Computer Networks 56 (2012) 20–33

Contents lists available at ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/locate /comnet

Identifying botnets by capturing group activities in DNS traffic

Hyunsang Choi, Heejo Lee ⇑Department of Computer Science and Engineering, Korea University, Seoul 136-713, Republic of Korea

a r t i c l e i n f o

Article history:Received 13 October 2010Received in revised form 21 June 2011Accepted 22 July 2011Available online 30 July 2011

Keywords:BotnetGroup activityDNS

1389-1286/$ - see front matter � 2011 Elsevier B.Vdoi:10.1016/j.comnet.2011.07.018

⇑ Corresponding author.E-mail addresses: realchs@korea.ac.kr (H. Cho

(H. Lee).

a b s t r a c t

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam,phishing and identity theft. Even though numerous efforts have been directed towardsdetection of botnets, evolving evasion techniques easily thwart detection. Moreover, exist-ing approaches can be overwhelmed by the large amount of data needed to be analyzed. Inthis paper, we propose a light-weight mechanism to detect botnets using their fundamen-tal characteristics, i.e., group activity. The proposed mechanism, referred to as BotGAD(botnet group activity detector) needs a small amount of data from DNS traffic to detectbotnet, not all network traffic content or known signatures. BotGAD can detect botnetsfrom a large-scale network in real-time even though the botnet performs encrypted com-munications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques.We evaluate BotGAD using multiple DNS traces collected from different sources includinga campus network and large ISP networks. The evaluation shows that BotGAD can auto-matically detect botnets while providing real-time monitoring in large scale networks.

� 2011 Elsevier B.V. All rights reserved.

1. Introduction

A botnet is a network of computers compromised bymalicious software. The botnet is operated by a criminalentity to perform Internet attacks, such as identity theft,spam distribution, and DDoS attack. All of these infectedhosts are unwilling victims, performing malicious tasksunbeknownst to their owners.

Researchers have focused on bot traffic detection usingincidental traits of prevalent bots. However, the detectionapproaches can be quickly overcome by evasion tech-niques. Moreover, some approaches need to run with anoverwhelming amount of data, which becomes ineffectivefor high speed networks.

We have proposed a botnet detection mechanismusing a fundamental property of botnets [1,2]. Wefocused on an underlying common association among

. All rights reserved.

i), heejo@korea.ac.kr

infected hosts, command and control (C&C) servers andvictims, and found that the botnet generally acts as acoordinated group. Using this ‘‘group activity’’ property,it is possible to detect unknown botnets, irrespective oftheir communication protocol and structure. BotGADdetects botnets using DNS traffic, since it is possible tocapture botnet group activities by monitoring the DNStraffic and monitoring DNS traffic has less overhead thanmonitoring the entire network traffic. Moreover, DNSmonitoring enables botnet detection at their early stages,since botnet DNS traffic is often sent prior to performingattacks.

However, our previous mechanism has three limita-tions as follows:

� The mechanism may generate false negatives, when aset of infected hosts in a botnet is changed frequently.For example, a part of a botnet can appear only for ashort time because they are removed by users ortemporally deactivated. The changes in the botnetcan decrease detection accuracy of our previousmechanism.

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 21

� The previous mechanism is too sensitive against detec-tion parameters. For example, if a time window param-eter of the previous mechanism is misconfigured, themechanism can generate a significant number of falsepositives or false negatives.� The mechanism cannot detect recently introduced eva-

sive botnets that utilize a domain generation algorithmfor C&C. For example, Kraken/Bobax [3], Srizbi [4], Tor-pig [5] and Conficker [6] use the domain generationalgorithm (DGA) to evade detection.

To overcome the limitations, we improve the mecha-nism by applying three methods: error correction, clusteranalysis, and hypothesis test.

� Error correction. We develop the error correctionmethod to alleviate errors caused when analyzinggroup activities. Error correction can decrease falsealarms caused by unexpected changes in a botnet orby misconfigured detection parameters. We devise col-umn filtering and row filtering operations to correct theerrors.� Cluster analysis. We develop a clustering method using

unsupervised machine learning to detect a set of corre-lated botnets. Several features are devised to classifycorrelated clusters. Each cluster is analyzed to detectbotnet clusters.� Hypothesis test. We adopt Sequential Probability Ratio

Testing (SPRT) [7], as a hypothesis test for sequentialanalysis, where a decision is made within a small num-ber of rounds with bounded false alarm rates. The SPRTmethod guarantees a higher level of confidence to makedecisions than simple threshold based detection used inour previous mechanism.

The three methods are added in BotGAD to enhanceaccuracy and robustness against evasions.

We evaluate BotGAD using real-life DNS traces col-lected from several networks, such as a campus networkand a large ISP network. BotGAD can report hundreds ofbotnet domains and correlated botnet domain clusters. Ittakes only a few minutes to analyze an hour’s DNS traceof a large ISP network. The evaluation shows BotGAD canautomatically detect botnets in real-time, even thoughthey apply evasion techniques, such as the DGA algorithm.

The remainder of this paper is organized as follows. Sec-tion 2 reviews related work. We describe the botnet groupactivity, detection algorithms and a framework of BotGADin Section 3. We evaluate BotGAD performance in Section 4and analyze results. We also discuss possible evasion tech-niques in Section 4. We draw conclusions in Section 5.

2. Related work

In this section, we review several network based botnetdetection approaches that can be classified machine learn-ing approaches and non-machine learning approaches. Wefurther classify the approaches according to their detectionobject such as botnet traffic, cooperative behavior, andspamming botnets. We also distinguish the approaches

by the source data they analyze (DNS traffic or other net-work traffic).

2.1. Non-machine learning approaches

2.1.1. Botnet traffic detectionDNS-based mechanisms. Ramachandran et al. [8] devel-

oped techniques and heuristics derived from an idea thatdetects DNSBL (DNS-based block list) reconnaissanceactivity of the botmaster whereby the botmasters performlookups against the DNSBL to determine whether theirspam bots have been blacklisted. However, it is easy to de-sign evasion strategies. Salomon et al. [9] proposed andevaluated a Bayesian approach for bot detection based onthe similarity of their DNS traffic to that of known bots.The hypothesis of the proposed approach is that bots inthe same botnet have similar DNS traffic that can be distin-guished from legitimate DNS traffic. However, the ap-proach may generate false positives when a domainname is queried by one infected host and a few uninfectedhosts. Sato et al. [10] also proposed a similar approach todetect botnets. Brustoloni et al. [11] described DNS Flagger,a device for ISP bot detection. DNS Flagger matches sub-scribers’ DNS traffic against IP and DNS signatures withthe IP addresses and domain names of blacklisted C&Cservers, respectively.

Network traffic-based mechanisms. BotHunter [12] mod-eled the botnet infection life cycle as sharing commonsteps. It then detects botnets employing IDS-driven dialogcorrelation according to the bot infection life-cycle model.Karasaridis et al. [13] also proposed a similar approachusing IDS-driven dialog correlation according to a definedbot infection dialog model. These bot infection model-based approaches are useful to detect botnets with lowfalse positives. However, malware not conforming to thesemodels would seemingly go undetected. BotCop [14] is abotnet traffic detection system in which the network trafficis fully classified into different application communitiesusing payload signatures and a decision tree model. How-ever, the very nature of signature-based detection rendersit easy to evade. RB-Seeker [15] can automatically detectredirection botnets. RB-Seeker gathers information aboutbots redirection activities. Then it utilizes the statisticalmethodology and DNS query probing technique to detectbotnet redirection domains. However, RB-Seeker only fo-cused on the redirection botnets. Zeidanloo and Manaf[16] proposed a general detection framework that focusedon P2P and IRC based Botnets. The framework is based onthe definition of botnets that is a group of bots that per-form similar communication and malicious activitypatterns.

2.1.2. Cooperative network behavior detectionThe approaches in this category are closely related to

BotGAD since they have a similar concept of capturingthe synchronized botnet communication.

DNS-based mechanisms. Manasrah and Hasan [17] pro-posed a DNS-based mechanism that is similar to our previ-ous mechanism [1,2] since they capture botnet groupactivities from DNS traffic. However, their approach haslimited coverage because they use a MAC address as an

DNS server C&C server Victim

DNS queries

Attacktraffic

C&Ctraffic

GroupActivity

Target(Object)

Bot Bot Bot Bot

… Botnet(Group)

Fig. 1. Botnet group activities (centralized C&C).

22 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

identifier of a host rather than an IP address. The MAC ad-dress is visible only to hosts on the same subnet. Therefore,it is not appropriate for monitoring large-scale networks.

