A Taxonomy of botnet behavior, detection, and defense

IEEE Communications Surveys and Tutorials

Volumn 16, Issue 2, 2014, Pages 898-924

  Khattak, Sheharbano ^a   Ramay, Naurin Rasheed ^b   Khan, Kamran Riaz ^b   Syed, Affan A ^b   Khayam, Syed Ali ^c  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

^b NATIONAL UNIVERSITY OF COMPUTER AND EMERGING SCIENCES   (Pakistan)

^c PLUMgrid Inc   (United States)

Author keywords

bot; bot family; botmaster; botnet; C C; complex event processing; cyberfraud; cyberwarfare; DDoS; DNS flux; fast flux service network; IP flux; spam; spambot; stepping stone

Indexed keywords

COMPLEX NETWORKS; INTERNET PROTOCOLS; NETWORK SECURITY;

BOT; BOT FAMILY; BOTMASTER; BOTNET; COMPLEX EVENT PROCESSING; CYBERFRAUD; CYBERWARFARE; DDOS; SERVICE NETWORK; SPAM; SPAMBOT; STEPPING STONE;

TAXONOMIES;

EID: 84901245716     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/SURV.2013.091213.00134     Document Type: Article

References (162)

1. D. Dagon, "Botnet Detection and Response-The network is the infection," Cooperative Association for Internet Data Analysis DNS-OARC Workshop, July, vol. 25, 2005.
2. T. Micro, "Taxonomy of botnet threats," Micro, pp. 1-15, November 2006. [Online]. Available: http://tinyurl.com/c7mlsjo
3. D. Dagon, G. Gu, C. P. Lee, and W. Lee, "A taxonomy of botnet structures," Twenty-Third Annual Computer Security Applications Conference ACSAC 2007, vol. 36, pp. 325-339, 2007. [Online]. Available: http://tinyurl.com/8kxuknw
4. J. Nazario, "Bot and botnet taxonomy," http://tinyurl.com/ 6bcthj, 2008, [Online; accessed 15-December-2011].
5. G. Ollmann, "Botnet Communication Topologies," 2009. [Online]. Available: http://tinyurl.com/8kosjv3
6. D. Plohmann, E. Gerhards-Padilla, and F. Leder, "Botnets: Detection, measurement, disinfection & defence," European Network and Information Security Agency, Tech. Rep., 2011.
7. P. Porras, H. Sadi, V. Yegneswaran, P. Porras, H. Sadi, and V. Yeg-neswaran, "A multi-perspective analysis of the storm (peacomm) worm. available at: http://www.cyber-ta.org/pubs/stormworm/report," 2007.
8. P. Wang, S. Sparks, and C. C. Zou, "An advanced hybrid peer-to-peer botnet," in Proc. first conference on First Workshop on Hot Topics in Understanding Botnets. Berkeley, CA, USA: USENIX Association, 2007, pp. 2-2. [Online]. Available: http://dl.acm.org/citation.cfm?id=1323128.1323130
9. A. Dainotti, A. King, k. Claffy, F. Papale, and A. Pescapè, "Analysis of a "/0" stealth scan from a botnet," in Proc. 2012 ACM conference on Internet measurement conference, ser. IMC '12. New York, NY, USA: ACM, 2012, pp. 1-14. [Online]. Available: http://doi.acm.org/10.1145/ 2398776.2398778
10. T. Chen, "Stuxnet, the real start of cyber warfare?" IEEE Network, vol. 24, no. 6, 2010.
11. J. Baltazar, J. Costoya, and R. Flores, "The real face of koobface: The largest web 2. 0 botnet explained," Trend Micro Threat Research, 2009. [Online]. Available: http://tinyurl.com/c95m86f
12. T. Werner, "The inside story of the kelihos botnet takedown," http://tinyurl.com/3gzmtzd, threatpost:The Kaspersky Lab Security News Service, 2011, [Online; accessed 2-December-2011].
13. S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich, "Analysis of the storm and nugache trojans: P2P is here," in USENIX ;login, vol. 32, no. 6, 2007.
14. T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freilling, "Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm," in Proc. 1st Usenix Workshop on Large-Scale Exploitsand Emergent Threats (LEET, Berkeley, CA, USA, 2008.
