Detection and classification of different botnet C&C channels

Gregory Fedynyshyn, Mooi Choo Chuah, Gang Tan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

40 Scopus citations

Abstract

Unlike other types of malware, botnets are characterized by their command and control (C&C) channels, through which a central authority, the botmaster, may use the infected computer to carry out malicious activities. Given the damage botnets are capable of causing, detection and mitigation of botnet threats are imperative. In this paper, we present a host-based method for detecting and differentiating different types of botnet infections based on their C&C styles, e.g., IRC-based, HTTP-based, or peer-to-peer (P2P) based. Our ability to detect and classify botnet C&C channels shows that there is an inherent similarity in C&C structures for different types of bots and that the network characteristics of botnet C&C traffic are inherently different from those of legitimate network traffic. The best performance of our detection system has an overall accuracy of 0.929 and a false positive rate of 0.078.

Original language: English (US)
Title of host publication: Autonomic and Trusted Computing - 8th International Conference, ATC 2011, Proceedings
Pages: 228-242
Number of pages: 15
DOIs:
State: Published - 2011
Event: 8th International Conference on Autonomic and Trusted Computing, ATC 2011 - Banff, AB, Canada
Duration: Sep 2 2011 to Sep 4 2011

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6906 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 8th International Conference on Autonomic and Trusted Computing, ATC 2011
Country/Territory: Canada
City: Banff, AB
Period: 9/2/11 to 9/4/11

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science