Network traffic-based mechanisms. Reiter et al. proposedTAMD [18], a system to detect botnets by aggregating traf-fic that shares the same external destination, similar pay-load, and that involves internal hosts with similar OSplatforms. BotSniffer [19] is designed to detect IRC or HTTPbotnets using a spatial–temporal correlation of botnets. Itrelies on the assumption that all botnets, unlike humans,tend to communicate in a highly synchronized fashion.BotSniffer performs string matching to detect similar re-sponses from botnets, in contrast to BotGAD. Botnet canencrypt their communication traffic or inject random noisepackets for evasion. Yu et al. [20] proposed a real-timebased botnet activity monitoring mechanism by using net-work features such as bps, pps and bytes to detect botnet.However, adversaries can easily manipulate the featuresby adding a noise to their network traffic.

2.1.3. Spam bot detectionMost recent botnet detection approaches focus on spam

bot detection because botnets mainly perform spam distri-bution. Husna et al. [21] investigated the behavior patternsof spammers based on their underlying similarities inspamming. Zhuang et al. [22] developed techniques tomap botnet membership by grouping bots into botnetsthey look for multiple bots participating in the same spamemail campaign. SPOT [23] is a spam zombie detection sys-tem for monitoring outgoing messages of a network. SPOTis designed based on a powerful statistical tool, SequentialProbability Ratio Test. Botgraph [24] used graph algo-rithms to detect web provider email accounts used by bot-nets to send spam. This analysis helped identify accountsregistered by bots during an interval when CAPTCHAs weresubverted, allowing automatic bot registration. Spam botdetection obtains high accuracy with low false positives.However, the approaches cannot detect zombie machinesor C&C servers that are important to disarm botnets. Onlyspam relays or proxy servers (or some infected hosts whenthey directly send spam) are detectable by spam bot detec-tion approaches. Moreover, spam bot detection cannot pro-vide early detection because they are post-mortemmethods that can detect botnets only after sending spammails.

2.2. Machine learning approaches

2.2.1. Bot traffic detectionDNS-based mechanisms. Antonakakis et al. [25] proposed

Notos, a dynamic reputation system for DNS that uses pas-sive DNS query data and analyzes the network and zonefeatures of domains. It builds models of known legitimatedomains and malicious domains, and uses these modelsto compute a reputation score for a new domain indicativeof whether the domain is malicious or legitimate.

Network traffic-based mechanisms. BotMiner [26] pre-sented a botnet detection method that clusters botnet’scommunication traffic and activity traffic. Clustering algo-rithms are applied and performed cross-plane correlationto detect botnets. Yu et al. [27] proposed a technique to

detect botnet activities. They transform network trafficflows into multi-dimensional feature, adopt the slidingwindow to retain the continuous network traffic and selectcorrelation analysis as the similarity measurement. Hostswhose feature streams belong to the same cluster withhigh similarities will be regarded as suspected bot hosts.Lu et al. [28] proposed an approach for detecting and clus-tering botnet traffic on large scale network applicationcommunities. They classified the network traffic into dif-ferent applications using traffic payload signatures, andused a decision tree model to classify the traffic to be un-known by the payload content into known applicationcommunities to differentiate the malicious botnet trafficfrom normal traffic on each specific application.

2.2.2. Spam bot detectionSNARE [29] investigates ways to infer the reputation of

an email sender based solely on network-level featuresthat enable it to distinguish spammers from legitimatesenders.

Even though several approaches have been proposed todetect the botnets, they often suffer from several tactics toevade the detection methods. Stinson and Mitchell [30]proposed a systematic framework to evaluate the evadabil-ity of a detection method to assess the fitness of a detec-tion method. We discuss possible evasion tactics andevaluate our mechanism using their systematic frameworkin Section 4.3.3.

3. Botnet group activity and detection scheme

In this section, we illustrate the concept of our mecha-nism and a botnet detection scheme.

3.1. Botnet group activity

The main characteristic of a botnet is embedded C&C(Command and Control) systems that allow an attacker(botmaster) to control a pool of compromised machines.Bots communicate through the C&C systems and performmalicious behaviors in a coordinated manner. We startwith this fundamental property of a botnet defined as a‘‘group activity’’. Fig. 1 shows an example of the botnetgroup activity which has a centralized C&C. Botnet groupactivities are frequently shown in a botnet life cycle,

Table 1Differences between botnet and normal group activities.

Groupuniformity

Activityperiodicity

Activityintensity

Botnet Consistent Periodic/sporadic

Intensive

Normalgroup

Fluctuate Irregular Moderate

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 23

particularly more often in centralized botnets since theycontinuously communicate with their C&C servers. Groupactivities can be also observed in P2P botnets that have adecentralized architecture [31] (e.g., Bots within the StormP2P botnet frequently contact the NTP (Network TimeProtocol) server as a group to synchronize themselves.

In this study, we use DNS data to capture the botnetgroup activities. We use the DNS data for three reasons.First, DNS queries are frequently generated during theoperation of botnets. Second, DNS occupies only a smallportion of network traffic so that we can greatly reducethe amount of data to be handled. Third, DNS monitoringenables botnet detection at their early stages, becausethe DNS traffic is often sent when bots find C&C serversprior to performing attacks.

In general, the two main purposes of DNS lookup in bot-nets are (1) rendezvous points lookup (C&C servers or up-date download servers) and (2) victim lookup.

Rendezvous point lookup. Botnets send DNS querieswhen they look up C&C servers or update servers. Once avulnerable machine has been infected, the machine con-nects to C&C servers to receive orders, and finds updateservers to download new binaries. Generally, botnets useDNS to find IP addresses of the rendezvous point [32].IRC protocol based bots frequently send PING/PONG mes-sages to keep their connection with a C&C server and HTTPprotocol based bots periodically/sporadically send HTTPrequests to deliver commands from C&C servers [33]. Therendezvous point access and the connection maintenanceare repeatedly observed in a botnet lifecycle and can beconsidered as group activities (accompanied with DNSqueries sent in a similar fashion). Some botnets apply a dy-namic DNS [34] service to migrate C&C servers frequently.

Victim lookup. Botnets send DNS queries when they per-form malicious behavior, such as DDoS attacks, spam dis-tribution and click frauds. For example, when the botnetsends spam, the botnets look up domains in spam recipientlists [35]. Recent spam bots such as Rustock [36] periodi-cally obtain a chunk of recipients and send spam to therecipients. The spam sending behavior of a botnet can in-duce massive DNS queries for the victim lookup.

Consequently, the coordinated DNS transmission is oneof the most frequently observed group activities in a botnetlifecycle. Group activities can be monitored in normal com-

BotGAD (Bot net

DataCollector

DNS server 1

DNS server 2

DNS server N

…

Sensor 1

Sensor #2

Sensor N

…

DataMapper

Hash Map

Dom 1

Dom 2

Dom 3

Dom X

Domain Map

…

IP 1

IP 2

IP Y

…

IP M

IP M

IP M

…

White&Black

list

DNS traffic

DNS Info.

DNS traffic

Domain name

DNS traffic

DNS traffic

Fig. 2. BotGAD fr

munication as well (e.g., flash crowds). However, groupactivities of botnet have discriminative characteristics asshown in Table 1. Members of a botnet (i.e., bots) are rela-tively stable when they perform group activities (consis-tent group). Conversely, members in a normal group (i.e.,benign hosts) generally keep changing over time (inconsis-tent group). Botnet group activities generally appear inten-sively having a periodic/sporadic pattern, whereas benigngroup activities appear at random. Our detection mecha-nism uses these characteristics to distinguish botnets fromlegitimate groups. The dynamics of IP addresses can affectthe uniformity of the botnet group. The issue of IP dynam-ics will be discussed in Section 4.3.2.

3.2. BotGAD framework

In this section, we describe the framework of BotGAD. Itconsists of five main parts: (1) data collector, (2) data map-per, (3) correlated domain extractor, (4) matrix generator,and (5) similarity analyzer (see Fig. 2). The data collectorreceives and aggregates DNS traffics from the sensors.The data mapper parses the DNS traffic and inserts DNSinformation into the hash map data structure. The hashmap data structure includes a domain map that has a do-main name as a key and an IP map as a value, and IP mapsthat have an IP address number as a key and the informa-tion list as a value. The information list has timestamps ofeach DNS query and DNS based feature values. The matrixgenerator builds a matrix to measure a similarity score.The correlated domain extractor classifies domain setsusing the DNS based features stored in the hash maps.The similarity analyzer calculates the similarity score ofgenerated matrixes. It also performs a hypothesis test to

Group Activity Detector)

Database

Info 1

Info 1

Info Y

ap 1

ap 2

ap X

…

MatrixGenerator

SimilarityAnalyzer

Correlated Domain

Extractor

Correlated domain cluster analysis

Single domain analysis

Map Info.

