Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Botnets have evolved to become one of the most serious threats to the Internet and there is substantial research on both botnets and botnet detection techniques. This survey reviewed the history of botnets and botnet detection techniques. The survey showed traditional botnet detection techniques rely on passive techniques, primarily honeypots, and that honeypots are not effective at detecting peer-to-peer and other decentralized botnets. Furthermore, the detection techniques aimed at decentralized and peer-to-peer botnets focus on detecting communications between the infected bots. Recent research has shown hierarchical clustering of flow data and machine learning are effective techniques for detecting botnet peer-to-peer traffic.


Alhomoud, A., Awan, I., Disso, J., & Younas, M. (2013). A next-generation approach to combating botnets. Computer, 46(4), 62-66. Retrieved from http://doi.ieeecomputersociety.org/10.1109/MC.2013.67

Brezo, F., Santos, I., Bringas, P., & Val, J. (2011, Aug). Challenges and limitations in current botnet detection. Proceedings of the 22nd International Workshop on Database and Expert Systems Applications, Toulouse, France, 95-101. Retrieved from http://dx.doi.org/10.1109/DEXA.2011.19

Caglayan, A., Toothaker, M., Drapaeau, D., & Burke, D. (2010, January). Behavioral patterns of fast flux service networks. Proceedings of the 2010 43rd Hawaii International Conference on System Sciences (HICSS), Honolulu, HI, 1-9. doi: 10.1109/HICSS.2010.81

Cao, L, & Qiu, X. (2013, July). Defense against botnets: A formal definition and a general framework. Proceedings of the 2013 IEEE Eighth International Conference on Networking, Architecture, and Storage, Xi’an, Shaanxi, China, 237-241. Retrieved from http://doi.ieeecomputersociety.org/10.1109/NAS.2013.37

Cisco. (2014). Snort (Version [Computer Software]. Retrieved from http://www.snort.org/downloads

Cooke, E., Jahanian, F., & McPherson, D. (2005, July). The zombie roundup: Understanding, detecting, and disrupting botnets. Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop 2005, Cambridge, MA. Retrieved from https://www.usenix.org/legacy/events/sruti05/tech/full_papers/cooke/cooke.pdf

Dean, J., & Ghemawat, S. (2004, December). MapReduce: Simplified data processing on large clusters. Proceedings of the 6th Symposium on Operating System Design and Implementation, San Francisco, CA, 137-150. Retrieved from http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/archive/mapreduce-osdi04.pdf

Dittrich, D. (2012, April). So you want to take over a botnet. Proceedings of the 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET ’12, San Jose, CA. Retrieved from https://www.usenix.org/system/files/conference/leet12/leet12-final23.pdf

Feily, M., Shahrestani, A., & Ramadass, S. (2009, June). A survey of botnet and botnet detection. Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies, Athens, Glyfada, Greece, 268-273. Retrieved from http://doi.ieeecomputersociety.org/10.1109/SECURWARE.2009.48

Francois, J., Wang, S., Bronzi, W., State, R., & Engel, T. (2011, November). BotCloud: Detecting botnets using Mapreduce. Proceedings of the 2011 IEEE International Workshop on Information Forensics and Security, Iguazu Falls, Parana, Brazil, 1-6. Retrieved from http://dx.doi.org/10.1109/WIFS.2011.6123125

Garant, D., & Lu, Wei. (2013). Mining botnet behaviors on the large-sale web application community. Proceedings of the 2013 27th International Conference on Advanced Information Networking and Applications Workshops, Barcelona, Spain, 185-190. Retrieved from http://doi.ieeecomputersociety.org/10.1109/WAINA.2013.235

Gu, G., Perdisci, R., Zhang, J., & Lee, W. (2008, July). BotMiner: Clustering analysis of network traffic for protocol and structure independent botnet detection. Proceedings of the 17th USENEX Security Symposium, San Jose, CA. Retrieved from https://www.usenix.org/legacy/event/sec08/tech/full_papers/gu/gu.pdf

Gu, G., Porras, P., Yegneswaran, V., Fong, M., & Lee, W. (2007, August). BotHunter: Detecting malware infection through IDS-driven dialog correlation. Proceedings of the 16th USENEX Security Symposium, Boston, MA. Retrieved from https://www.usenix.org/legacy/events/sec07/tech/full_papers/gu/gu.pdf