15. P. Barford and V. Yegneswaran, "An Inside Look at Botnets," in Malware Detection, ser. Advances in Information Security, M. Christodorescu, S. Jha, D. Maughan, D. Song, and C. Wang, Eds. Boston, MA: Springer US, 2007, vol. 27, ch. 8, pp. 171-191. [Online]. Available: http://dx.doi.org/10.1007/978-0- 387-44599-1\-8
16. I. Arce, E. Levy, and E. Levy, "An analysis of the slapper worm," IEEE Security & Privacy, vol. 1, pp. 82-87, 2003.
17. J. Stewart, "Phatbot trojan analysis," http://tinyurl.com/ 9srw4gh, 2004, [Online; accessed 15-December-2011].
18. A. Nappa, A. Fattori, M. Balduzzi, M. Dell'Amico, and L. Cavallaro, Detection of Intrusions and Malware, and Vulnerability Assessment, ser. Lecture Notes in Computer Science. Springer Berlin/Heidelberg, 2010, ch. Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype.
19. A. Berger and M. Hefeeda, "Exploiting sip for botnet communication," 2009 5th IEEE Workshop on Secure Network Protocols, pp. 31-36, 2009. [Online]. Available: http://tinyurl.com/8n9rkex
20. J. Caballero, P. Poosankam, C. Kreibich, and D. Song, "Dispatcher: Enabling active botnet infiltration using automatic protocol reverseengineering," in ACM Conference on Computer and Communications Security, Nov 2009.
21. C. Y. Cho, D. Babi ć, E. C. R. Shin, and D. Song, "Inference and analysis of formal models of botnet command and control protocols," in Proc. 17th ACM conference on Computer and communications security, ser. CCS '10. New York, NY, USA: ACM, 2010, pp. 426-439. [Online]. Available: http://doi.acm.org/10.1145/1866307.1866355
22. J. Nazario, "Twitter based botnet command and control," http://tinyurl.com/8ojo5wl, 2009, [Online; accessed 15-December-2011].
23. E. J. Kartaltepe, J. A. Morales, S. Xu, and R. Sandhu, "Social network-based botnet command-and-control: emerging threats and countermeasures," in Proc. 8th international conference on Applied cryptography and network security, ser. ACNS'10. Berlin, Heidelberg: Springer-Verlag, 2010, pp. 511-528. [Online]. Available: http://dl.acm.org/ citation.cfm?id=1894302.1894342
24. A. Lelli, "Trojan.whitewell: Whats your (bot) facebook status today?" http://tinyurl.com/yeb5rvb, 2009, [Online; accessed 15-December-2011].
25. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szyd-lowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your botnet is my botnet: Analysis of a botnet takeover," in Proc. 16th ACM conference on Computer and Communications Security (CCS), Nov 2009.
26. R. Westervelt, "Botnet masters turn to google, social networks to avoid detection," http://tinyurl.com/8ta9nly, 2009, [Online; accessed 15-December-2011].
27. Damballa, "The command structure of the operation aurora botnet: History, patterns, and findings," Tech. Rep., 2010.
28. R. Deibert, A. Manchanda, R. Rohozinski, N. Villeneuve, and G. Walton, "Tracking ghostnet: Investigating a cyber espionage network," Network, vol. JR02-2009, no. JR02-2009, p. 53, 2009. [Online]. Available: http://tinyurl.com/d5q3cj
29. A. Cole, M. Mellor, and D. Noyes, "Botnets: The rise of the machines," in Proc. on the 6th Annual Security Conference, 2007.
30. D. Wang, S. Savage, and G. M. Voelker, "Juice: A longitudinal study of an seo campaign," in NDSS, San Diego, CA, USA, 2013.
31. N. Lewis, "Zeus botnet analysis: Past, present and future threats," http://tinyurl.com/d3vwcll, 2010, [Online; accessed 15-December-2011].
32. A. Decker, D. Sancho, L. Kharouni, M. Goncharov, and R. McArdle, "Pushdo/cutwail botnet: A study of the pushdo/cutwail botnet," TrendMicro Labs, Tech. Rep., 2009.
33. I. Traynor, "Russia accused of unleashing cyberwar to disable estonia," http://tinyurl.com/5pmk5g, May 2007, [Online; accessed 12-December-2011].
34. B. Stone-Gross, G. S. T. Holz, and G. Vigna., "The underground economy of spam: A botmasters perspective of coordinating large-scale spam campaigns," in USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2011.