Map Info.

DomainCluster

Botnetdomains

Matrix

Estimatedsimilarity

amework.

24 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

make a decision to detect botnet domains. Detected botnetdomains are summarized in a database.

3.2.1. Matrix generation and error correctionConventional vector based similarity is one of the most

widely used methods to measure similarity [37]. The vec-tors are constructed to represent original data and a coef-ficient function operating on the vectors (e.g., cosinecoefficient) is used to output the similarity score. We useda binary matrix representation to measure the temporalsimilarity of group activities. The matrix has column vec-tors that can be regarded as temporal vectors of a group.Temporal similarity scores can be obtained using the vec-tor based similarity method.

We first translate DNS queries into the form of a binarymatrix. In designing the binary matrix constructionscheme, we use a domain, a set of IP addresses which que-ries the domain and a timestamp when each IP addressqueries the domain. Assume there is an m by n matrix fora domain D. Rows of the matrix represent unique IP ad-dresses that send DNS queries for a domain D and columnscorrespond to time windows that are evenly distributedtime intervals. For example, if an IP1 queries the domainD within a time window w1, the matrix generator marks1 at the matrix element (1,1). After marking all elementsin the binary matrix, the similarity analyzer computesthe similarity of each neighbor column vector of thematrix.

The matrix representation is useful to measure tempo-ral similarity and our previous mechanisms [1,2] measuresimilarities in this way. However, we observed two typesof errors that can cause false detection. (1) If a time win-dow parameter is misconfigured, especially when there isa relatively loose/random C&C lookup, the matrix is likelyto have column vectors that decrease similarity values be-tween neighbor column vectors. (2) If a part of a botnet isremoved by users or temporally deactivated, the matrixmay have erroneous rows that also decrease similarity val-ues. We devise two filtering operations (column filteringand row filtering) to eliminate such errors. The filteringoperation is designed as a pre-processing method to de-crease errors incurred by erroneous vectors of a matrix.

Column filtering. Columns of a botnet domain matrixtend to have same (or similar) vector lengths since bots be-have as a coordinated group and botnet domains are peri-odically queried. However, columns of a normal domainmatrix tend to have random vector lengths, because theuser web access model is known to follow the Poissonmodel [38].1 Therefore, we use a vector length differenceto find erroneous columns for a botnet domain matrix. Incolumn filtering, column vector ~wx is deleted when itsatisfies

1m

Pni¼1k~wik2

n� k~wxk2

!> gc;

1 Roughly, more than 60% of normal domains have random columnlengths that follow the Poisson distribution in our datasets. We used amatrix rank value to measure randomness of the matrix [39].

where m is the number of rows (i.e., the number of uniqueIPs seen) and n is the number of columns (i.e., the numberof time windows). The equation yields a squared vectorlength difference between ~wx and the average length ofcolumn vectors in a matrix. If the difference is larger thanthe column filter threshold gc, the matrix generator re-moves the column vector as an error. The pre-definedthreshold determines how aggressively to filter erroneouscolumns of the matrix.

Row filtering. Periodicity difference and row vectorlength difference metrics are used to delete erroneousrow vectors (errors by the bot deviation or deletion). Theperiodicity metric is measured to find a row that has sametemporal patterns as the others and the difference of vec-tor lengths is used similarly as used in the column filteringoperation. We choose an erroneous row when a row has asmall periodicity difference (shows temporal property ofbotnets) but has a large row vector length difference. Wefirst measure a time interval between a successive pair oftimestamps to estimate the periodicity. Assume the timeinterval for the xth row is Tx = t1, t2,t3, . . . , tk and �t is a meanvalue of Tx. Then, the periodicity for x can be measured bythe following equation.

PðxÞ ¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1k

Xk

i¼1

ðti � �tÞ2vuut :

The periodicity (i.e., a standard deviation of time intervals)is measured for each row in the matrix. The difference be-tween the periodicity and the mean value of the periodic-ity P� �

is used to measure how similar the periodicity of arow is. We also measure a vector length difference be-tween a row vector ~ipx and an average length of row vec-tors in a matrix. If the length difference is larger than therow filter threshold gr and the periodicity difference is lar-ger than a periodicity difference threshold gp, the row is re-moved as an error. In summary, the row filter operationremoves a row vector ~ipx that follows

1n

Pmi¼1

~ipi

��� ���2

m� ~ipx

��� ���2

0B@

1CA > gr ; and

PðxÞ � P�� ��

P< gp:

The pre-defined thresholds gc, gr and gp are decidedconsidering the detection rate and false positive/negativerates (discussed in Section 4.2.3).

3.2.2. Correlated domains clusteringOur previous mechanism [1,2] cannot detect a botnet if

the botnet utilizes multiple domains at random. The multi-ple domains can be hard-coded in a bot code or generatedby an embedded algorithm. We found three typical casesfrom real-world botnets: (1) botnets query a domain usinga domain generation algorithm, (2) botnets randomlyquery domains from hard-coded C&C domains and (3) bot-nets query a domain from a spam recipient list.

Domain generation algorithm. Adversaries have recentlydeveloped a flexible and robust channel lookup mecha-nisms against C&C break down. Kraken/Bobax [3], Srizbi[4], Torpig [5] and Conficker [6] are examples that use a do-main generation algorithm to be robust against a sinkhole

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 25

defense mechanism [40]. Each bot independently uses thegenerated domains and queries the domains frequently.The bots keep contacting the domains until one of themsucceeds.

Multi-domain C&C. Some botnets have a list of multipledomains for C&C and query domains sequentially/randomly.

Botnet spamming. When botnets distribute spam usingrecipient lists, bots query the mail server domains in therecipient lists. The spam bots share their recipient listsand choose victims randomly. The spam distribution corre-sponds to overlapped multi-domain lookups.

We devise a cluster analysis method using a machinelearning algorithm, X-means [41], to detect these corre-lated domains.

Features. We develop a feature set obtainable from DNStraffic for the cluster analysis. Selection of discriminativefeatures plays a critical role for machine learning based ap-proaches. Therefore, we carefully choose 13 features fromthree different aspects: (1) DNS lexicology, (2) DNS queryinformation and (3) DNS answer information. These threegroups of features can effectively represent the propertiesof botnet domains to classify the correlated domains.

� DNS lexicology features. DNS lexicology features are thetextual properties of a botnet domain itself. Domainsqueried by botnets may have distinguishable textualpatterns. For example, spam [42] and phishing [43]domains have different textual patterns from benigndomains. Algorithmically generated botnet domainstend to have similar length and number of domaintokens [6]. Therefore, we adopt the token count, theaverage length of tokens and the longest length oftokens as lexicology features. Moreover, the correlatedbotnet domains are likely to be hosted by the same pro-vider who often serves malicious domains (e.g.,3322.org); therefore, we employ a binary feature,‘‘blacklisted SLD presence’’ to check whether a SLD (Sec-ond Level Domain) of a domain is matched to a SLD con-tained in a blacklist. Consequently, four lexical featureslisted in Table 2 are used in our method (domains aredelimited by ‘�’, ‘/’, ‘?’, ‘=’, ‘�’, ‘_’ to obtain the domaintokens).� DNS query features. A set of domains queried by a botnet

are sent in a similar way. Bots send a similar number ofDNS queries that have the same query type (e.g., A, NS,CNAME, MX and PTR). Therefore, we employ the num-ber of queries sent and the query type as DNS query fea-tures. DNS queries from botnets also have similartemporal patterns so we adopt the measured similarityas a DNS query feature (even if it has a small value). Thebots are usually distributed over different networks.Thus, we adopt the number of distinct sender IPs andASNs (Autonomous System Numbers) as DNS queryfeatures.� DNS answer features. A DNS answer packet returned by a

DNS server usually has several DNS A (address) records.Attackers typically use botnet domains that map tomultiple IP addresses that reside in different ASNs,countries and regions. With this insight, we extract fourfeatures from the DNS answer data. The number of

unique IP addresses, ASNs and countries that areresolved for a given domain are used as DNS answerfeatures. AS numbers and country codes are extractedusing MaxMind’s database [44]. Every DNS record hasa TTL (Time To Live) value that specifies how long theanswer for a domain should be cached. Setting lowerTTL value is useful for the attackers to achieve higheravailability and resistancy against take downs. In par-ticular, botnet domains usually have a very low TTLvalue when they use DDNS [34] or FFSN [45] service.Thus, we select the TTL value as a DNS answer feature.

