On the detection and identification of botnets

We develop and discuss automated and self-adaptive systems for detecting and classifying botnets based on machine learning techniques and integration of human expertise. The proposed concept is purely passive and is based on analyzing information collected at three levels: (i) the payload of single packets received, (ii) observed access patterns to a darknet at the level of network traffic, and (iii) observed contents of TCP/IP traffic at the protocol level. We illustrate experiments based on real-life data collected with a darknet set up for this purpose to show the potential of the proposed concept for Levels (i) and (ii). As darknets cannot capture TCP/IP traffic data, we use a small spamtrap in our experiments at Level (iii). Strictly speaking, this approach for Level (iii) is not purely passive. However, traffic moving through a network could potentially be analyzed in a similar way to also obtain a purely passive system at this level. (C) 2009 Elsevier Ltd. All rights reserved.