Botdetection

Words: 12712

Pages: 51

Category: Science and Technology

Date Submitted: 03/02/2016 01:45 PM

BotMiner: Clustering Analysis of Network Traffic for

Protocol- and Structure-Independent Botnet Detection

Guofei Gu†, Roberto Perdisci‡, Junjie Zhang†, and Wenke Lee†

†College of Computing, Georgia Institute of Technology
‡Damballa, Inc. Atlanta, GA 30308, USA

{guofei,jjzhang,wenke}@cc.gatech.edu, perdisci@damballa.com

Abstract

Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
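The abstract describes the detection idea in three steps: cluster hosts with similar communication traffic, cluster hosts with similar malicious activity, and correlate the two sets of clusters to find hosts that fall into both. The following toy implementation, added here as an example and not taken from the paper or the BotMiner prototype, runs those three steps over constructed flow summaries and a constructed alert log. The feature vector (flows per hour, packets per flow, bytes per packet), the relative-difference similarity test, and the scoring rule (count of other hosts sharing both a communication cluster and an activity cluster) are simplifications chosen for this example, not the paper's exact features or formula.

```python
"""Added example: toy communication-plane / activity-plane clustering and
cross-plane correlation in the spirit of the BotMiner abstract. All data
below is constructed; features and scoring are simplified, not the paper's."""
from collections import defaultdict

# Constructed communication summaries: (internal host, destination, features).
# Features are (flows per hour, packets per flow, bytes per packet).
C_PLANE = [
    ("10.0.0.11", "203.0.113.5:6667/tcp", (12.0, 8.0, 90.0)),
    ("10.0.0.12", "203.0.113.5:6667/tcp", (11.0, 8.0, 92.0)),
    ("10.0.0.13", "203.0.113.5:6667/tcp", (13.0, 9.0, 88.0)),
    ("10.0.0.14", "203.0.113.5:6667/tcp", (12.5, 8.0, 91.0)),  # similar traffic, no alerts
    ("10.0.0.21", "198.51.100.7:443/tcp", (60.0, 20.0, 900.0)),
    ("10.0.0.22", "198.51.100.7:443/tcp", (3.0, 15.0, 700.0)),
    ("10.0.0.31", "198.51.100.9:80/tcp", (2.0, 10.0, 500.0)),
]

# Constructed activity-plane alert log, one "host=... type=..." record per line.
A_PLANE_LOG = """\
host=10.0.0.11 type=scan
host=10.0.0.12 type=scan
host=10.0.0.13 type=scan
host=10.0.0.21 type=scan
host=10.0.0.31 type=spam
"""


def similar(u, v, tol=0.25):
    """Two feature vectors are 'similar' when every feature differs by at most
    tol relative to the larger value. A crude stand-in for a real distance."""
    return all(abs(a - b) <= tol * max(a, b, 1e-9) for a, b in zip(u, v))


def cluster_c_plane(records, tol=0.25):
    """Group hosts by destination, then single-link hosts whose feature vectors
    are similar. Returns a list of host sets (C-clusters), singletons included."""
    by_dst = defaultdict(list)
    for host, dst, feats in records:
        by_dst[dst].append((host, feats))
    clusters = []
    for group in by_dst.values():
        unassigned = list(group)
        while unassigned:
            members = [unassigned.pop(0)]
            changed = True
            while changed:  # grow the cluster until no unassigned host is similar to a member
                changed = False
                for cand in list(unassigned):
                    if any(similar(cand[1], m[1], tol) for m in members):
                        members.append(cand)
                        unassigned.remove(cand)
                        changed = True
            clusters.append({h for h, _ in members})
    return clusters


def cluster_a_plane(log_text):
    """Group hosts by the type of malicious activity observed (A-clusters)."""
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "host" in fields and "type" in fields:
            clusters[fields["type"]].add(fields["host"])
    return list(clusters.values())


def botnet_scores(c_clusters, a_clusters):
    """Simplified cross-plane correlation: a host's score is the number of other
    hosts sharing at least one A-cluster AND at least one C-cluster with it.
    Only hosts that appear in some A-cluster are candidates."""
    c_of, a_of = defaultdict(set), defaultdict(set)
    for cid, members in enumerate(c_clusters):
        for h in members:
            c_of[h].add(cid)
    for aid, members in enumerate(a_clusters):
        for h in members:
            a_of[h].add(aid)
    return {
        h: sum(1 for o in a_of if o != h and a_of[h] & a_of[o] and c_of[h] & c_of[o])
        for h in a_of
    }


def detect_bots(c_records=C_PLANE, a_log=A_PLANE_LOG, min_score=1):
    """Return the sorted list of hosts whose correlation score reaches min_score."""
    scores = botnet_scores(cluster_c_plane(c_records), cluster_a_plane(a_log))
    return sorted(h for h, s in scores.items() if s >= min_score)


if __name__ == "__main__":
    print(detect_bots())  # ['10.0.0.11', '10.0.0.12', '10.0.0.13']
```

Two of the constructed hosts illustrate why both planes are needed: 10.0.0.21 scans but shares no communication cluster with any other scanning host, so it is not flagged (a lone scanner, not a coordinated group), and 10.0.0.14 has traffic indistinguishable from the flagged hosts but no observed malicious activity, so it is not a candidate either. Both behaviours follow from the abstract's requirement that a bot share both similar communication patterns and similar malicious activity with other hosts.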

1 Introduction

Botnets are becoming one of the most serious threats to...