IJSRD - International Journal for Scientific Research & Development | Vol. 1, Issue 9, 2013 | ISSN (online): 2321-0613
All rights reserved by www.ijsrd.com

A Survey of Botnet Detection Techniques

Parmar Riya H. (1), Harshita Kanani (2)
(1) P. G. Student, (2) Assistant Professor
(1, 2) Department of Computer Engineering, LDRP-ITR, Kadi Sarvavidhyalaya, Gandhinagar, India

Abstract—Botnets are emerging as the most serious threat against cyber-security, as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has become an active research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnets and botnet detection. The survey clarifies the botnet phenomenon and discusses botnet detection techniques, classifying them into four classes: signature-based, anomaly-based, DNS-based, and mining-based.

Key words: Botnet; Botnet Detection; Cyber-security

I. INTRODUCTION

According to the explanation in [1, 2], a malicious botnet is a network of compromised computers called “Bots” under the remote control of a human operator called the “Botmaster”. The term “Bot” is derived from the word “Robot”; similar to robots, bots are designed to perform predefined functions in an automated way. In other words, the individual bots are software programs that run on a host computer, allowing the Botmaster to control host actions remotely [1, 2]. Botnets pose a significant and growing threat against cyber-security as they provide a distributed platform for many cyber-crimes such as Distributed Denial of Service (DDoS) attacks against critical targets, malware dissemination, phishing, and click fraud [3, 4].
Botnet detection has been a major research topic in recent years. Researchers have proposed several approaches for botnet detection to combat the botnet threat against cyber-security. In this survey, the botnet phenomenon will be clarified and advances in botnet detection techniques will be discussed. This survey classifies botnet detection approaches into four classes: signature-based, anomaly-based, DNS-based, and mining-based. Furthermore, it summarizes the botnet detection techniques in each class and provides a brief comparison of these techniques.

The remainder of the paper is organized as follows. Section II describes the botnet phenomenon; in this section, botnet characteristics and the botnet life-cycle are explained to provide a better understanding of botnet technology. Section III discusses botnet detection and tracking; in this section the four classes of botnet detection approaches (signature-based, anomaly-based, DNS-based, and mining-based) are discussed in turn. The survey concludes in Section IV.

II. BOTNET PHENOMENON

Botnets are emerging as the most significant threat facing online ecosystems and computing assets. Malicious botnets are distributed computing platforms predominantly used for illegal activities such as launching Distributed Denial of Service (DDoS) attacks, sending spam, Trojan and phishing emails, illegally distributing pirated media and software, force distribution, stealing information and computing resources, e-business extortion, performing click fraud, and identity theft [3, 4]. The main value of botnets to their operators is the ability to provide anonymity through the use of a multi-tier command and control (C&C) architecture. Moreover, the individual bots are not physically owned by the Botmaster, and may be located in several locations spanning the globe. Differences in time zones, languages, and laws make it difficult to track malicious botnet activities across international boundaries [2, 5].
This characteristic makes botnets an attractive tool for cyber-criminals, and in fact poses a great threat against cyber-security. In order to provide a better understanding of the botnet phenomenon, botnet characteristics and the botnet life-cycle will be explained respectively.

A. Botnet Characteristics

Like the previous generations of viruses and worms, a bot is a self-propagating application that infects vulnerable hosts through exploit activities to expand its reach. Bot infection methods are similar to those of other classes of malware, which recruit vulnerable systems by exploiting software vulnerabilities, Trojan insertion, and social engineering techniques that lead the user to download malicious bot code [4, 6, 7]. According to measurement studies in [2], modern bots are equipped with several exploit vectors to improve their opportunities for exploitation. However, among the other classes of malware, the defining characteristic of botnets is the use of command and control (C&C) channels through which they can be updated and directed. The multi-tier C&C architecture of botnets provides anonymity for the Botmaster. C&C channels can operate over a wide range of logical network topologies and use different communication protocols. Botnets are usually classified according to their command and control architecture [2, 4, 5, 6]: on this basis, botnets can be classified as IRC-based, HTTP-based, DNS-based, or Peer to Peer (P2P) botnets [8]. P2P botnets use P2P protocols to avoid a single point of failure. Moreover, P2P botnets are harder to locate, shut down, monitor, and hijack [9, 10]. However, according