›› 2013, Vol. 28 ›› Issue (4): 605-615.doi: 10.1007/s11390-013-1361-1

Special Issue: Artificial Intelligence and Pattern Recognition; Data Management and Data Mining

• Special Section of EDB2012 • Previous Articles     Next Articles

Mining Botnets and Their Evolution Patterns

Jaehoon Choi1, Jaewoo Kang1,*, Member, ACM, IEEE, Jinseung Lee1, Chihwan Song1, Qingsong Jin1, Sunwon Lee1, and Jinsun Uh2   

  1. 1. Department of Computer Science and Engineering, Korea University, Seoul 136-701, Korea;
    2. Daou Technology Inc., 1002, Daechi-Dong, Gangnam-Gu, Seoul, Korea
  • Received:2012-09-10 Revised:2013-05-03 Online:2013-07-05 Published:2013-07-05
  • Supported by:

    This work was supported by the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (MEST) of Korea under Grant No. 2012R1A2A2A01014729.

The botnet is the network of compromised computers that have fallen under the control of hackers after being infected by malicious programs such as trojan viruses. The compromised machines are mobilized to perform various attacks including mass spamming, distributed denial of service (DDoS) and additional trojans. This is becoming one of the most serious threats to the Internet infrastructure at present. We introduce a method to uncover compromised machines and characterize their behaviors using large email logs. We report various spam campaign variants with different characteristics and introduce a statistical method to combine them. We also report the long-term evolution patterns of the spam campaigns.

[1] Ramachandran A, Feamster N. Understanding the network-level behavior of spammers. ACM SIGCOMM ComputerCommunication Review, 2006, 36(4): 291-302.

[2] Goebel J, Holz T. Rishi: Identify bot contaminated hosts byIRC nickname evaluation. In Proc. the 1st Workshop on HotTopics in Understanding Botnets, Apr. 2007.

[3] Karasaridis A, Rexroad B, Hoeflin D. Wide-scale botnet de-tection and characterization. In Proc. the 1st Workshop onHot Topics in Understanding Botnets, Apr. 2007.

[4] Spitzner L. The honeynet project: Trapping the hackers.IEEE Security and Privacy, 2003, 1(2): 15-23.

[5] Vrable M, Ma J, Chen J et al. Scalability, fidelity, and con-tainment in the Potemkin virtual honeyfarm. ACM SIGOPSOperating Systems Review, 2005, 39(5): 148-162.

[6] Cho C Y, Caballero J, Grier C et al. Insights from the inside:A view of botnet management from infiltration. In Proc. the3rd USENIX Workshop on Large-Scale Exploits and Emer-gent Threats (LEET), Apr. 2010.

[7] Wang P, Sparks S, Zou C C. An advanced hybrid peer-to-peer botnet. IEEE Transactions on Dependable and SecureComputing, 2010, 7(2): 113-127.

[8] Hu X, Knysz M, Shin K G. Rb-seeker: Auto-detection of redi-rection botnets. In Proc. Symp. Network and DistributedSystem Security, Feb. 2009.

[9] Ramachandran A, Feamster N, Vempala S. Filtering spamwith behavioral blacklisting. In Proc. the 14th ACM Confer-ence on Computer and Communications Security, Oct. 2007,pp.342-351.

[10] Duan Z, Chen P, Sanchez F, Dong Y, Stephenson M, BarkerJ. Detecting spam zombies by monitoring outgoing messages.In Proc. INFOCOM, Apr. 2009, pp.1764-1772.

[11] John J P, Moshchuk A, Gribble S D, Krishnamurthy A.Studying spamming botnets using Botlab. In Proc. the 6thUSENIX Symposium on Networked Systems Design and Im-plementation, Apr. 2009, pp.291-306.

[12] Zhao Y, Xie Y, Yu F et al. Botgraph: Large scale spammingbotnet detection. In Proc. the 6th USENIX Symposium onNetworked Systems Design and Implementation, Apr. 2009,pp.321-334.

