BotRevealer: Behavioral Detection of Botnets based on Botnet Life-cycle



Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran


Nowadays, botnets are considered as essential tools for planning serious cyber attacks. Botnets are used to perform various malicious activities such as DDoS attacks and sending spam emails. Different approaches are presented to detect botnets; however most of them may be ineffective when there are only a few infected hosts in monitored network, as they rely on similarity in bots activities to detect the botnet. In this paper, we present a host-based method that can detect individual bot-infected hosts. This approach is based on botnet life-cycle, which includes common symptoms of almost all types of botnet despite their differences. We analyze network activities of each process running on the host and propose some heuristics to distinguish behavioral patterns of bot process from legitimate ones based on statistical features of packet sequences and evaluating an overall security risk for it. To show the effectiveness of the approach, a tool named BotRevealer has been implemented and evaluated using real botnets and several popular applications. The results show that in spite of diversity of botnets, BotRevealer can effectively detect the bot process among other active processes.


[1] W. Lee, C. Wang, and D. Dagon, Botnet detection: countering the largest security threat. Springer, 2008.
[2] J. Goebel and T. Holz, “Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation,” in First Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.
[3] G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, and M. Park, “BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation,” in Proceedings of the 16th USENIX Security Symposium (Security’07), 2007.
[4] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “Bot-Miner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection,” in Proceedings of the 17th USENIX Security Symposium (Security’08), 2008.
[5] M. Eslahi, M. Yousefi, M. V. Naseri, Y. Yussof, N. Tahir, and H. Hashim, “Cooperative Network Behaviour Analysis Model for Mobile Botnet Detection,” in IEEE Symposium on Computer Applications & Industrial Electronics (ISCAIE), 2016, pp.107–112.
[6] C. Dietz, A. Sperotto, G. Dreo, and A. Pras, “How to Achieve Early Botnet Detection at the Provider Level?,” in IFIP International Conference on Autonomous Infrastructure, Management and Security, 2016, pp. 142–146.
[7] R. Aryan, and H.R. Shahriari, “Botnet detection based on network behavioral and anomaly detection,” 18th National CSI Computer Conference, Iran (Islamic Republic of), 12-15 March 2013
[8] F. Giroire, J. Chandrashekar, N. Taft, E.Schooler, and D. Papagiannaki, “Exploiting Temporal Persistence to Detect Covert Botnet Channels,” in 12th International Symposium on Recent Advances in Intrusion Detection (RAID’09), Springer Berlin Heidelberg, 2009, pp. 326–345.
[9] G. Fedynyshyn, M. C. Chuah, and G. Tan, “Detection and Classification of Different Botnet C&C Channels,” in Autonomic and Trusted Computing, Springer Berlin Heidelberg, 2011, pp.228–242.

[10] L. Cavallaro, C. Kruegel, and G. Vigna, “Mining the Network Behavior of Bots,” Tech. Rep. 2009-12, Department of Computer Science, University of California at Santa Barbara (UCSB), CA, USA, 2009. .
[11] G. Kirubavathi and R. Anitha, “Botnet detection via mining of traffic flow characteristics,” Computers & Electrical Engineering, vol. 50, pp.91–101, 2016.
[12] R. A. Rodríguez-Gómez, G. Maciá-Fernández, and P. García-Teodoro, “Analysis of Botnets throuth Life-Cycle,” in Proceedings of International Conference on Security and Cryptography(SECRYPT), 2011, pp. 257–262.
[13] N. Hachem, Y. Ben Mustapha, G. G. Granadillo, and H. Debar, “Botnets: Lifecycle and Taxonomy,”in Conference on Network and Information Systems Security (SAR-SSI), IEEE, 2011,pp. 1–8.
[14] F. Naseem, U. Sabir, M. Shafqat, and A.Shahzad, “A Survey of Botnet Technology and Detection,” International Journal of Video & Image Processing and Network Security (IJVIPNSIJENS),vol. 10, no. 1, pp. 13–17, 2010.
[15] S. García, V. Uhlír, and M. Rehak, “Identifying and Modeling Botnet C & C Behaviors,” in In Proceedings of the 1st International Workshop on Agents and CyberSecurity, ACM, 2014.
[16] “CVUT Malware Capture Facility Project,”, [Accessed: 10- Oct-2016].
[17] R. S. Abdullah, M. F. Abdollah, Z. Azri, M.Noh, M. Zaki, and S. R. Selamat, “Revealing the Criterion on Botnet Detection Technique,” IJCSI International Journal of Computer Science, vol.10, no. 2, pp. 208–215, 2013.