Behavior-based botnet detection in parallel

Kuo-Chen Wang, Chun-Ying Huang*, Li Yang Tsai, Ying-Dar Lin

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

14 Scopus citations

Abstract

Botnets have become a major Internet security issue in recent years. Although signature-based solutions are accurate, they cannot detect bot variants in real time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots. It detects a bot based on anomalous behavior in domain name service (DNS) queries and transmission control protocol (TCP) requests. With the design objectives of efficiency and accuracy, a bot is detected using the proposed five-stage process: (i) traffic reduction, which shrinks an input trace by deleting unnecessary packets; (ii) feature extraction, which extracts features from the shrunk trace; (iii) data partitioning, which divides the features into smaller pieces; (iv) the DNS detection phase, which detects bots based on DNS features; and (v) the TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel, enabling real-time detection. Large-scale experiments on the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate (∼3%). The experiments also show that the performance of BBDP scales linearly with the number of servers used to detect bots.

Original language: English
Pages (from-to): 1849-1859
Number of pages: 11
Journal: Security and Communication Networks
Volume: 7
Issue number: 11
DOIs
State: Published - 1 Nov 2014

Keywords

  • Anomaly detection
  • Behavior-based
  • Botnet detection
  • Cloud computing
  • Fuzzy pattern recognition
  • Parallel process