35. E. Athanasopoulos, A. Makridakis, S. Antonatos, D. Antoniades, S. Ioannidis, K. Anagnostakis, and E. Markatos, "Antisocial networks: turning a social network into a botnet," in Proc. 11th Information Security Conference, Taipei, Taiwan, 2008.
36. CWSandBox, "Cwsandbox," http://mwanalysis.org/, [Online; accessed 15-December-2011].
37. A. Mushtaq, "The dead giveaways of vm-aware malware," http://tinyurl.com/4ejusr2, Jan 2011, [Online; accessed 15-December-2011].
38. S. Shin and G. Gu, "Conficker and beyond: A large-scale empirical study," in Proc. Annual Computer Security Applications Conference (ACSAC), 2010.
39. L. T. Borup, "Peer-to-peer botnets: A case study on waledac," Master's thesis, Technical University of Denmark, Kongens Lyngby, Denmark, 2009.
40. M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon, "From throw-away traffic to bots: detecting the rise of dga-based malware," in Proc. 21st USENIX conference on Security symposium, ser. Security'12. Berkeley, CA, USA: USENIX Association, 2012, pp. 24-24. [Online]. Available: http://dl.acm.org/citation.cfm?id=2362793.2362817
41. V. Tiu, "Information about worm:win32/conficker.d," http://tinyurl.com/8c84vhl, March 2009, [Online; accessed 15-December-2011].
42. Tor, "Tor: Anonymity online," https://www.torproject.org/, [Online; accessed 20-December-2011].
43. D. Brown, "Resilient botnet command and control with tor." Presented at DEF CON 18, Las Vegas, Nevada, USA, 2010.
44. Tor, "Tor hidden services," https://www.torproject.org/docs/ hidden-services.html.en, [Online; accessed 12-November-2012].
45. D. Fisher, "Storm, nugache lead dangerous new botnet barrage," http://tinyurl.com/8folbmw, 2007, [Online; accessed 15-December-2011].
46. US-Cert, "Malware tunneling in ipv6." http://tinyurl.com/ 6zvv568, 2005, [Online; accessed 15-December-2011].
47. E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," ACM USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet SRUTI, vol. 7, pp. 39-44, 2005. [Online]. Available: http://tinyurl.com/8h94o9u
48. G. Gu, R. Perdisci, J. Zhang, and W. Lee, "Botminer: Clustering analysis of network trafficfor protocol-and structure-independent botnet detection," in Usenix Security Symposium, 2008.
49. P. Wurzinger, L. Bilge, T. Holz, J. Gobel, C. Kruegel, and E. Kirda, "Automatically generating models for botnet detection," in European Symposium on Research in Computer Security (ESORICS), 2009.
50. J. Goebel and T. Holz, "Rishi: Identify bot contaminated hostsby irc nickname evaluation," in USENIX Workshop on HotTopics in Understanding Botnets (HotBots'07), 2007.
51. M. Roesch, "Snort-lightweight intrusion detection fornetworks," in Proc. USENIX LISA'99), 1999.
52. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "Bothunter: Detecting malware infection through ids-driven dialog correlation," in Usenix Security Symposium, 2007.
53. L. Zhuang, J. Dunagan, D. Simon, H. Wang, I. Osipkov, G. Hulten, and J. Tygar, "Characterizing botnets from email spam records," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
54. A. Ramachandran, N. Feamster, and D. Dagon, "Revealing botnet membership using dnsbl counter-intelligence," in Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006.
55. R. Villamarin-Salomon and J. Brustoloni, "Identifying botnets using anomaly detection techniques applied to dns traffic," in Proc. 5th IEEE Consumer Communications and Networking Conference (CCNC 2008), 2008.
56. H. Choi, H. Lee, H. Lee, and H. Kim, "Botnet detection by monitoring group activities in dns traffic," in Proc. 7th IEEE International Conference on Computer and Information Technology (CIT 2007), 2007.
57. J. Zhang, Y. Xie, F. Yu, D. Soukal, and W. Lee, "Intention and origination: An inside look at large-scale bot queries," in to appear in NDSS, 2013.
