Botnet C&C Traffic and Flow Lifespans Using Survival Analysis

Vaclav Oujezsky, Tomas Horvath, Vladislav Skorpil


This paper addresses the issue of detecting unwanted traffic in data networks, namely the detection of botnet networks. In this paper, we focused on a time behavioral analysis, more specifically said – lifespans of a simulated botnet network traffic, collected and discovered from NetFlow messages, and also of real botnet communication of a malware.
As a method we chose survival analysis and for rigorous testing of differences Mantel–Cox test. Lifespans of those referred traffics are discovered and calculated by lifelines using Python language.
Based on our research we have figured out a possibility to distinguish the individual lifespans of C&C communications that are identical to each other by using survival projection curves, although it occurred in a different time course.

Full Text:



Plixer: Flow Analytics. PLIXER INTERNATIONAL, Inc. Plixer-Malware Incident Response.

V. Oujezsky, T. Horvath and V. Skorpil, ”Modeling Botnet C& C Traffic Lifespans from NetFlow Using Survival Analysis,” in Proc. 39th International Conference on Telecommunication and Signal Processing, TSP 2016. Vienna, Austria 2016. pp. 50–55, ISBN 9781509012879, ISSN 1805-5435.

S.C.S. Silva, R.M.P. Silva, R.C.G. Pinto, and R.M. Salles, ”Botnets: A survey,” Computer Networks, vol. 57, pp. 378–403, February 2013.

GCAT: A fully featured backdoor that uses Gmail as a C&C server, GitHub.

J. McHugh, R. McLeod, and V. Nagaonkar, ”Passive network forensics: behavioural classification of network hosts based on connection patterns,” ACM SIGOPS Operating Systems Review, vol. 42, pp. 99–111, April 2008.

A. Boukhtouta, D. Mouheb, M. Debbabi, O. Alfandi, F. Iqbal, and M.E. Barachi, ”Graph-theoretic characterization of cyber-threat infrastructures,” Digital Forensics & Incident Response, vol. 14, pp. S3–S15, August 2015.

W.K. Ehrlich, A. Karasaridis, D. Liu, and D. Hoeflin, ”Detection of spam hosts and spam bots using network flow traffic modeling,” in Proc. 3rd USENIX conference on Large-scale exploits and emergent threats LEET’10, pp. 7-7, 2010.

S. Garcia, V. Uhlir, and M. Rehak, ”Identifying and modeling botnet C&C behaviors,” in Proc. 1st International Workshop on Agents and CyberSecurity - ACySE 14, pp. 1–8, 2014.

S. Garcia, M. Grill, J. Stiborek, and A. Zunino, ”An empirical comparison of botnet detection methods,” Computers and Security, vol. 45, pp. 100–123, September 2014.

Introduction to Cisco IOS NetFlow - A Technical Overview. CISCO SYSTEMS, Inc. CISCO, 2012.

Lifelines, Cam Davidson-Pilon, Copyright 2014.

GDP - NetFlow Collector. Network Security Research, c 2016.

Fabric: Pythonic remote execution, c 2016.

Norman, Geoffrey R. and David L. Streiner. Biostatistics: the bare essentials. 3rd ed. Shelton, Conn.: People’s Medical Pub. House, 2008. ISBN 9781550093476

GitHub, Fabric: Simple, Pythonic remote execution and deployment, GitHub, 2016

C.D. Cam, Lifelines, 2014.

Stratosphere IPS, Dataset, c 2015.



  • There are currently no refbacks.