Using the features, we apply X-means in order to clustercorrelated domains.

X-means clustering. X-means is a clustering algorithmbased on a very popular K-means clustering algorithm. Dif-ferent from K-means, the algorithm X-means does not haveto choose the number of final clusters in advance. It tries toincorporate a search for the best K in the process itself.While more comprehensive criteria for finding optimal Krequire running independent K-means and then comparingthe results, X-means tries to split a part of the previouslyconstructed cluster based on the outcome of BayesianInformation Criterion [41]. This gives a much better initialguess for the next iteration and covers a user specifiedrange of admissible K.

3.2.3. Similarity analysisNumerous similarity measures in use, differ primarily in

the way they normalize the intersection value. We use thecosine similarity coefficient to measure the domain/clustersimilarity. The cosine similarity coefficient is based on thebinary term vectors and normalizes the similarity valuebetween 0 and 1. The similarity yields the probability ofhow many members are presented in a single group andpresented in the other group simultaneously. Therefore,the cosine similarity coefficient between column vectorw1 and w2 indicates measured similarity of the group be-tween w1 and w2. The cosine similarity SCos is measuredas the following equation,

SCos ~wi; ~wiþ1ð Þ ¼~wi � ~wiþ1

~wik k ~wiþ1k k :

In the case of a domain cluster, we measure two values:cosine similarity and intensity of a cluster matrix. We gen-erate a matrix for a cluster using every DNS queries in-volved in the cluster. The intensity value is used toestimate periodic/sporadic pattern of a cluster. Assumethat a cluster has n domains and kmik2 is the number ofelements that have a value of 1 in a domain matrix i, andkMk2 is the number of elements that have a value of 1 ina cluster matrix. Then, the matrix intensity is calculated as

I ¼ kMk2Pni¼0kmik2 :

The similarity analyzer detects botnet domain clustersusing a metric of SCosþI

2 : The metric is used for a hypothesistest of a cluster instead of a similarity value.

Sequentialprobability ratio test. Our previous mechanismcalculates an average value of the similarity and uses a

Table 2Selected features for clustering.

Feature type Feature name

DNS lexicologyfeatures

Number of domain tokensAverage length of domain tokensLongest length of domain tokenBlacklisted SLD presence

DNS query features Number of queries sentNumber of distinct sender IPsNumber of distinct sender ASNsQuery type (A, NS, CNAME, MX, PTR)Estimated similarity of a domain

DNS answer feature Number of distinct resolved IPsNumber of distinct ASNs of resolved IPsNumber of distinct countries of resolvedIPsTTL value in a DNS answer packet

26 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

fixed threshold to detect botnet domains. However, thesimple threshold based method can make an incorrectdecision, particularly when botnets loosely/randomly lookup domains or a time window parameter is misconfigured.Therefore, we apply a hypothesis test that utilizes multipleobservations for decision making can guarantee a higherlevel of confidence than the simple threshold method.We use the Sequential Probability Ratio Testing (SPRT)which is a statistical method for testing a hypothesis witha bounded false positive rate and false negative rate. Bot-GAD measures similarity and after a number of tests, Bot-GAD produces the acceptance or rejection of thehypothesis.

We consider two hypotheses: H0 denotes the domain(or the cluster) is detected as a benign domain and H1 de-notes the domain (or the cluster) is detected as a botnetdomain.

PrðXijH0Þ ¼ h0; PrðXijH1Þ ¼ h1:

Let h0 and h1 denote the probability of a domain being abotnet domain and a normal domain, respectively. Let S1,S2, . . . ,Sn be an observed samples sequence of a domain(or a cluster), then we have the likelihood ratio Kn as

Kn ¼ lnPrðS1; S2; . . . ; SnjH1ÞPrðS1; S2; . . . ; SnjH0Þ

¼Yn

k¼1

lnPrðSkjH1ÞPrðSkjH0Þ

:

The equation represents the step in the hypothesis testthat generates the accumulated likelihood ratio. Thehypothesis test is then defined as follows. Given two userspecified threshold k0 and k1 where k0 < k1, at each testwe compute the likelihood ratio and check the stoppingrule as follows:

Kn 6 k0; then accept H0;

Kn P k1; then accept H1;

k0 < Kn < k1; then pend the decision:

The thresholds k0 and k1 can be set according to the user-chosen false positive rate a and false negative rate b. Bysetting the threshold k0 ¼ 1�b

a and k1 ¼ b1�a, the true

bounded false positive rate and false negative rate can beacquired.

4. Evaluation result and analysis

We tested BotGAD on three different real-life traces toevaluate its performance. We also evaluate the perfor-mance of the three modules, i.e., error correction, corre-lated cluster analysis and hypothesis test. We discussevadability and compare BotGAD to other mechanisms.

4.1. Datasets and result verification

We obtained three DNS traces from three differentnetworks:

� Trace #1: This DNS traffic was tapped from the gatewayrouter of a /16 campus network on December 24th,2008. There are 4.6 million DNS queries in 1.48 GB ofcaptured DNS traffic.� Trace #2: This DNS traffic was collected from ISP DNS

servers on July 7th, 2009. The network size is much lar-ger than the campus network (453.6 million DNS que-ries were captured).� Trace #3: This data has DNS logs tapped from ISP DNS

servers on June 15th 2010. The data consists of dynamicDNS logs that have more than 15 million DNS queries.

We need a method to ensure the result for the evalua-tion since it is difficult to know all hidden botnets in thereal-life traces. Hence, we design a method to verify exper-imental results with the help of third parties such as searchengines. A combination of the following approaches is usedto verify the results.

1. Blacklist matching: We match detected domains with ablacklist collected from several resources (Korea Infor-mation Security Agency (KISA) sinkhole domain list[46], DNS-BH list [47] and Cyber-TA list [48]). Theblacklists include more than 200,000 domain names.

2. Web reputation search: We use online Web reputationsearch tools such as McAfee SiteAdvisor [49] and WOT(Web of Trust) [50] that provide the reputation of a sub-mitted website domain including the detailed catego-ries to which it belongs.

3. IP address resolution: Resolved IP information is used tocheck whether the resolved IP address is abnormal orinaccessible.

4. Domain information investigation: We look up thedomain using Google and a domain crawler [51] todetermine whether it is a domain for a name server,mail server, or web server and to find that resolved IPaddresses of the domain is listed on RBLs such as Spam-haus SBL.

We categorize the detected result into known botnets,unknown botnets and false positives. The known botnetsare revealed in steps 1 and 2. If a domain is listed in theblacklist or reported as a malicious domain by the Web rep-utation tools, the domain is classified as a known botnet do-main. We verify unknown botnets from steps 3 to 4. If adomain is determined as suspicious at these steps, we re-gard the domain as an unknown suspicious domain. For

Table 3Single domain analysis result.

Trace #1 Trace #2 Trace #3

DNS queries 4.6 M 453.6 M 15 MNo. of distinct domains 7,850 984,000 151,326Detected domains 43 512 486Unknown suspicious 12 250 191Known botnets 10 135 170False positives 21 127 125False negatives 54 1805 897

Detection rate (%) 28.9 17.6 28.7False positive rate (%) 0.27 0.01 0.08False negative rate (%) 71.1 82.4 71.3

Table 4Detected botnet domains and false positives.

Result type Domain name Groupsize

Averagesimilarity

Suspiciousdomains

bosam.gnway.net 13 0.99shiyansend.zyns.com 33 0.98shiyansend.solaris.nu 33 0.97

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 27

example, if a domain has a resolved IP address listed on RBL,the domain is classified into the unknown suspicious.Remainders are considered as false positives. Knowing acomplete set of hidden botnets can be hardly done sincewe evaluate them with the real-life traces.2 Therefore, theexact number of false negatives is difficult to acquire. Inthe evaluation of our study, the false negatives are approxi-mately estimated by comparing the detection result to ourblacklist. When a domain is listed in the blacklist but not de-tected by BotGAD, it is counted as a false negative. The detec-tion rate and false negatives in our evaluation are likely to bealtered depending on the blacklist. However, they can showthe improvements of relevant metrics.