58. L. Aniello, G. Lodi, and R. Baldoni, "Inter-domain stealthy port scan detection through complex event processing," in Proc. the 13th European Workshop on Dependable Computing, ser. EWDC '11. New York, NY, USA: ACM, 2011, pp. 67-72. [Online]. Available: http://doi.acm.org/10.1145/1978582. 1978597
59. L. Aniello, G. A. Di Luna, G. Lodi, and R. Baldoni, "A collaborative event processing system for protection of critical infrastructures from cyber attacks," in Proc. 30th international conference on Computer safety, reliability, and security, ser. SAFECOMP'11. Berlin, Heidelberg: Springer-Verlag, 2011, pp. 310-323. [Online]. Available: http://dl.acm.org/ citation.cfm?id=2041619.2041651
60. F. Doelitzscher, C. Reich, M. Knahl, and N. Clarke, "Incident detection for cloud environments," in Proc. Third International Conference on Emerging Network Intelligence (EMERGING 2011), Nov 2011.
61. G. Gu, J. Zhang, and W. Lee, "Botsniffer: Detecting botnet command and control channels in network traffic," in Network and Distributed System Security Symposium (NDSS), 2008.
62. T. Wang and S.-Z. Yu, "Centralized botnet detection by traffic aggregation," in IEEE International Symposium on Parallel and Distributed Processing with Applications, 2009.
63. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, "Detecting botnets with tight command and control," in Proc. 2006 31st IEEE Conference on Local Computer Network, 2006.
64. T. Strayer, D. Lapsley, R. Walsh, and C. Livadas, Botnet detection based on network behavior, ser. Advances in Information Security. Springer, 2008, vol. 36, pp. 1-24.
65. T.-F. Yen and M. K. Reiter, "Traffic aggregation for malware detection," in Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2008.
66. L. Liu, S. Chen, G. Yan, and Z. Zhang, "Bottracer:execution-based bot-like malware detection," in 11th Information Security Conference, 2008.
67. E. Stinson and J. C. Mitchell, "Characterizing bots' remote control behavior," in International Conference on Detectionof Intrusions & Malware, and Vulnerability Assessment (DIMVA), 2007.
68. W. Lu, M. Tavallaee, and A. A. Ghorbani, "Automatic discovery of botnet communities on large-scale communication networks," in Proc. 4th International Symposium on Information, Computer, and Communications Security, ser. ASIACCS '09. New York, NY, USA: ACM, 2009, pp. 1-10. [Online]. Available: http://doi.acm.org/10.1145/1533057.1533062
69. J. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Usenix Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2006.
70. A. Karasaridis, B. Rexroad, and D. Hoeflin, "Wide-scale botnet detection and characterization," in Proc. first conference on First Workshop on Hot Topics in Understanding Botnets (HotBots'07), 2007.
71. T.-F. Yen and M. K. Reiter, "Are your hosts trading or plotting? telling p2p file-sharing and bots apart," in International Conference on Distributed Computing Systems, 2010.
72. E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi, "Fluxor: Detecting and monitoring fast-flux service networks," Detection of Intrusions and Malware and Vulnerability Assessment, pp. 186-206, 2008. [Online]. Available: http://tinyurl.com/c735zn9
73. T. Holz, C. Gorecki, K. Rieck, and F. Freiling, "Detection and Mitigation of Fast-Flux Service Networks," in Proc. NDSS 2008, San Diego, CA, USA, Feb. 2008. [Online]. Available: http://tinyurl.com/9q64vk5
74. G. Gu, V. Yegneswaran, P. Porras, J. Stoll, and W. Lee, "Active botnet probing to identify obscure command and control channels," in Proc. 26th Annual Computer Security Applications Conference (ACSAC), 2010.
75. M. Neugschwandtner, P. M. Comparetti, and C. Platzer, "Detecting malware's failover c&c strategies with squeeze." in ACSAC, R. H. Zakon, J. P. McDermott, and M. E. Locasto, Eds. ACM, 2011, pp. 21-30. [Online]. Available: http://tinyurl.com/9wz2uvj
76. R. Perdisci, W. Lee, and N. Feamster, "Behavioral clusteringof http-based malware and signature generation using malicious network traces," in USENIX Symposium on Networked Systems Design & Implementation (NSDI), 2010.
77. C. Rossow and C. J. Dietrich, "Provex: Detecting botnets with encrypted command and control channels," in DIMVA, 2013, pp. 21-40.