Gu, G., Yegneswaran, V., Porras, P., Stoll, J., & Lee, W. (2009, December). Active botnet probing to identify obscure command and control channels. Proceedings of the 2009 Annual Computer Security Applications Conference, Honolulu, HI, 241-253. doi: 10.1109/ACSAC.2009.30

Gu, G., Zhang, J., & Lee, W. (2008, February). BotSinffer: Detecting botnet command and control channels in network traffic. Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA. Retrieved from http://www.isoc.org/isoc/conferences/ndss/08/papers/17_botsniffer_ detecting_botnet.pdf

Hadoop (2013). The Apache Hadoop project. Retrieved from http://hadoop.apache.org/

Han, F., Chen, Z., Xu, H., & Liang, Y. (2012, June). Garlic: A distributed botnets suppression system. Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops, Macau, China, 634-639. Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICDCSW.2012.30

Hasan, A., Awadi, R., & Belaton, B. (2013). Multi-phase IRC botnet and botnet behavior detection model. International Journal of Computer Applications, 66(15), 41-51. doi: 10.5120/11164-6289

Householder, A., & Danyliw, R. (2003, March). Increased activity targeting windows shares (CERT advisory CA-2003-08). Retrieved from http://www.cert.org/advisories/CA-2003-08.html

Karasaridis, A., Rexford, B., & Hoeflin, D. (2007, April). Wide-scale botnet detection and characterization. Proceedings of the First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA. Retrieved from https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/karasaridis/karasaridis.pdf

Li, W., Xie, S., Luo, J., & Zhu, X. (2013, April). A detection method for botnet based on behavior features. Proceedings of the 2nd International Conference on Systems Engineering and Modeling (ICSEM-13), Beijing, China, 512-517. Retrieved from http://www.atlantis-press.com/php/download_paper.php?id=5594

Rossow, C., & Dietrich, C. (2013, July). PROVEX: Detecting botnets with encrypted command and control channels. Proceedings of the 10th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Berlin, Heidelberg, 21-40. Retrieved from http://dx.doi.org/10.1007/978-3-642-39235-1_2

Spitzner, L. (2003). The honeynet project: Trapping the hackers. IEEE Security & Privacy, 1(2), 15-23. doi: 10.1109/MSECP.2003.1193207

Ventre, D. (2013). Cyber Conflict: Competing National Perspectives. Indianapolis, IN: Wiley.

Wang, T., & Yu, S. (2009). Centralized botnet detection by traffic aggregation. Proceedings of the 2009 IEEE International Symposium on Parallel and Distributed Processing with Applications, Chengdu, China, 86-93. Retrieved from http://dx.doi.org/10.1109/ISPA.2009.74

Zargar, S., Joshi, J., & Tipper, D. (2013). A survey of defense mechanisms against distributed denial of service (distributed denial of service) flooding attacks. IEEE Communications Surveys and Tutorials, PP(99), 1-24. doi: 10.1109/SURV.2013.031413.00127

Zeng, Y. (2012). On detection of current and next-generation botnets (Doctoral dissertation). University of Michigan. Retrieved from http://deepblue.lib.umich.edu/handle/2027.42/91382

Zeng, Y., Hu, X., & Shin, K. (2010, June). Detection of botnets using combined host and network level information. Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems and Networks, Chicago, IL, 291-300. Retrieved from http://doi.ieeecomputersociety.org/10.1109/DSN.2010.5544306

Zhang, J. (2012). Effective and scalable botnet detection in network traffic. (Doctoral Dissertation). Retrieved from ProQuest Dissertations and Theses database. (AAT 1115317916)

Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., & Luo, X. (2011, June). Detecting stealthy P2P botnets using statistical traffic fingerprints. Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks, Hong Kong, China, 121-132. Retrieved from http://doi.ieeecomputersociety.org/10.1109/DSN.2011.5958212

Zhuge, J., Holz, T., Han, X., Guo, J., & Zou, W. (2007, December). Characterizing the IRC-Based Botnet Phenomenon. Peking University and University of Mannheim Technical Report. Retrieved from https://ub-mado



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.