DocumentCode :
35461
Title :
A Taxonomy of Botnet Behavior, Detection, and Defense
Author :
Khattak, Shahid ; Ramay, Naurin Rasheed ; Khan, Kaisar R. ; Syed, Affan A. ; Khayam, Syed Ali
Author_Institution :
Comput. Lab., Univ. of Cambridge, Cambridge, UK
Volume :
16
Issue :
2
fYear :
2014
fDate :
Second Quarter 2014
Firstpage :
898
Lastpage :
924
Abstract :
A number of detection and defense mechanisms have emerged in the last decade to tackle the botnet phenomenon. It is important to organize this knowledge to better understand the botnet problem and its solution space. In this paper, we structure existing botnet literature into three comprehensive taxonomies of botnet behavioral features, detection and defenses. This elevated view highlights opportunities for network defense by revealing shortcomings in existing approaches. We introduce the notion of a dimension to denote different criteria which can be used to classify botnet detection techniques. We demonstrate that classification by dimensions is particularly useful for evaluating botnet detection mechanisms through various metrics of interest. We also show how botnet behavioral features from the first taxonomy affect the accuracy of the detection approaches in the second taxonomy. This information can be used to devise integrated detection strategies by combining complementary approaches. To provide real-world context, we liberally augment our discussions with relevant examples from security research and products.
Keywords :
computer network security; invasive software; botnet behavior taxonomy; botnet detection technique; botnet phenomenon; complementary approach; integrated detection strategy; network defense mechanism; pattern classification; security; Electronic mail; IP networks; Malware; Protocols; Servers; Social network services; Taxonomy; C&C; DDoS; DNS flux; IP flux; bot; bot family; botmaster; botnet; complex event processing; cyberfraud; cyberwarfare; fast flux service network; spam; spambot; stepping-stone;
fLanguage :
English
Journal_Title :
Communications Surveys & Tutorials, IEEE
Publisher :
ieee
ISSN :
1553-877X
Type :
jour
DOI :
10.1109/SURV.2013.091213.00134
Filename :
6616686