78. T. Nguyen and G. Armitage, "A survey of techniques for internet traffic classification using machine learning," IEEE Commun. Surveys Tutorials, vol. 10, no. 4, pp. 56-76, 2008. [Online]. Available: http://tinyurl.com/9hpoa3d
79. C. Livadas, R. Walsh, D. Lapsley, and W. Strayer, "Using machine learning technliques to identifybotnet traffic," in Proc. 2nd IEEELCN Workshop on Network Security, Nov 2006.
80. G. Jacob, R. Hund, T. Holz, and C. Kruegel, "Jackstraws: Picking command and control connections from bot traffic," in USENIX Security Symposium, 2011.
81. S. Savage, D. Wetherall, A. R. Karlin, and T. E. Anderson, "Practical network support for ip traceback," Computer Communication Review, vol. 30, pp. 295-306, 2000.
82. D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for ip traceback," in IEEE INFOCOM, 2001, pp. 878-886. (Pubitemid 32478418)
83. S. M. Bellovin, M. Leech, and T. Taylor, "ICMP traceback messages," Obsolete Internet draft, February 2003. [Online]. Available: http://tinyurl.com/be2sa93
84. A. Mankin, D. Massey, C. long Wu, S. F. Wu, and L. Zhang, "On design and evaluation of "intention-driven" icmp traceback," in International Conference on Computer Communications and Networks, 2001.
85. A. Belenky and N. Ansari, "Ip traceback with deterministic packet marking," 2003.
86. A. Yaar, A. Perrig, and D. Song, "Pi: A path identification mechanism to defend against ddos attacks," in IEEE Symposium on Security and Privacy, 2003, pp. 93-107.
87. D. Ramsbrock, X. Wang, and X. Jiang, "A first step towards live botmaster traceback," in Proc. 11th international symposium on Recent Advances in Intrusion Detection, ser. RAID '08. Berlin, Heidelberg: Springer-Verlag, 2008, pp. 59-77. [Online]. Available: http://dx.doi.org/10. 1007/978-3-540-87403-4-4
88. A. C. Snoeren, "Hash-based ip traceback," Computer Communication Review, vol. 31, pp. 3-14, 2001. (Pubitemid 32981950)
89. S. Staniford-Chen and L. T. Heberlein, "Holding intruders accountable on the internet," in Proc. 1995 IEEE Symposium on Security and Privacy, ser. SP '95. Washington, DC, USA: IEEE Computer Society, 1995, pp. 39-. [Online]. Available: http://dl.acm.org/citation. cfm?id=882491.884246
90. Y. Zhang and V. Paxson, "Detecting stepping stones," in USENIX Security Symposium, 2000.
91. X. Wang, D. S. Reeves, and S. F. Wu, "Inter-packet delay based correlation for tracing encrypted connections through stepping stones," in European Symposium on Research in Computer Security (ESORICS), 2002, pp. 244-263.
92. D. L. Donoho, A. G. Flesia, U. Shankar, V. P. J. Coit, S. Stani-ford, J. Coit, and S. Staniford, "Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay," in Proc. of The 5th International Symposium on Recent Advances in Intrusion Detection (RAID). Springer, 2002, pp. 17-35.
93. A. Blum, D. Song, and S. Venkataraman, "Detection of interactive stepping stones: Algorithms and confidence bounds," in Conference of Recent Advance in Intrusion Detection (RAID), (Sophia Antipolis, French Riviera. Springer, 2004, pp. 258-277. (Pubitemid 39741898)
94. L. Zhang, A. G. Persaud, A. Johnson, and Y. Guan, "Detection of stepping stone attack under delay and chaff perturbations," in International Performance, Computing, and Communications Conference, 2006.
95. X. Wang and D. S. Reeves, "Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays," in Proc. 10th ACM conference on Computer and communications security, ser. CCS '03. New York, NY, USA: ACM, 2003, pp. 20-29. [Online]. Available: http://doi.acm.org/10.1145/948109.948115 (Pubitemid 40673785)
96. W. T. Strayer, C. E. Jones, I. Castineyra, J. B. Levin, and R. R. Hain, "An integrated architecture for attack attribution," Tech. Rep. BBN REPORT-8384, Dec 2003.
97. K. Yoda and H. Etoh, "Finding a connection chain for tracing intruders," in Proc. 6th European Symposium on Research in Computer Security (ESORICS), 2000, pp. 191-205.
