. DNS is a query and response protocol that answers each query with the corresponding pre-defined resource record; the simple but robust architecture of DNS attracts Botnets to abuse the system for different malicious activities [52]. Honeypot data allows administrators to detect Botnet activity [21]. A flow is defined as a set of IP packets passing from one part of the network to another during a certain time interval [53]. A darknet is an IP space that contains no active hosts and therefore no legitimate traffic; any traffic that does find its way in is due to either misconfiguration or attack.

c) Technique: We classify Botnet detection techniques into honeypot, signature and anomaly. The honeypot technique is used to explore Botnets and their goals, which creates a full understanding of bot behavior [4]. A signature-based Botnet detection technique offers no protection against a new bot before its patterns or signatures are identified [54]. The main advantage of anomaly detection is that it is good at discovering new infections [55], but it will never raise an alarm if the malicious activity looks like normal traffic.

Anomaly-based detection techniques are divided into data mining, behavioral analysis, DNS and statistical approaches. Ref. [56] used a method based on data mining to detect Botnets. Ref. [57] proposed a novel method for tracking and detecting Botnets using network traffic behavior. Ref. [58] presented several features of DNS traffic for detecting Botnets. Ref. [59] identified Botnets using anomaly detection techniques applied to DNS traffic. Ref. [60] developed a mechanism for detecting domain flux (DF) in DNS traffic by searching for patterns inherent to domain names that are generated algorithmically. Ref. [61] presented a negative reputation system that considers the history of both suspicious group activities and suspicious failures in DNS traffic. Statistical approaches are mostly based on modeling data by its statistical properties and using this information to estimate whether a test sample is a bot or not [62].

d) Algorithm: We classify Botnet detection algorithms into clustering, heuristic rules, fuzzy, pattern recognition, correlation, statistics and machine learning. A clustering algorithm arranges a massive amount of network traffic by learning inherent patterns without requiring labels to train the algorithm [63]. Two approaches that detect Botnets using clustering were proposed in [64] and [65]. In a decision tree, the paths from root to leaf represent classification rules; approaches that detect Botnets using decision trees were proposed in [66] and [67]. Ref. [68] proposed heuristic algorithms for detecting malware produced by Botnet coordinated attacks. The main advantage of heuristic algorithms is that they extract solutions from multiple angles without requiring prior knowledge about system behavior [69]. A fuzzy-logic-based Botnet detection system was proposed in [70]; it derives a set of rational rules from well-known Botnet specifications. Ref. [71] proposed a general detection method that currently concentrates on IRC-based and P2P-based Botnets, using similar communication and malicious activity patterns within the same Botnet. Correlation improves reliability, sensitivity, and abstraction: it develops specific patterns for detecting the known and detectable, and non-specific patterns for detecting the unknown and undetectable. Statistical methods collect, summarize, analyze, and interpret variable numerical data [72]. Ref. [73] introduced a flow-based detection system that relies on supervised machine learning to identify Botnet network traffic. Machine learning studies pattern recognition and computational learning theory in artificial intelligence, exploring the construction and study of algorithms that can learn from and make predictions on data [74].
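Refs. [60] and [61] above rely on two complementary DNS-side signals: lexical patterns of algorithmically generated names, and a per-client history of failed resolutions. The following Python example is added here and is not code from the paper or from any of the cited systems; it applies both signals to constructed DNS log lines. The thresholds (entropy above 3.0 bits, digit ratio above 0.2, vowel ratio below 0.2, a non-vowel run of at least 4 characters, three NXDOMAIN responses or two generated-looking names per client) and the single-label TLD assumption are illustrative choices, not values from the paper.

```python
import math
from collections import defaultdict

# Constructed DNS log lines (not from the paper): "client queried_name response_code".
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3j9qz0fwv2.com NXDOMAIN
10.0.0.7 b7q2mzxw9kdl.net NXDOMAIN
10.0.0.7 qzv8w1kxpm3j.org NXDOMAIN
10.0.0.7 n4hgt2xqvz7r.com NOERROR
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 github.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Entropy of the string in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(name):
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Assumption: single-label TLDs only (no public-suffix list handling)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(label):
    """Features that separate human-chosen labels from generated ones."""
    n = len(label)
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in VOWELS for ch in label)
    longest_run, run = 0, 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return {
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / n,
        "vowel_ratio": vowels / n,
        "longest_nonvowel_run": longest_run,
    }


def looks_generated(name):
    """Score the registered label; two or more hits marks it as generated (assumed thresholds)."""
    f = lexical_features(registered_label(name))
    score = (
        (f["entropy"] > 3.0)
        + (f["digit_ratio"] > 0.2)
        + (f["vowel_ratio"] < 0.2)
        + (f["longest_nonvowel_run"] >= 4)
    )
    return score >= 2


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, name, rcode = line.split()
        records.append((client, name, rcode))
    return records


def client_report(records):
    """Per-client counts of queries, NXDOMAIN failures and generated-looking names."""
    report = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "generated": 0})
    for client, name, rcode in records:
        entry = report[client]
        entry["queries"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        if looks_generated(name):
            entry["generated"] += 1
    return dict(report)


def suspicious_clients(records, nx_threshold=3, generated_threshold=2):
    """Clients whose failure history or name patterns exceed the (assumed) thresholds."""
    report = client_report(records)
    return sorted(c for c, e in report.items()
                  if e["nxdomain"] >= nx_threshold or e["generated"] >= generated_threshold)


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    for client, entry in sorted(client_report(recs).items()):
        print(client, entry)
    print("suspicious:", suspicious_clients(recs))
```

Neither signal is sufficient alone: long legitimate labels such as "stackoverflow" exceed the entropy bound, and a misconfigured resolver produces NXDOMAIN bursts, so the client-level decision combines both and the thresholds should be tuned against the local baseline before use.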
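The flow and darknet data described under b) Data, together with the HTTP polling behavior described in Section IV.C (bots querying a designated web server every couple of seconds), can be turned into a simple flow-based detector. The following Python example is added here and is not code from the paper or from any cited system. It runs over constructed NetFlow-style records; the darknet prefix 10.99.0.0/16, the minimum of five flows per connection and the 10% bound on interval jitter are illustrative assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (not from the paper):
# "start_time_seconds src_ip dst_ip dst_port bytes"
FLOWS = """\
0   10.0.0.7 203.0.113.10 80  312
5   10.0.0.7 203.0.113.10 80  318
10  10.0.0.7 203.0.113.10 80  305
15  10.0.0.7 203.0.113.10 80  310
20  10.0.0.7 203.0.113.10 80  320
25  10.0.0.7 203.0.113.10 80  311
2   10.0.0.5 198.51.100.20 443 8120
9   10.0.0.5 198.51.100.20 443 540
31  10.0.0.5 198.51.100.20 443 22000
40  10.0.0.5 198.51.100.20 443 910
95  10.0.0.5 198.51.100.20 443 4400
12  10.0.0.8 10.99.3.4 445 60
13  10.0.0.8 10.99.3.5 445 60
14  10.0.0.8 10.99.3.6 445 60
"""

# Unused address block monitored as a darknet (assumption for this example).
DARKNET = ipaddress.ip_network("10.99.0.0/16")


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(port), "bytes": int(nbytes)})
    return flows


def find_beacons(flows, min_flows=5, max_cv=0.10):
    """Return (src, dst, dport, mean_interval) for connections whose inter-flow
    intervals are nearly constant (coefficient of variation below max_cv),
    i.e. fixed-period polling of a single server."""
    by_conn = defaultdict(list)
    for f in flows:
        by_conn[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for conn, times in by_conn.items():
        if len(times) < min_flows:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv < max_cv:
            beacons.append((conn[0], conn[1], conn[2], mean))
    return sorted(beacons)


def darknet_contacts(flows, darknet=DARKNET):
    """Map each source that touched the darknet to the addresses it contacted."""
    hits = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in darknet:
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for b in find_beacons(flows):
        print("periodic polling: %s -> %s:%d every %.1fs" % b)
    for src, dsts in darknet_contacts(flows).items():
        print("darknet contact from %s: %s" % (src, ", ".join(dsts)))
```

The periodicity check is the weaker of the two signals, because bots can randomize their polling interval and legitimate software (update checks, monitoring agents) also polls on a schedule; the coefficient-of-variation bound is the knob to tune. A contact with darknet space is a much higher-precision signal, since, as the text notes, nothing legitimate lives there.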

C. Response

In general, there are two basic reactions against Botnets: quarantining and null routing. Quarantine is used to separate and restrict the movement of a computer; it is a state of enforced isolation. Ref. [75] proposed a method that quarantines suspicious data for a period of time in order to estimate whether the data is associated with malware. A null route is a path to nowhere in the network: matching packets are dropped rather than forwarded. Null routing operates like a very limited firewall.

VI. CONCLUSION

Although security is a relative matter, it is an inseparable part of the communications field. Kaspersky Lab claims to detect 315,000 new malicious files every day. According to the Emerging Cyber Threats Report 2014, one of the top vulnerabilities in the network security scope is Botnet detection [76]. In this paper, we have analyzed previous surveys and compared their advantage(s) and disadvantage(s), and we have addressed their limitations. We have given an overview of research on Botnets and discussed the Botnet phenomenon in detail, including topologies, architectures, communication protocols, infection mechanisms, attacks and their purposes, prevention techniques, detection sources and data, detection techniques and algorithms, and response techniques.


REFERENCES

[1] A. Karim, R.B. Salleh, M. Shiraz, S.A.A. Shah, I. Awan, and N.B. Anuar, "Botnet detection techniques: review, future trends and issues," Journal of Zhejiang University-SCIENCE C, vol. 15, no. 11, pp. 943-983, 2014.
[2] R. Borgaonkar, "An analysis of the asprox Botnet," In Proceedings of the 4th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), IEEE, pp. 148-153, 2010.
[3] M.A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the Botnet phenomenon," In Proceedings of the 6th International Conference on Internet Measurement, ACM, pp. 41-52, 2006.
[4] H.R. Zeidanloo, M.J.Z. Shooshtari, P.V. Amoli, M. Safari, and M. Zamani, "A taxonomy of Botnet detection techniques," In Proceedings of the 3rd International Conference on Computer Science and Information Technology (ICCSIT), IEEE, vol. 2, pp. 158-162, 2010.
[5] M. Feily, A. Shahrestani, and S. Ramadass, "A survey of Botnet and Botnet detection," In Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), IEEE, pp. 268-273, 2009.
[6] C. Li, W. Jiang, and X. Zou, "Botnet: Survey and case study," In Proceedings of the 4th International Conference on Innovative Computing, Information and Control (ICICIC), IEEE, pp. 1184-1187, 2009.
[7] M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir, "A survey of Botnet technology and defenses," In Proceedings of the Cybersecurity Applications & Technology Conference For Homeland Security (CATCH), IEEE, pp. 299-304, 2009.
[8] S. Liu, J. Gong, W. Yang, and A. Jakalan, "A survey of Botnet size measurement," In Proceedings of the 2nd International Conference on Networking and Distributed Computing (ICNDC), IEEE, pp. 36-40, 2011.
[9] L. Jing, X. Yang, G. Kaveh, D. Hongmei, and Z. Jingyuan, "Botnet: classification, attacks, detection, tracing, and preventive measures," In Proceedings of the 4th International Conference on Innovative Computing, Information and Control, IEEE Computer Society, pp. 1184-1187, 2009.
[10] Z. Zhu, G. Lu, Y. Chen, Z. Fu, P. Roberts, and K. Han, "Botnet research survey," In Proceedings of the 32nd Annual International Computer Software and Applications Conference (COMPSAC), IEEE, pp. 967-972, 2008.
[11] L. Zhang, S. Yu, D. Wu, and P. Watters, "A survey on latest Botnet attack and defense," In Proceedings of the 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE, pp. 53-60, 2011.
[12] C.Y. Liu, C.H. Peng, and I.C. Lin, "A Survey of Botnet Architecture and Botnet Detection Techniques," International Journal of Network Security, vol. 16, no. 2, pp. 81-89, 2014.
[13] S. García, A. Zunino, and M. Campo, "Survey on network-based Botnet detection methods," Security and Communication Networks, vol. 7, no. 5, pp. 878-903, 2014.
[14] S. Khattak, N.R. Ramay, K.R. Khan, A.A. Syed, and S.A. Khayam, "A Taxonomy of Botnet Behavior, Detection, and Defense," IEEE Communications Surveys & Tutorials, vol. PP, issue 99, pp. 1-27, 2013.
[15] E. Alomari, S. Manickam, B.B. Gupta, S. Karuppayah, and R. Alfaris, "Botnet-based distributed denial of service (DDoS) attacks on web servers: classification and art," International Journal of Computer Applications, vol. 49, no. 7, pp. 24-32, 2012.
[16] P. Barford, and V. Yegneswaran, "An inside look at Botnets," Malware Detection, Springer US, pp. 171-191, 2007.
[17] D. Dagon, G. Gu, C.P. Lee, and W. Lee, "A taxonomy of Botnet structures," In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), IEEE, pp. 325-339, 2007.
[18] J.P. Chapman, E. Gerhards-Padilla, and F. Govaers, "Network traffic characteristics for detecting future Botnets," In Proceedings of the Communications and Information Systems Conference (MCC), IEEE, pp. 1-10, 2012.
[19] M. Rataj, "Simulation of Botnet C&C Channels," Ph.D. Dissertation, Faculty of Electrical Engineering, Department of Computer Science and Engineering, Czech Technical University in Prague, 2014.
[20] E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi, "Fluxor: Detecting and monitoring fast-flux service networks," Detection of Intrusions and Malware, and Vulnerability Assessment, Springer Berlin Heidelberg, pp. 186-206, 2008.
[21] B. Shirley, and C.D. Mano, "Sub-Botnet coordination using tokens in a switched network," In Proceedings of the Global Telecommunications Conference (GLOBECOM), IEEE, pp. 1-5, 2008.
[22] J.B. Grizzard, V. Sharma, C. Nunnery, B.B.H. Kang, and D. Dagon, "Peer-to-peer Botnets: Overview and case study," In Proceedings of the First Workshop on Hot Topics in Understanding Botnets, 2007.
[23] C.C. Zou, and R. Cunningham, "Honeypot-aware advanced Botnet construction and maintenance," In Proceedings of the International Conference on Dependable Systems and Networks (DSN), IEEE, pp. 199-208, 2006.
[24] P. Sinha, A. Boukhtouta, V.H. Belarde, and M. Debbabi, "Insights from the Analysis of the Mariposa Botnet," In Proceedings of the 5th International Conference on Risks and Security of Internet and Systems (CRiSIS), IEEE, pp. 1-9, 2010.
[25] C.C. Zou, and R. Cunningham, "Honeypot-aware advanced Botnet construction and maintenance," In Proceedings of the International Conference on Dependable Systems and Networks (DSN), IEEE, pp. 199-208, 2006.
[26] S. Gianvecchio, M. Xie, Z. Wu, and H. Wang, "Humans and bots in internet chat: measurement, analysis, and automated classification," IEEE/ACM Transactions on Networking (TON), vol. 19, no. 5, pp. 1557-1571, 2011.
[27] P. Jaikumar, and A.C. Kak, "A graph-theoretic framework for isolating Botnets in a network," Security and Communication Networks, 2012.
[28] C.J. Dietrich, C. Rossow, F.C. Freiling, H. Bos, M. van Steen, and N. Pohlmann, "On Botnets that use DNS for Command and Control," In Proceedings of the 7th European Conference on Computer Network Defense, IEEE, pp. 9-16, 2011.
[29] S.K. Noh, J.H. Oh, J.S. Lee, B.N. Noh, and H.C. Jeong, "Detecting P2P Botnets using a multi-phased flow model," In Proceedings of the 3rd International Conference on Digital Society (ICDS), IEEE, pp. 247-253, 2009.
[30] S. Abraham, and I. Chengalur-Smith, "An overview of social engineering malware: Trends, tactics, and implications," Technology in Society, vol. 32, no. 3, pp. 183-196, 2010.
[31] D. Geer, "Malicious bots threaten network security," Computer, IEEE Computer Society, vol. 38, no. 1, pp. 18-20, 2005.
[32] W. Lin, and D. Lee, "Traceback Attacks in Cloud--Pebbletrace Botnet," In Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW), IEEE, pp. 417-426, 2012.
[33] V. Zlomislic, K. Fertalj, and V. Sruk, "Denial of service attacks: An overview," In Proceedings of the 9th Iberian Conference on Information Systems and Technologies (CISTI), IEEE, pp. 1-6, 2014.
[34] N. Vratonjic, M.H. Manshaei, M. Raya, and J.P. Hubaux, "ISPs and ad networks against Botnet ad fraud," Decision and Game Theory for Security, Springer Berlin Heidelberg, pp. 149-167, 2010.
[35] T. Cai, and F. Zou, "Detecting HTTP Botnet with clustering network traffic," In Proceedings of the 8th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM), IEEE, pp. 1-7, 2012.
[36] V.L. Thing, M. Sloman, and N. Dulay, "A survey of bots used for distributed denial of service attacks," New Approaches for Security, Privacy and Trust in Complex Environments, Springer US, pp. 229-240, 2007.
[37] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys (CSUR), vol. 39, no. 1, 2007.
[38] S.T. Zargar, J. Joshi, and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks," IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046-2069, 2013.
[39] B. Kitts, J.Y. Zhang, G. Wu, and R. Mahato, "Click fraud Botnet detection by calculating mix adjusted traffic value: A method for de-cloaking click fraud attacks that is resistant to spoofing," In Proceedings of the International Conference on Intelligence and Security Informatics (ISI), IEEE, pp. 151-153, 2013.
[40] H.S. Nair, and S.E.V. Ewards, "A Study on Botnet Detection Techniques," International Journal of Scientific and Research Publications, vol. 2, no. 4, 2012.
[41] K. Hannah, and S. Gianvecchio, "Zeuslite: a tool for Botnet analysis in the classroom," Journal of Computing Sciences in Colleges, vol. 30, no. 3, pp. 109-116, 2015.
[42] K. Roebuck, "Electronic Signature: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors," Emereo Publishing, 2012.
[43] R.K. Shahzad, and N. Lavesson, "Detecting scareware by mining variable length instruction sequences," In Proceedings of the Information Security South Africa (ISSA) conference, IEEE, pp. 1-8, 2011.
[44] A. Sadeghian, and M. Zamani, "Detecting and preventing DDoS attacks in Botnets by the help of self triggered black holes," In Proceedings of the Asia-Pacific Conference on Computer Aided System Engineering (APCASE), IEEE, pp. 38-42, 2014.
[45] U. Wijesinghe, U. Tupakula, and V. Varadharajan, "An Enhanced Model for Network Flow Based Botnet Detection," In Proceedings of the 38th Australasian Computer Science Conference (ACSC), vol. 27, p. 30, pp. 101-110, 2015.
[46] J. Kok, and B. Kurz, "Analysis of the Botnet ecosystem," In Proceedings of the 10th Conference of Telecommunication, Media and Internet Techno-Economics (CTTE), IEEE, pp. 1-10, 2011.
[47] K. Dahbur, B. Mohammad, and A.B. Tarakji, "A survey of risks, threats and vulnerabilities in cloud computing," In Proceedings of the International Conference on Intelligent Semantic Web-Services and Applications, ACM, p. 12, 2011.
[48] J. Clark, S. Leblanc, and S. Knight, "Compromise through USB-based hardware trojan horse device," Future Generation Computer Systems, vol. 27, no. 5, pp. 555-563, 2011.
[49] N.Y. Lee, and H.J. Chiang, "The research of Botnet detection and prevention," In Proceedings of the International Computer Symposium (ICS), IEEE, pp. 119-124, 2010.
[50] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and E. Kirda, "Automatically generating models for Botnet detection," Computer Security - ESORICS 2009, Springer Berlin Heidelberg, pp. 232-249, 2009.
[51] X. Shu, J. Smiy, D. Yao, and H. Lin, "Massive distributed and parallel log analysis for organizational security," In Proceedings of the Globecom Workshops (GC Wkshps), IEEE, pp. 194-199, 2013.
[52] H. Binsalleeh, M. Mannan, A. Youssef, and M. Debbabi, "Detection of malicious payload distribution channels in DNS," In Proceedings of the International Conference on Communications (ICC), IEEE, pp. 853-858, 2014.
[53] R. Hofstede, P. Celeda, B. Trammell, I. Drago, R. Sadre, A. Sperotto, and A. Pras, "Flow monitoring explained: from packet capture to data analysis with NetFlow and IPFIX," IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 2037-2064, 2014.
[54] K. Wang, C.Y. Huang, L.Y. Tsai, and Y.D. Lin, "Behavior-based Botnet detection in parallel," Security and Communication Networks, vol. 7, no. 11, pp. 1849-1859, 2014.
[55] G. Fedynyshyn, M.C. Chuah, and G. Tan, "Detection and classification of different botnet C&C channels," Autonomic and Trusted Computing, Springer Berlin Heidelberg, pp. 228-242, 2011.
[56] P. Amini, R. Azmi, and M.A. Araghizadeh, "Botnet Detection using NetFlow and Clustering," Advances in Computer Science: an International Journal, vol. 3, no. 2, pp. 139-149, 2014.
[57] S. Saad, I. Traore, A. Ghorbani, B. Sayed, D. Zhao, W. Lu, J. Felix, and P. Hakimian, "Detecting P2P Botnets through network behavior analysis and machine learning," In Proceedings of the 9th Annual International Conference on Privacy, Security and Trust (PST), IEEE, pp. 174-180, 2011.
[58] H. Choi, H. Lee, H. Lee, and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," In Proceedings of the 7th International Conference on Computer and Information Technology (CIT), IEEE, pp. 715-720, 2007.
[59] R. Villamarín-Salomón, and J.C. Brustoloni, "Identifying Botnets using anomaly detection techniques applied to DNS traffic," In Proceedings of the 5th Consumer Communications and Networking Conference (CCNC), IEEE, pp. 476-481, 2008.
[60] S. Yadav, A.K.K. Reddy, A.L. Reddy, and S. Ranjan, "Detecting algorithmically generated malicious domain names," In Proceedings of the 10th Conference on Internet Measurement, ACM SIGCOMM, pp. 48-61, 2010.
[61] R. Sharifnya, and M. Abadi, "DFBotKiller: Domain-flux Botnet detection based on the history of group activities and failures in DNS traffic," Digital Investigation, vol. 12, pp. 15-26, 2015.
[62] J. Zhang, R. Perdisci, W. Lee, U. Sarfraz, and X. Luo, "Detecting stealthy P2P Botnets using statistical traffic fingerprints," In Proceedings of the 41st International Conference on Dependable Systems & Networks (DSN), IEEE/IFIP, pp. 121-132, 2011.
[63] V.C. Estrada, and A. Nakao, "A survey on the use of traffic traces to battle internet threats," In Proceedings of the 3rd International Conference on Knowledge Discovery and Data Mining (WKDD), IEEE, pp. 601-604, 2010.
[64] C.J. Dietrich, C. Rossow, and N. Pohlmann, "CoCoSpot: Clustering and recognizing Botnet command and control channels using traffic analysis," Computer Networks, vol. 57, no. 2, pp. 475-486, 2013.
[65] G. Cherubin, I. Nouretdinov, A. Gammerman, R. Jordaney, Z. Wang, D. Papini, and L. Cavallaro, "Conformal Clustering and Its Application to Botnet Traffic," Statistical Learning and Data Sciences, Springer International Publishing, pp. 313-322, 2015.
[66] W.T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, "Detecting Botnets with tight command and control," In Proceedings of the 31st Conference on Local Computer Networks, IEEE, pp. 195-202, 2006.
[67] W.H. Liao, and C.C. Chang, "Peer to peer Botnet detection using data mining scheme," In Proceedings of the International Conference on Internet Technology and Applications, IEEE, pp. 1-4, 2010.
[68] K. Kuwabara, H. Kikuchi, M. Terada, and M. Fujiwara, "Heuristics for detecting Botnet coordinated attacks," In Proceedings of the International Conference on Availability, Reliability, and Security, IEEE, pp. 603-607, 2010.
[69] I.A. Saeed, A. Selamat, A.M. Abuagoub, and S.B. Abdulaziz, "A Survey on Malware and Malware Detection Systems," International Journal of Computer Applications, vol. 67, no. 16, pp. 25-31, 2013.
[70] B. Al-Duwairi, and L. Al-Ebbini, "BotDigger: a fuzzy inference system for Botnet detection," In Proceedings of the Fifth International Conference on Internet Monitoring and Protection (ICIMP), IEEE, pp. 16-21, 2010.
[71] H.R. Zeidanloo, and A.B.A. Manaf, "Botnet detection by monitoring similar communication patterns," International Journal of Computer Science and Information Security, vol. 7, no. 3, pp. 36-45, 2010.
[72] G. Gu, J. Zhang, and W. Lee, "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic," In Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.
[73] M. Stevanovic, and J.M. Pedersen, "An efficient flow-based Botnet detection using supervised machine learning," In Proceedings of the International Conference on Computing, Networking and Communications (ICNC), IEEE, pp. 797-801, 2014.
[74] E.B. Beigi, H.H. Jazi, N. Stakhanova, and A.A. Ghorbani, "Towards effective feature selection in machine learning-based Botnet detection approaches," In Proceedings of the Conference on Communications and Network Security (CNS), IEEE, pp. 247-255, 2014.
[75] M.G. Bishop, R.J. Tiddy, I. Muttik, A.J. Hinchliffe, and C.C. Williams, "Dynamic quarantining for malware detection," U.S. Patent 8,914,886, 2014.
[76] D. Plohmann, and E. Gerhards-Padilla, "Case study of the miner Botnet," In Proceedings of the 4th International Conference on Cyber Conflict (CYCON), IEEE, pp. 1-16, 2012.