We use three metrics in the evaluation: (1) detectionrate: the proportion of true detected botnet domains byBotGAD over a union of true detected botnet domains byBotGAD and by the blacklist. (2) false positive rate: thenumber of false positive domains divided by the totalnumber of distinct normal domains. (3) false negative rate:the number of false negative domains divided by the totalnumber of true botnet domains.

shiyansend.servebbs.org 29 0.87

Knownbotnetdomains

tzhen.3322.org 14 0.92proxima.ircgalaxy.pl 33 0.87proxim.ntkrnlpa.info 4 0.85roon.shannen.cc 11 0.83time.nist.gov⁄ 50 0.91

Falsepositives

updates.installshield.com 22 0.94us.update2.toolbar.yahoo.com 33 0.93asp.ircdevilz.net⁄⁄ 1 0

4.2. Evaluation results

4.2.1. Single domain analysis resultThis section describes the evaluation results of the sin-

gle domain analysis. We observe 142,045, 16,420,531 and1,301,919 unique queried domains in the trace #1, #2,and #3, respectively. More than 80% of the domains arequeried by only a single host. In the single domain analysis,BotGAD measures the similarity of a domain that is que-ried by more than three hosts (three unique IPs). BotGADanalyzes 7,850, 984,000 and 151,326 distinct domains asshown in Table 3.

We measure the similarity coefficients (with a 10 mintime window parameter). 72% of domains had similaritiesestimated to 0.

We obtain 28.9%, 17.6% and 28.7% of detection rateusing the trace #1, #2 and #3, respectively. The detectionrates are very low and the false negative rates are very highbecause many correlated botnet domains (e.g., Confickerdomains) are not detected in the single domain analysis.Moreover, BotGAD cannot detect a single infected clientin the single domain analysis, e.g., asp.ircdevilz.net⁄⁄. Theresult shows the necessity of the cluster analysis.

Examples of detected botnet domains and false posi-tives are listed in Table 4 (trace #1). Most false positivesare related to update domains such as antivirus softwareupdates, installshield updates and toolbar updates. The up-date related domain groups occur frequently and periodi-cally, similar to botnets. BotGAD reports time.nist.gov⁄ asa botnet domain. We find that 20 of the 89 hosts whoquery the domain generate excessive queries, estimatedat 4.2 queries/s. Obviously, they are abnormal becauseNIST does not allow queries being sent more frequentlythan once every four seconds. The hosts had been infectedby the Storm botnet, known as the largest P2P botnet.

2 Thus, network anomaly detection approaches commonly use syntheticnetwork traffic data for evaluation, e.g., MIT/DARPA data sets.

Storm synchronizes the system time of the infected ma-chine with the help of the Network Time Protocol (NTP)using time server domains (time.nist.gov and time.win-dows.com) [52]. The result implies BotGAD can capturenot only IRC and HTTP botnets but also P2P botnet (Storm)synchronization activities.

4.2.2. Cluster analysis resultThis section shows the evaluation result of the cluster

analysis. Several machine learning based clustering [26–28] approaches are proposed to detect botnets. However,the clustering approaches differ from our clustering method.We devise DNS based features using domain lexicons, DNSquery and answer information, whereas other approachesuse network traffic based features such as pps (packets persecond) and bps (bytes per second). Generally, those net-work traffic features are easy to manipulate for evasion.

By analyzing each trace (#1, #2 and #3), BotGAD classi-fies 144, 320, 208 clusters, respectively. Table 5 lists theclustering result for each trace. As expected, most detectedbotnet clusters are: (1) algorithmically generated domainsby botnets (Conficker’s domain, e.g., yrxhwjlzg.org, yle-haairwse.biz, ykywftwssjc.com), (2) randomly used multi-ple C&C domains or binary download domains (e.g.,⁄.jiangmin.com, ⁄.duba.net, ⁄.http://www.duba.net), and(3) domains for sending spam mails (mail server domains,e.g., mail.global.frontbridge.com, mail.global.sprint.com,mail.global.mas.att.com). The result shows the cluster

Table 5Cluster analysis result.

Trace #1 Trace #2 Trace #3

Clusters 144 320 208Detected clusters 12 42 7Botnet clusters 9 27 5False positive clusters 3 15 2

Table 6The precision gain for each feature (%).

Type Feature Precision+

DNS lexicologyfeature

Number of domain tokens 4.2Average length of domain tokens 4.7Longest length of domain token 3.5Blacklisted SLD presence 6.3

DNS queryfeature

Number of queries sent 8.8Number of distinct sender IPs 9.2Number of distinct sender ASNs 6.7Query type (A, NS, CNAME, MX,PTR)

4.5

Estimated similarity of a domain 9.6

DNS answerfeature

Number of distinct resolved IPs 6.7Number of distinct ASNs ofresolved IPs

3.3

Number of distinct countries ofresolved IPs

2.7

TTL value in a DNS answer packet 3.9

Table 7Result summary using both single domain analysis and cluster analysis (%).

Trace #1 Trace #2 Trace #3

Detection rate 97.2 95.4 96.1False positive rate 0.31 0.11 0.05False negative rate 2.8 4.6 3.9

0.2

0.3

0.4

0.5

0.6

Fals

e po

sitiv

e ra

te (

%)

ηr = 0.1ηr = 0.2ηr = 0.3ηr = 0.4ηr = 0.5

28 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

analysis enables BotGAD to detect all three types of corre-lated botnet domains.

Most false positive clusters are related to consequentlygenerated domains when accessing a website. Differentdomains are queried all together to get each content ofthe Web page. In particular, a website served by ContentDelivery Network (CDN) often uses an array of domainsand the domains have temporal properties of a botnetgroup activity. Therefore, the domains of the website arelikely to be detected as a botnet domain cluster. These falsepositives can be decreased by whitelisting popular do-mains3 that are usually served by CDNs.

Feature analysis. We evaluate each individual feature toknow the effectiveness of each feature. We use the preci-sion metric4 to measure clustering accuracies. First, we per-form clustering with all features. About 97% precision isobtained (averaged precisions using the three traces). Wethen exclude a feature one-by-one and measure a precisionimprovement (leave-one-out approach). Table 6 shows theresults.

The number of queries sent, the number of distinct sen-der IPs, and the estimated similarity of a domain are thetop three features that contribute the most to the cluster-ing precision. We find out that the three features have dif-ferent distributions for each type of cluster (i.e., normalclusters, generated botnet domain clusters, multiple C&Cdomain clusters, and spam domain clusters). The DNS lex-icology features have different distributions for the gener-ated botnet domain clusters and the multiple C&C domainclusters, but not for the spam domain clusters. The DNS an-swer features are effective to cluster the multiple C&C do-main clusters. However, the features were not effective indistinguishing the other types of clusters because most ofgenerated botnet domains do not have answer records (afew of them had the answer records) and spam domainsdo not have similar answer record patterns. If we considerthe reliability of the features, DNS query features are themost effective features, since they are more difficult tomanipulate than the other two types of feature. Therefore,the top three features, i.e., the number of queries sent, thenumber of distinct sender IPs, and the estimated similarityof a domain, are the most effective features that contributeto both precision and reliability.

Performance improvement. Table 7 lists the detection re-sults using both the single domain analysis and the clusteranalysis. The result shows the improvements of the clusteranalysis that was not applied in our previous mechanism.[1,2]. The cluster analysis significantly increases the detec-

3 Whitelist domains are taken from the Alexa top 500 site list.4 Precision = number of true positive classifications/number of positive

classifications.

tion rates and the false negative rates, e.g., 71% improve-ment of the detection rates on average.

4.2.3. Error correction resultThis section shows evaluation results of the error cor-

rection method. As mentioned in Section 3.2.1, we deter-mine the thresholds gc, gr and gp to minimize falsepositive/negative rates.

Figs. 3 and 4 show false positive and negative ratesusing trace #1. In the experiment, we set the time windoww = 10 min. When both row filtering threshold (gr) and col-umn filtering threshold (gc) are increased, both filteringoperations coarsely eliminate errors. Therefore, high filter-ing thresholds result in low false positive rates but highfalse negative rates as shown in the figures. Conversely,low filtering thresholds result in low false negative rates

0.10.1 0.2 0.3 0.4 0.5

Column filter threshold (ηc)

Fig. 3. False positive rate of trace #1.

0.1

0.2

0.3

0.4

0.5

0.6

0.1 0.2 0.3 0.4 0.5

Fals

e ne

gativ

e ra

te (

%)

Column filter threshold (ηc)

ηr = 0.1ηr = 0.2ηr = 0.3ηr = 0.4ηr = 0.5

Fig. 4. False negative rate of trace #1.

0 0.1

0.2 0.3

0.4 0.5

0.6 0.7

0.8 0.9

1

0

10

20

30

40

E[N|H1]α=0.001, β=0.01α=0.01, β=0.01

θ0

θ1

E[N|H1]

Fig. 5. Average number of observation rounds (E[NjH1]).