98. X. Wang, X. Wang, D. S. Reeves, D. S. Reeves, S. F. Wu, S. F. Wu, J. Yuill, and J. Yuill, "Sleepy watermark tracing: An active network-based intrusion response framework," in Proc. 16th International Information Security Conference, 2001, pp. 369-384.
99. J. B. Grizzard and T. Johns, "Peer-to-peer botnets: Overview and case study," in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots07), 2007.
100. M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," in ACM Internet Measurement Conference(IMC), 2006.
101. M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "My botnetis bigger than yours (maybe, better than yours): Why size estimates remain challenging," in USENIX Workshop on Hot Topics in Understanding Botnet, 2007.
102. J. Zhang, X. Luo, R. Perdisci, G. Gu, W. Lee, and N. Feamster, "Boosting the scalability of botnet detection using adaptive traffic sampling," in Proc. 6th ACM Symposium on Information, Computer and Communications Security, ser. ASIACCS '11. New York, NY, USA: ACM, 2011, pp. 124-134. [Online]. Available: http://doi.acm.org/10.1145/1966913.1966930
103. FireEye, "Next generation threat protection-fireeye inc." http://www.fireeye.com/, [Online; accessed 12-December-2011].
104. Damballa, "Damballa::homepage," http://www.damballa.com/, [Online; accessed 12-December-2011].
105. T. Holz, M. Engelberth, and F. Freiling, "Learning more about the underground economy: A case-study of keylog-gers and dropzones," in European Symposium on Research in Computer Security (ESORICS), 2009.
106. C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage, "Spamalytics: An empirical analysis of spam marketing conversion," in Proc. 15th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, Oct 2008, pp. 3-14.
107. R. Ford and S. Gordon, "Cent, five cent, ten cent, dollar: hitting botnets where it really hurts," in Proc. 2006 Workshop on New Security Paradigms (NSPW'06). New York, NY, USA: ACM, 2007, p. 310.
108. URIBL, "uribl-website," http://www.uribl.com/, [Online; accessed 12-December-2011].
109. T. A. Meyer and B. Whateley, "SpamBayes: Effective open-source, Bayesian based, email classification system," in Proc. First Conference on Email and Anti-Spam (CEAS), 2004.
110. A. Pitsillidis, K. Levchenko, C. Kreibich, C. Kanich, G. Voelker, V. Paxson, N. Weaver, and S. Savage," Botnet Judo: Fighting Spam with Itself," in Proc. 17th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, March 2010.
111. T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the dos and ddos problems," ACM Comput. Surv., vol. 39, April 2007.
112. P. Bright, "How Operation b107 decapitated the Rustock botnet," http://tinyurl.com/4bajdjx, 2011, [Online; accessed 10-December-2011].
113. B. Furfie, "Laws must change to combat botnets Kaspersky," http://tinyurl.com/9tpdyj5, Feb 2011, [Online; accessed 10-December-2011].
114. A.-P. E. C. AEC, "Guide on Policy and Technical Approaches against Botnet," http://tinyurl.com/9b68qmj, Dec 2008, [Online; accessed 10-December-2011].
115. J. Leyden, "Botnet-harbouring survey fails to accounts for sinkholes," http://tinyurl.com/cgohqqg, Oct 2010, [Online; accessed 10-December-2011].
116. G. L. Orgill, G. W. Romney, M. G. Bailey, and P. M. Orgill, "The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems," in Proc. 5th conference on Information technology education, ser. CITC5 '04. New York, NY, USA: ACM, 2004, pp. 177-181. (Pubitemid 41190110)
117. N. Mody, M. O'Reirdan, S. Masiello, and J. Zebek, "Common best practices for mitigating large scale bot infections in residential networks," MAAWG, july 2009.
118. T. Ormerod, L. Wang, M. Debbabi, A. Youssef, H. Binsalleeh, A. Boukhtouta, and P. Sinha, "Defaming botnet toolkits: A bottom-up approach to mitigating the threat," in Proc. 4th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), 2010.
119. SecuriTeam, "Sasser worm remote ftpd buffer overflow exploit code (port 5554)," http://tinyurl.com/cdeyuy6, 2004, [Online; accessed 15-December-2011].
120. C. Y. Cho and J. Caballero, "Botnet infiltration: Finding bugs in botnet command and control," http://tinyurl.com/cz4j2z4, [Online; accessed 15-December-2011].
