BotOnus: an online unsupervised method for Botnet detection




Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods produce a number of good ideas, but they are far from complete yet, since most of them cannot detect botnets in an early stage of their lifecycle; moreover, they depend on a particular command and control (C&C) protocol. In this paper, we address these issues and propose an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets. It extracts a set of flow feature vectors from the network traffic at the end of each time period, and then groups them to some flow clusters by a novel online fixed-width clustering algorithm. Flow clusters that have at least two members, and their intra-cluster similarity is above a similarity threshold, are identified as suspicious botnet clusters, and all hosts in such clusters are identified as bot infected. We demonstrate the effectiveness of BotOnus to detect various botnets including HTTP-, IRC-, and P2P-based botnets using a testbed network. The results of experiments show that it can successfully detect various botnets with an average detection rate of 94.33% and an average false alarm rate of 3.74%.


[1] P. Wang, S. Sparks, and C. Zou, "An Advanced Hybrid Peer-to-Peer Botnet", IEEE Transactions on Dependable and Secure Computing, 7(2):113-127, 2010.

[2] Damballa Top 10 Botnet Threat Report - 2010,

[3] X. Li, H. Duan, W. Liu, and J. Wu, "Under- standing the Construction Mechanism of Botnets", in Proceedings of the 6th International Conference on Ubiquitous Intelligence and Computing, Brisbane, Australia, July 2009.

[4] M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon", in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeriro, Brazil, October 2006.

[5] B. Jansen,"Click Fraud", Computer, 40(7):85-86, 2007.

[6] W. Lu, G. Rammidi, and A. Ghorbani, "Clustering Botnet Communication Traffic Based on N-gram Feature Selection", Computer Communications, 34(3):502-514, 2011.

[7] C. Livadas, R. Walsh, D. Lapsley, and W. Strayer, "Using Machine Learning Techniques to Identify Botnet Traffic", in Proceedings of the 31st Annual IEEE Conference on Local Computer Networks, Florida, USA, November 2006.

[8] J. Goebel and T. Holz, "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", in Proceedings of 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, USA, April 2007.

[9] W. Wang, B. Fang, Z. Zhang, and C. Li, "A Novel Approach to Detect IRC-Based Botnets", in Proceedings of the International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, Hubei, China, April 2009.

[10] G. Gu, R. Perdisci, J. Zhang, and W. Lee, "Bot- Miner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", in Proceedings of the 17th USENIX Security Symposium, San Jose, CA, USA, July 2008.

[11] I. Castle and E. Buckley, "The Automatic Discovery, Identification and Measurement of Botnets", in Proceedings of the 2nd International Conference on Emerging Security Information, Systems and Technologies, Cap Esterel, France, August 2008.

[12] J. Lee, H. Jeong, J. Park, M. Kim, and B. Noh, "The Activity Analysis of Malicious HTTP- Based Botnets Using Degree of Periodic Repeatability", in Proceedings of the International Conference on Security Technology, Sanya, Hainan Island, China, December 2008.

[13] H. Choi, H. Lee, and H. Kim, "BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic", in Proceedings of the 4th International ICST Conference on Communication System Software and Middleware, Dublin, Ireland, June 2009.

[14] Y. Xiaocong, D. Xiaomei, Y. Ge, Q. Yuhai, and Y. Dejun, "Data-Adaptive Clustering Analysis for Online Botnet Detection", in Proceedings of the 3th IEEE International Joint Conference on Computational Science and Optimization, Anhui, China, May 2010.

[15] G. Gu, J. Zhang, and W. Lee, "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic", in Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, February 2008.

[16] Argus - Auditing Network Activity,

[17] Alexa - The Web Information Company,

[18] X1machine - Internet security and programming related blog,

[19] Hack Forums,

[20] G. Gu, V. Yegneswaran, P. Porras, J. Stoll, and W. Lee, "Active Botnet Probing to Identify Obscure Command and Control Channels", in Proceedings of the 25th Annual Computer Security Applications Conference, Honolulu, HI, USA, December 2009.