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 29

but high false positive rates because the filtering opera-tions aggressively delete not only erroneous rows/columnsof a botnet domain matrix but also scarce rows/columns ofa normal domain matrix. When monitoring networks gen-erate a small amount of traffic (DNS queries), aggressivefiltering can affect the detection accuracy critically. Thus,high thresholds should be designated for small networks.

When the filtering thresholds are gr = 0.3 and gc = 0.2 ,we have the best results with an optimal trade-off betweenfalse positives and negatives on trace #1. Similarly, whengr = 0.2 and gc = 0.1, best results are obtained on trace #2and trace #3. We set periodicity threshold gp = 0.3 sinceit produced the best results for all cases. It is possible to de-crease 12% of false positives and 28% of false negatives onaverage. In this analysis, we do not count the number ofdetected correlated botnet domains that are only detect-able by cluster analysis as false negatives to know the ex-act improvement in the error correction method.

4.2.4. Hypothesis testBotGAD uses SPRT to determine botnet domains/clus-

ters so that the average number of observation rounds(E[NjH1],E[NjH0]) to reach the decision are represented asthe two following equations [7]:

E½NjH1� ¼b ln b

1�aþ ð1� bÞ ln 1�ba

h1 ln h1h0þ ð1� h1Þ ln 1�h1

1�h0

;

E½NjH0� ¼ð1� aÞ ln b

1�aþ a ln 1�ba

h0 ln h1h0þ ð1� h0Þ ln 1�h1

1�h0

;

where a and b are user-chosen false positive and false neg-ative probabilities, respectively.

Fig. 5 shows the value of E[NjH1] as a function of h0 andh1 with fixed a = 0.01, b = 0.01 and a = 0.001, b = 0.01. Onlysmall observations are needed to reach the decision forSPRT as shown in the figure. For instance, if the user-de-fined false positive and negative rates are 0.01 andh0 = 0.2, h1 = 0.8, then BotGAD needs six observations tomake the decision. BotGAD needs a smaller number ofE[NjH1] if we apply smaller h0, a, b, and larger h1. The rela-tionship between false alarm rates (a,b) and observationrounds (E[NjH1]) illustrates the trade-offs between effec-tiveness and efficiency of the detection algorithm.

4.3. BotGAD analysis

4.3.1. Deployment and performance analysisBotGAD can be used to detect botnet domains at any

network location that sees a collective DNS query sent byusers. If a monitoring network is large, more infected hostscan be found. Therefore, it is recommended to setup Bot-GAD to monitor large scale network or to deploy sensorsin distributed networks. There are good options for receiv-ing DNS data, e.g., from anti-virus softwares, browser tool-bar, or such types of products.

We now present system performance to justify the real-time nature of BotGAD. This is a very important aspect fortwo reasons. First, adversaries continuously change theirdomains and IP addresses of the domains. Therefore, real-time blocking of such domains is needed to alleviate themeffectively. Second, it is important to identify suspiciousbotnet domains that need a real-time inspection to ensurethe result. We run BotGAD on a machine that has a 3.0 GHzdual core CPU with a 4 GB RAM. Coarsely speaking, BotGADcan run as a real-time system since it took about 20, 318and 58 min to process the day traces #1, #2 and #3,respectively. For an hour DNS trace analysis, it even tookless than 1, 5 and 2 min.

4.3.2. Parameter analysisThis section describes an analysis of a similarity mea-

sure along with relevant parameters. Through the parame-ter analysis, we can estimate appropriate values ofparameters to measure accurate similarities. We dividethe parameters into two types: the botnet related parame-ters and the BotGAD related parameters as shown in Table8. If Dn = 0, it is clear that we can detect a botnet domaingroup. Suppose the worst case that a botnet forms a groupappeared randomly. We derive a similarity equation usingPoisson distribution.

S ¼ nnþ jDntj 1� 1

ecðt�xÞ

� �; x ¼

w; w P TL;

TL; w < TL:

The derived equation consists of four parts: TTL in DNS re-source record TL, group size parameter n and Dnt, parame-ters from the detection mechanism t and w, and DNSquerying ratio c.

Table 8Parameters related with BotGAD.

Parameter description Variable

Botnetparameters

TTL in DNS resource record TL

DNS querying ratio cGroup size and change in the groupsize

n,Dn

BotGADparameters

Monitoring time tTime window w

0.1 1

10 100 0.001

0.01 0.1

1 0

0.20.40.60.8 1

Time Windows SizeDNS Quering Ratio of Group

Similairty

Fig. 6. Relationship among similarity S, time window w, and DNSquerying ratio c.

30 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

� TTL in DNS resource record TL: Most operating systems,including Windows, have a DNS resolver cache. Forexample, when the Windows resolver receives a posi-tive or negative response to a query, it adds that posi-tive or negative response to its cache, and as a result,creates a DNS resource record. If a DNS resource recordis in the cache, the resolver uses the record from thecache instead of querying. After a period specified inTTL in the DNS resource record, the resolver discardsthe record from the cache. The cache can decrease bot-net DNS queries as well as normal queries. Botnets com-monly use DDNS [53]. Therefore, it is possible toroughly estimate the value of TTL applied in botnetdomains.� DNS querying ratio c: We set w to 10 min (<1 h) in our

experiment, so we can assume Dn = 0. TL < w. Thederived equation can be approximated to

S � 1� 1ecðt�wÞ :

Table 9Evasion tactics used for defeating BotGAD, the tactic’s implementationcomplexity and effects on botnet utility.

Evasion tactic Implementationcomplexity

Effects on botnetutility

1. Threshold attacks High ;Attack rate2. Botnet subgrouping Low ;Botnet size3. Minimize the

synchronicityHigh ;Attack diversity

4. Induce IP churn Unknown None5. Generate fake DNS

queriesLow None

If t = 5w, similarity S will be approximated as shown inFig. 6. The graph implies that c is also one of the mostimportant parameters of BotGAD.� Change in the group size Dn: We can estimate Dn from

the botnet propagation model [32]. In addition, dynam-ics of IP address should be considered. The authors in[54] address that more than half (61.4%) of the IPaddresses were observed as dynamic IP addresses.However, over 95% of IP addresses have inter-user dura-tions longer than an hour. Errors derived from dynamicsof IP addresses can be ignored when we choose the wwithin an hour.� Time window w: To set an appropriate value of a time

window w, relevant parameters, i.e., c,TL and false posi-tive/negative rates should be considered. (1) If c is lar-ger than w, false negatives will be increased becausetoo small w will decrease the estimated similarity. (2)If TL is larger than w, false negatives will be increaseddue to the DNS resolver cache effect. (3) If w is too large,false positives will be increased since many normalgroups are possibly selected as suspicious groups. Con-sequently, the lower bound of w should be larger thanboth c and TL(w P max(c,TL)). The c and TL can be esti-mated, considering existing bot implementations. Theupper bound of w should be determined to have thesmallest number of false positives possible.

4.3.3. Evadability analysisEven though several automated botnet detection mech-

anisms have been proposed, botnets can evade them with ahigh level of attacker power. Our mechanism is to beevaded to a certain degree, as for the existing mechanisms.However, it is an improvement if we can raise a bar of eva-sion difficulty by either increasing the evasion cost ordecreasing the effectiveness of botnets. We refer to Stin-son’s [30] systematic evaluation which demonstrates anevasion tactic in respect of two associated costs: imple-mentation complexity and effect on botnet utility. An eva-sion tactic’s implementation complexity is based on theease with which bot writers can incrementally modify cur-rent bots to evade detection. If it takes a high implementa-tion cost, the evasion tactic is less useful. Affecting onbotnet utility is also important to the adversaries, becausean evasion tactic is less effective if the tactic restricts thebotnet utility. Stinson et al. list the botnet utility includingdiversity of attacks, lead time required to launch an attack,botnet size, attack rate, and synchronization level. We ad-dress likely evasion techniques of BotGAD and evaluate theevadability as shown in Table 9.

1. Evasion by threshold attacks: BotGAD relies on timerelated variables such as the time window parameter.Therefore, a botmaster can control the frequency of bot-net behaviors to decrease similarities. We add the errorcorrection and hypothesis test method to BotGAD to bemore robust against such threshold attacks. Moreover,the implementation complexity is high and applying

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 31

this tactic reduces attack rates of the botnet. Therefore,the threshold attack is less effective than the other tac-tics to evade BotGAD.