121. J. R. Douceur, "The sybil attack," in Proc. International workshop on Peer-To-Peer Systems (IPTPS), March 2002.
122. A. Singh, T.-W. J. Ngan, P. Druschel, and D. S. Wallach, "Eclipse attacks on overlay networks: Threats and defenses," in IEEE International Conference on Computer Communications (Infocom), 2006.
123. E. Karamatli, "Modern botnets: A survey and future directions," http://tinyurl.com/cesnb7e, Bogazici University, Turkey, 2011.
124. G. Ollmann, "Serial variant evasion tactics," 2009. [Online]. Available: http://tinyurl.com/93jnurm
125. K. Bong and J. Brozyck, "Managing large botnets," http://tinyurl.com/blcuxbo, 2007, [Online; accessed 15-December-2011].
126. M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir, "A survey of botnet technology and defenses," in Proc. 2009 Cybersecurity Applications & Technology Conference for Homeland Security. Washington, DC, USA: IEEE Computer Society, 2009, pp. 299-304. [Online]. Available: http://dl.acm.org/ citation.cfm?id=1524292. 1524347
127. M. Feily, A. Shahrestani, and S. Ramadass, "A survey of botnet and botnet detection," 2009 Third International Conference on Emerging Security Information Systems and Technologies, pp. 268-273, 2009. [Online]. Available: http://tinyurl.com/9njpehq
128. H. R. Zeidanloo, M. J. Z. shooshtari, M. Safari, P. V. Amoli, and M. Zamani, "A taxonomy of botnet detection techniques," 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT), pp. 158-162, 2010. [Online]. Available: http://tinyurl.com/9ttpjwm
129. S. Axelsson, "Intrusion Detection Systems: A Survey and Taxonomy," Chalmers Univ., Tech. Rep. 99-15, Mar. 2000. [Online]. Available: http://tinyurl.com/coej8xx
130. E. Stinson and J. C. Mitchell, "Towards systematic evaluation of the evadability of bot/botnet detection methods," in Proc. 2nd conference on USENIX Workshop on offensive technologies. Berkeley, CA, USA: USENIX Association, 2008, pp. 5:1-5:9. [Online]. Available: http://dl.acm.org/citation. cfm?id=1496702.1496707
131. S. García, A. Zunino, and M. Campo, "Survey on network-based botnet detection methods," Security Comm. Networks, p. n/a, Jun. 2013. [Online]. Available: http://dx.doi.org/10.1002/sec.800
132. F. Leder, T. Werner, and P. Martini, "Proactive botnet countermeasures an offensive approach," in Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia, March 2009.
133. S. Stankovic and D. Simic, "Defense strategies against modern botnets," International J. Computer Science and Information Security, vol. 2, no. 1, 2009.
134. I. Ullah, N. Khan, and H. A. Aboalsamh, "Survey on botnet: Its architecture, detection, prevention and mitigation," in ICNSC, 2013, pp. 660-665.
135. M. Eslahi, R. Salleh, and N. B. Anuar, "Bots and botnets: An overview of characteristics, detection and challenges," in Proc. 2012 IEEE International Conference on Control System, Computing and Engineering (ICCSCE), 2012, pp. 349-354.
136. Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts, and K. Han, "Botnet research survey," in Proc. 2008 32nd Annual IEEE International Computer Software and Applications Conference, ser. COMPSAC '08. Washington, DC, USA: IEEE Computer Society, 2008, pp. 967-972. [Online]. Available: http://dx.doi.org/10.1109/COMPSAC.2008.205
137. S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles, "Botnets: A survey," Computer Networks, Oct. 2012. [Online]. Available: http://dx.doi.org/10.1016/j.comnet.2012.07.021
138. L. Bilge, D. Balzarotti, W. Robertson, E. Kirda, and C. Kruegel, "Disclosure: Detecting botnet command and control servers through large-scale netflow analysis," in ACSAC, 2012. [Online]. Available: http://www.iseclab.org/papers/disclosure.pdf
139. SecurityFocus, "Zeus botnet finds hold in amazon cloud," http://www.securityfocus.com/brief/1046, 2009, [Online; accessed 12-November-2012].