[13] Li F, Hsieh M H. An empirical study of clustering behaviorof spammers and group-based anti-spam strategies. In Proc.the 3rd Conference on Email and Anti-Spam, Jul. 2006.

[14] Zhuang L, Dunagan J, Simon D R et al. Characterizing bot-nets from email spam records. In Proc. the 1st USENIXWorkshop on Large-Scale Exploits and Emergent Threats,Apr. 2008, Article No.2.

[15] Xie Y, Yu F, Achan K et al. Spamming botnets: Signaturesand characteristics. ACM SIGCOMM Computer Communi-cation Review, 2008, 38(4): 171-182.

[16] Gu G, Perdisci R, Zhang J, Lee W. BotMiner: Cluster-ing analysis of network traffic for protocol-and structure-independent botnet detection. In Proc. the 17th Conferenceon Security Symposium, Jul. 2008, pp.139-154.

[17] Gu G, Porras P, Yegneswaran V, Fong M, Lee W. Bothunter:Detecting malware infection through IDS-driven dialog corre-lation. In Proc. the 16th USENIX Security Symposium onUSENIX Security Symposium, May 2007, Article No.12.

[18] Gu G, Zhang J, Lee W. BotSniffer: Detecting botnet com-mand and control channels in network traffic. In Proc. the15th Annual Network and Distributed System Security Sym-posium, Feb. 2008.

[19] Kanich C, Levchenko K, Enright B et al. The Heisenbot un-certainty problem: Challenges in separating bots from chaff.In Proc. the 1st USENIX Workshop on Large-Scale Exploitsand Emergent Threats, Apr. 2008, Article No. 10.

[20] Rajab M A, Zarfoss J, Monrose F, Terzis A. My botnet isbigger than yours (maybe, better than yours): Why size esti-mates remain challenging. In Proc. the 1st Workshop on HotTopics in Understanding Botnets, Apr. 2007.

[21] Rubner Y, Tomasi C, Guibas L J. A metric for distributionswith applications to image databases. In Proc. the 6th Inter-national Conference on Computer Vision, Jan. 1998, pp.59-66.

[22] Choi J, Kang J, Lee J et al. Mining the global network ofcompromised machines. In Proc. the 4th International Con-ference on Emerging Databases-Technologies, Applications,and Theory, Aug. 2012.
No related articles found!
Full text



[1] Liu Mingye; Hong Enyu;. Some Covering Problems and Their Solutions in Automatic Logic Synthesis Systems[J]. , 1986, 1(2): 83 -92 .
[2] Chen Shihua;. On the Structure of (Weak) Inverses of an (Weakly) Invertible Finite Automaton[J]. , 1986, 1(3): 92 -100 .
[3] Gao Qingshi; Zhang Xiang; Yang Shufan; Chen Shuqing;. Vector Computer 757[J]. , 1986, 1(3): 1 -14 .
[4] Chen Zhaoxiong; Gao Qingshi;. A Substitution Based Model for the Implementation of PROLOG——The Design and Implementation of LPROLOG[J]. , 1986, 1(4): 17 -26 .
[5] Huang Heyan;. A Parallel Implementation Model of HPARLOG[J]. , 1986, 1(4): 27 -38 .
[6] Min Yinghua; Han Zhide;. A Built-in Test Pattern Generator[J]. , 1986, 1(4): 62 -74 .
[7] Tang Tonggao; Zhao Zhaokeng;. Stack Method in Program Semantics[J]. , 1987, 2(1): 51 -63 .
[8] Min Yinghua;. Easy Test Generation PLAs[J]. , 1987, 2(1): 72 -80 .
[9] Zhu Hong;. Some Mathematical Properties of the Functional Programming Language FP[J]. , 1987, 2(3): 202 -216 .
[10] Li Minghui;. CAD System of Microprogrammed Digital Systems[J]. , 1987, 2(3): 226 -235 .

ISSN 1000-9000(Print)

CN 11-2296/TP

Editorial Board
Author Guidelines
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
E-mail: jcst@ict.ac.cn
  Copyright ©2015 JCST, All Rights Reserved