2. Evasion by the botnet subgrouping: A botmaster canapply multi-purpose time sharing botnets where a sub-set of bots is used for a single purpose (e.g., DDoS) andothers for another purpose (e.g., spamming). If elements(bots) of each subset are not changed, BotGAD candetect each subset independently. Even if a botmasterrandomly changes subsets, BotGAD can detect the sub-sets with cluster analysis. Therefore, the subgroupingtactic is also less useful for attackers.

3. Evasion by minimizing the synchronicity: Bots can delaycommunication time and do not perform any synchro-nized attacks to evade BotGAD. For example, manynew botnets have adopted a P2P architecture, wherebots are coordinated in a distributed fashion. BotGADcannot capture the P2P bots if bots have a long timedelay for communications and attacks. However, botnetutilities including botnet’s synchronization level anddiversity of attacks will decrease significantly in sucha case.

4. Evasion by inducing IP churn: BotGAD uses an IP addressas an identifier of a host. Therefore, if bots can changetheir IP address on demand, BotGAD will be defeated.The implementation complexity of this technique isunknown.

5. Evasion by generating Fake DNS queries: If bots inten-tionally generate fake DNS queries using a source spoof-ing method, the queries can poison our previousmechanism.

If botnets avoid using DNS, BotGAD cannot detect thebotnets. Some botnets have been observed to use hard-coded IP addresses for C&C even though the IP based C&Cis easy to take down.5 Group activities of the IP based C&Ccannot be detected by BotGAD, but other group activities(e.g., infection, binary download and spamming) are detect-able if the activities utilize DNS. To be sure, botnets cannever use DNS during every part of its lifecycle. In such acase, however, the botnet utility will be restricted.

4.3.4. Comparison to other mechanismsThis section lists advantages and disadvantages of the

BotGAD based on key features including: (1) ability to de-tect unknown bots, (2) capability of botnet detectionregardless of botnet protocol and structure, (3) robustagainst evasions including channel encryption, packing,traffic manipulation and random domain generation, (4)capability of real-time detection and ability to monitorlarge scale networks, and (5) capability of early detection.These features are used in the study by Feily et al. [55].

� Unknown botnet detection. BotGAD can detect unknownbotnets, whereas some other works, such as signature-based techniques, are unable to detect them.

5 DNS based C&C is harder to take down since they can circumventbotnet defense systems by changing resolved IP addresses continuously.

� Protocol & structure independent. BotGAD can detect bot-nets regardless of botnet protocol if the botnets use DNStraffic. However, botnets that do not use DNS are unde-tectable by BotGAD. Moreover, BotGAD cannot detectC&C of P2P botnets since it is not a group activityaccording to our definition. Only malicious attacks byP2P botnets are able to be captured by BotGAD. Theselimits are the disadvantages of BotGAD compared toother approaches [26–28] that provide protocol & struc-ture independent botnet detection.� Robust against evasions. BotGAD is robust to channel

encryption, packing, traffic manipulation (by adding anoise in communications) and random domain genera-tion for C&C. However, many approaches introduced inSection 2 are weak to such evasions. Therefore, therobustness to evasions is one of the most importantbenefits of this study.� Real-time detection and scalability. BotGAD is designed

as a light-weight system to provide real-time detectionand large coverage of monitoring networks. However,there are many approaches that cannot detect botnetsin real-time or are only deployable to small networks.We regard the abilities of real-time detection and largecoverage as major benefits of this study.� Early detection. BotGAD can detect botnets in their early

stages, since BotGAD can capture botnet DNS queriesthat are often sent when bots find C&C servers priorto performing attacks. The early detection is helpfulfor network operators to clean up compromised com-puters inside their networks, alleviating further infec-tions and losses from attacks. However, many othermechanisms (e.g., spam bot detection approaches) donot provide early detection.

In summary, BotGAD has advantages in four aspects: (1)ability to detect unknown botnet detection, (2) robustnessto evasions, (3) ability to monitor large scale networks inreal-time and (4) ability to detect botnets at their earlystage. Our mechanism can effectively and efficiently detectunknown botnets in large scale networks due to theseadvantages.

5. Conclusion

Botnets are the major threats to network security andmajor contributors to unwanted network traffic. Thus, itis necessary to provide appropriate countermeasures tobotnets. We propose BotGAD to reveal both unknown do-main names of C&C servers and IP addresses of hidden in-fected hosts. We define an inherent property of botnets,termed group activity. Using this property, we propose alight-weight mechanism to detect botnets. Our mechanismneeds a small amount of data from DNS traffic, not all thetraffic content or known signatures. BotGAD can detectbotnets from a large-scale network in real-time eventhough the botnet performs encrypted communications.Moreover, BotGAD can detect not only individual botnetsbut also correlated evasive botnets, using unsupervisedmachine learning. Our method provides over 95% detectionrates while generating less than 0.4% false positive ratesand 5% false negative rates based on experiments with

32 H. Choi, H. Lee / Computer Networks 56 (2012) 20–33

real-life campus and ISP DNS traces. It takes only a fewminutes to analyze an hour-long DNS trace of a large ISPnetwork. The evaluation results prove that BotGAD canautomatically detect botnets in large scale networks.

Acknowledgments

This research was supported by the MKE, Korea, underthe ITRC support program supervised by the NIPA (NIPA-2011-C1090-1131-0005) and the Seoul R&BD Program(WR080951). The preliminary version of this paper waspresented in IEEE CIT [1] and COMSWARE [2].

References

[1] H. Choi, H. Lee, H. Lee, H. Kim, Botnet Detection by monitoringgroup activities in dns traffic, in: Proceedings of the IEEEInternational Conference on Computer and InformationTechnology (CIT), 2007.

[2] H. Choi, H. Lee, H. Kim, BotGAD: detecting botnets by capturinggroup activities in network traffic, in: Proceedings of InternationalConference on COMmunication System softWAre and MiddlewaRE(COMSWARE), 2009.

[3] S. Shevchenko, Kraken changes tactics. <http://www.blog.threatexpert.com/2008/04/kraken-changes-tactics.html>,2009.

[4] J. Wolf, Technical details of Srizbi’s domain generation algorithm.<http://www.blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html>, 2008.

[5] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R.Kemmerer, C. Kruegel, G. Vigna, Your Botnet is My Botnet: Analysisof a Botnet Takeover, 2009.

[6] P. Porras, H. Saidi, V. Yegneswaran, A foray into Conficker’s logic andrendezvous points, in: Proceedings of the USENIX Workshop onLarge-Scale Exploits and Emergent Threats (LEET), 2009.

[7] A. Wald, Sequential tests of statistical hypotheses, The Annals ofMathematical Statistics (1945) 117–186.

[8] A. Ramachandran, N. Feamster, D. Dagon, Revealing botnetmembership using DNSBL counter-intelligence, in: Proceedings ofthe Workshop on Steps to Reducing Unwanted Traffic on the Internet(SRUTI), 2006.

[9] R.V.-Salomon, J.C. Brustoloni, Bayesian bot detection based on DNStraffic similarity, in: Proceedings of the ACM Symposium on AppliedComputing (SAC), 2009.

[10] K. Sato, K. Ishibashi, T. Toyono, N. Miyake, Extending black domainname list by using co-occurrence relation between dns queries, in:Proceedings of the workshop on Large-scale Exploits and EmergentThreats (LEET), 2010.

[11] J. Brustoloni, N. Farnan, R. Villamarin-Salomon, D. Kyle, Efficientdetection of bots in subscribers’ computers, in: Proceedings of IEEEInternational Conference Communications (ICC), 2009.

[12] G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, BotHunter:detecting malware infection through ids-driven dialog correlation,in: Proceedings of the USENIX Security Symposium (Security),2007.

[13] A. Karasaridis, B. Rexroad, D. Hoeflin, Wide-scale botnet detectionand characterization, in: Proceedings of the Workshop on Hot Topicsin Understanding Botnets (HotBots), 2007.

[14] W. Lu, M. Tavallaee, G. Rammidi, A.A. Ghorbani, BotCop: an onlinebotnets traffic classifier, in: Proceedings of the Conference onCommunication Networks and Services Research (CNSR), 2009.

[15] X. Hu, M. Knyz, K.G. Shin, RB-Seeker: auto-detection of redirectionbotnets, in: Proceedings of the Annual Network and DistributedSystem Security Symposium (NDSS), 2009.

[16] H.R. Zeidanloo, A.B.A. Manaf, Botnet Detection by Monitoring SimilarCommunication Patterns, International Journal of Computer Scienceand Information Security (IJCSIS) (2010).

