
Mining Botnets and Their Evolution Patterns

Regular Paper, Journal of Computer Science and Technology

Abstract

A botnet is a network of compromised computers that have fallen under the control of attackers after being infected with malicious programs such as trojans. The compromised machines are mobilized to perform various attacks, including mass spamming, distributed denial of service (DDoS), and the distribution of additional trojans. Botnets are currently one of the most serious threats to the Internet infrastructure. We introduce a method to uncover compromised machines and characterize their behavior using large email logs. We report various spam campaign variants with different characteristics and introduce a statistical method to combine them. We also report the long-term evolution patterns of the spam campaigns.



Author information


Corresponding author

Correspondence to Jaewoo Kang.

Additional information

This work was supported by the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (MEST) of Korea under Grant No. 2012R1A2A2A01014729.

The preliminary version of the paper was published in the Proceedings of EDB2012.


About this article

Cite this article

Choi, J., Kang, J., Lee, J. et al. Mining Botnets and Their Evolution Patterns. J. Comput. Sci. Technol. 28, 605–615 (2013). https://doi.org/10.1007/s11390-013-1361-1
