Publication | Closed Access
Botnet Communication Patterns
Citations: 137 | References: 33 | Year: 2017
Keywords: Engineering, Information Security, Network Analysis, Information Forensics, Botnet Communication, Communication, Hardware Security, Denial-of-service Attack, Network Security, Threat Detection, Malicious Botnets, Computer Science, Botnet Topologies, Network Forensics, Botnet Communication Patterns, Data Security, Cryptography, Network Science, Botnet Detection
Malicious botnets have become a common threat and pervade large parts of the Internet today. Existing surveys and taxonomies focus on botnet topologies, command and control protocols, and botnet objectives. Building on these research results, network-based detection techniques have been proposed that are capable of detecting known botnets. Methods for botnet establishment and operation have evolved significantly over the past decade, resulting in the need for detection methods that are capable of detecting new, previously unknown types of botnets. In this paper we present an in-depth analysis of all network communication aspects in botnet establishment and operation. We examine botnet topology and protocols, and analyze a large set of very different and highly sophisticated existing botnets from a network communication perspective. Based on our analysis, we introduce a novel taxonomy of generalized communication patterns for botnet communication using standardized Unified Modeling Language sequence diagrams. We furthermore examine data exchange options and investigate the influence of encryption and hiding techniques. Our generalized communication patterns provide a useful basis for the development of sophisticated network-based botnet detection mechanisms and can offer a key component for building protocol- and topology-independent network-based detectors.