A Taxonomy of Botnet Behavior, Detection, and Defense

A number of detection and defense mechanisms have emerged in the last decade to tackle the botnet phenomenon. It is important to organize this knowledge to better understand the botnet problem and its solution space. In this paper, we structure existing botnet literature into three comprehensive taxonomies of botnet behavioral features, detection and defenses. This elevated view highlights opportunities for network defense by revealing shortcomings in existing approaches. We introduce the notion of a dimension to denote different criteria which can be used to classify botnet detection techniques. We demonstrate that classification by dimensions is particularly useful for evaluating botnet detection mechanisms through various metrics of interest. We also show how botnet behavioral features from the first taxonomy affect the accuracy of the detection approaches in the second taxonomy. This information can be used to devise integrated detection strategies by combining complementary approaches. To provide real-world context, we liberally augment our discussions with relevant examples from security research and products.