140. I. Burke, "Who needs botnets if you have google?" Presented at ZaCon2, Johannesburg, South Africa, 2010.
141. K. P. Clark, M. Warnier, and F. M. T. Brazier, "Botclouds-the future of cloud-based botnets," in CLOSER, F. Leymann, I. Ivanov, M. van Sinderen, and B. Shishkov, Eds. SciTePress, 2011, pp. 597-603. [Online]. Available: http://tinyurl.com/c6cqkkd
142. Stratsec, "botcloud ? an emerging platform for cyber-attacks," http://tinyurl.com/cubnghx, 2012, [Online; accessed 12-November-2012].
143. C. Xiang, F. Binxing, Y. Lihua, L. Xiaoyi, and Z. Tianning, "Andbot: towards advanced mobile botnets," in Proc. 4th USENIX conference on Large-scale exploits and emergent threats, ser. LEET'11. Berkeley, CA, USA: USENIX Association, 2011, pp. 11-11. [Online]. Available: http://dl.acm.org/ citation.cfm?id=1972441.1972456
144. Symantec, "Android.bmaster: A million-dollar mobile botnet," http://tinyurl.com/a4bdljv, 2012, [Online; accessed 12-November-2012].
145. K. Inc., "Irc bot for android." http://tinyurl.com/7xrmlcb, 2012, [Online; accessed 12-November-2012].
146. X. Jiang, "Security alert: Anserverbot, new sophisticated android bot found in alternative android markets." http://www.csc.ncsu.edu/faculty/ jiang/AnserverBot/, 2011, [Online; accessed 12-November-2012].
147. Micorsoft, "Flame malware collision attack explained," http://tinyurl.com/dxxlb5j, June 2012, [Online; accessed 1-Aug-2012].
148. L. of Cryptography of Systems Security (CrySyS), "Duqu: A stuxnet-like malware found in the wild, technical report," http://tinyurl.com/dxxlb5j, October 2011, [Online; accessed 1-Aug-2012].
149. K. Lab, "Gauss:abnormal distribution," http://tinyurl.com/ 8p34yp7, September 2012, [Online; accessed 12-Dec-2012].
150. "Shamoon the wiper-copycats at work," http://tinyurl.com/ a9axwgx, August 2012, [Online; accessed 12-Dec-2012].
151. Seculert, "Mahdi-the cyberwar savior?" http://tinyurl.com/ brp64k4, July 2012, [Online; accessed 12-Dec-2012].
152. InternetWorldStats, "Internet growth statistics," http://www.internetworldstats.com/emarketing.htm, [Online; accessed 12-December-2011].
153. J. Stanton, K. Stam, P. Mastrangelo, and J. Jolton, "Analysis of end user security behaviors," Computers Security, vol. 24, no. 2, pp. 124-133, 2005. [Online]. Available: http://tinyurl.com/b3k6fg6 (Pubitemid 40583824)
154. J. Fielding, "25% of all computers on botnets," http://tinyurl.com/9e7bdkr, January 2007, [Online; accessed 12-December-2011].
155. CIOinsight, "Botnets still a major threat, researchers say at rsa," http://tinyurl.com/cw5bypo, February 2011, [Online; accessed 12-December-2011].
156. M. S. Mimoso, "Fbi takes down dns changer botnet; aided $14 million click fraud scheme," http://tinyurl.com/8nltjzf, Nov 2011, [Online; accessed 12-December-2011].
157. D. Goodin, "Waledac botnet 'decimated' by ms takedown," http://tinyurl.com/7apnn9b, March 2010, [Online; accessed 12-December-2011].
158. ITN-News, "'slain' kelihos botnet still spams from beyond the grave," http://tinyurl.com/9esmb3e, Feb 2012, [Online; accessed 1-February-2012].
159. R. McMillan, "China cleans up spam problem," http://tinyurl.com/clnedlt, February 2011, [Online; accessed 12-December-2011].
160. BotHunter, "Bothunter: A network-based botnet diagnostic system," http://www.bothunter.net/, [Online; accessed 12-December-2011].
161. TrendMicro, "Rubotted," http://tinyurl.com/yd62cb8, [Online; accessed 12-December-2011].
162. N. R. Ramay, S. Khattak, A. A. Syed, and S. A. Khayam, "Bottleneck: A generalized, flexible and extensible framework for botnet defense," in IEEE Symposium on Security and Privacy, 2012, May 2012, poster Paper.