[17] A.M. Manasrah, A. Hasan, O.A. Abouabdalla, S. Ramadass, DetectingBotnet Activities Based on Abnormal DNS traffic, InternationalJournal of Computer Science and Information Security (IJCSIS)(2009).

[18] M. Reiter, T. Yen, Traffic aggregation for malware detection, in:Proceedings of the Conference on Detection of Intrusions andMalware and Vulnerability Assessment (DIMVA), 2008.

[19] G. Gu, J. Zhang, W. Lee, BotSniffer: detecting botnet command andcontrol channels in network traffic, in: Proceedings of the AnnualNetwork and Distributed System Security Symposium (NDSS), 2008.

[20] X. Yu, X. Dong, G. Yu, Y. Qin, D. Yue, Y. Zhao, Online botnet detectionby continuous similarity monitoring, in: Proceedings ofInternational Symposium Information Engineering and ElectronicCommerce IEEC’09, 2009.

[21] H. Husna, S. Phithakkitnukoon, S. Palla, R. Dantu, Behavior analysis ofspam botnets, in: Proceedings of the International Conference onCOMmunication System softWAre and MiddlewaRE (COMSWARE),2008.

[22] L. Zhuang, J. Dunagan, D.R. Simon, H.J. Wang, I. Osipkov, G. Hulten,J.D. Tygar, Characterizing botnets from email spam records, in:Proceedings of the workshop on Large-scale Exploits and EmergentThreats (LEET), 2008.

[23] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, J. Barker,Detecting spam zombies by monitoring outgoing messages, in:Proceedings of the Annual IEEE Conference on ComputerCommunications (INFOCOM), 2009.

[24] Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen, E. Gillum, Botgraph: Largescale spamming botnet detection, in: Proceedings of the USENIXSymposium on Networked Systems Design and Implementation(NSDI), 2009.

[25] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, N. Feamster, Building adynamic reputation system for DNS, in: Proceedings of the USENIXSecurity Symposium (Security), 2010.

[26] G. Gu, R. Perdisci, J. Zhang, W. Lee, BotMiner: clustering analysis ofnetwork traffic for protocol- and structure-independent botnetdetection, in: Proceedings of the USENIX Security Symposium(Security), 2008.

[27] X. Yu, X. Dong, G. Yu, Y. Qin, D. Yue, Data-adaptive clusteringanalysis for online botnet detection, in: Proceedings ThirdInternational Computational Science and Optimization (CSO) JointConference, 2010.

[28] W. Lu, G. Rammidi, A.A. Ghorbani, Clustering botnet communicationtraffic based on n-gram feature selection, ComputerCommunications (2010).

[29] S. Hao, N. Syed, N. Feamster, A.G. Gray, S. Krasser, Detectingspammers with snare: spatio-temporal network-level automaticreputation engine, in: Proceedings of the USENIX SecuritySymposium (Security), 2009.

[30] E. Stinson, J.C. Mitchell, Towards systematic evaluation of theevadability of bot/botnet detection methods, in: Proceedings of theUSENIX Workshop on Offensive Technologies (WOOT), 2008.

[31] J. Grizzard, V.Sharma, C. Nunnery, B. Kang, D. Dagon, Peer-to-peerbotnets: overview and case study, in: Proceedings of the Workshopon Hot Topics in Understanding Botnets (HotBots), 2007.

[32] D. Dagon, G. Gu, C. Lee, W. Lee, A taxonomy of botnet structures, in:Proceedings of the Annual Computer Security ApplicationsConference (ACSAC), 2007.

[33] L. Liu, S. Chen, G. Yan, Z. Zhang, BotTracer: execution-based bot-likemalware detection, in: Proceedings of the Information SecurityConference (ISC), 2008.

[34] P. Vixie, S. Thomson, Y. Rekhter, J. Bound, Dynamic updates in thedomain name system (DNS update). <http://www.faqs.org/rfcs/rfc2136.html/>, 1997.

[35] J. John, A. Moshchuk, S. Gribble, A. Krishnamurthy, Studyingspamming botnets using botlab, in: Proceedings of the UsenixSymposium on Networked Systems Design and Implementation(NSDI), 2009.

[36] K. Chiang, L. Lloyd, A case study of the rustock rootkit and spam bot,in: Proceedings of the Workshop on Hot Topics in UnderstandingBotnets (HotBots), 2007.

[37] W. Yih, C. Meek., Learning vector representations for similaritymeasures, Technical Report MSR-TR-2010-139, Microsoft Research.

[38] S. Gündüz, M.T. Özsu, A Poisson model for user accesses to webpages, in: ISCIS: Computer and Information Sciences, 2003.

[39] G. Marsaglia, L.-H. Tsay, Matrices and the structure of random numbersequences, Linear Algebra and its Applications 67 (1985) 147–156.

[40] D. Dagon, C. Zou, W. Lee, Modeling botnet propagation using timezones, in: Proceedings of the Annual Network and DistributedSystem Security Symposium (NDSS), 2006.

[41] D. Pelleg, A.W. Moore, X-means: extending k-means with efficientestimation of the number of clusters, in: Proceedings of theInternational Conference on Machine Learning (ICML), 2000.

[42] J. Ma, L.K. Saul, S. Savage, G.M. Voelker, Beyond blacklists: learningto detect malicious web sites from suspicious URLs, in: KDD:Proceedings of the international conference on KnowledgeDiscovery and Data mining, 2009.

H. Choi, H. Lee / Computer Networks 56 (2012) 20–33 33

[43] D.K. McGrath, M. Gupta, Behind Phishing: An Examination of PhisherModi Operandi, in: LEET: Proceedings of the USENIX Workshop onLarge-Scale Exploits and Emergent Threats, 2008.

[44] GeoIP API, MaxMind, LLC, Open source APIs and database forgeological information. <http://www.maxmind.com/app/api>, 2002.

[45] T. Holz, C. Gorecki, K. Rieck, F.C. Freiling, Detection and mitigation offast-flux service networks, in: Proceedings of the Annual Networkand Distributed System Security Symposium (NDSS), 2008.

[46] Korea Information Security Agency (KISA), Botnet C&C serverdomain list, 2009.

[47] DNS-BH, Malware Prevention through Domain Blocking (Black HoleDNS Sinkhole). <http://www.malwaredomains.com/>, 2007.

[48] Cyber-TA, SRI Honeynet and BotHunter Malware Analysis AutomaticSummary Analysis Table. <http://www.cyber-ta.org/releases/malware-analysis/public/>, 2005.

[49] McAfee SiteAdvisor, Service for reporting the safety of web sites.<http://www.siteadvisor.com/>, 2006.

[50] WOT, Web of Trust Community-based safe surfing tool. <http://www.mywot.com/>, 2006.

[51] Domaincrawler, Domain Information Services. <http://www.domaincrawler.com/>, 2006.

[52] T. Holz, M. Steiner, F. Dahl, E. Biersacky, F. Freiling, Measurementsand mitigation of peer-to-peer-based botnets: a case study on stormworm, in: Proceedings of the Workshop on Large-scale Exploits andEmergent Threats (LEET), 2008.

[53] S. Herona, Working the botnet: how dynamic DNS is revitalising thezombie army, Network Security 2007 (2007) 9–11.

[54] Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt, T. Wobber, Howdynamic are ip addresses?, in: Proceedings of the ACM SIGCOMMConference on Data communication (SIGCOMM), 2007.

[55] M. Feily, A. Shahrestani, S. Ramadass, A survey of botnet and botnetdetection, in: Proceedings of the Conference on Emerging SecurityInformation, Systems, and Technologies, 2009.

Hyunsang Choi received the B.S. and M.S.degree in computer science and engineeringfrom Korea University in Seoul, Korea, in 2007and 2009, respectively. He is currently work-ing toward doctorate degree in computer andcommunication security at Korea Universityin Seoul, Korea. He was an intern at MicrosoftResarche Asia (Beijing, China) from 2009 to2010.

Heejo Lee is an associate professor at theDivision of Computer and CommunicationEngineering, Korea University, Seoul, Korea.Before joining Korea University, he was atAhnLab, Inc. as a CTO from 2001 to 2003.From 2000 to 2001, he was a postdoc at theDepartment of Computer Sciences and thesecurity center CERIAS, Purdue University. Dr.Lee received his BS, MS, PhD degree in Com-puter Science andEngineering from POSTECH,Pohang, Korea. Dr. Lee serves as an editor ofJournal of Communications and Networks. He

has been an advisory member of Korea Information SecurityAgency andKorea Supreme Prosecutor’s Office.