
Preliminary Results.

We applied this methodology to the 472 botnets we captured and tracked. Our results revealed 90 groups of related botnets covering 25% of the botnets we tracked. Figure 6 presents the features of the botnets in one of these clusters. As the figure illustrates, while these botnets used different servers, similarities across the other dimensions can be used to detect their potential relationship. Notice that in this example (and in many similar ones) the names of all IRC servers belong to the same DNS domain, which provides additional evidence of the relationship among these botnets.

Figure 7: Example of a botnet cluster.
\begin{figure}\centering
\epsfig{figure=graphs/example_structural_cluster.ps, width=0.5\columnwidth}\par
\end{figure}

Figure 7 provides a graphical representation of one example cluster, with nodes indicating distinct botnets and edges indicating relationships between different botnets. The label on each edge reflects the pairwise similarity score. It is evident from this graph that botnet relationships can evolve to form rather complex clusters that significantly complicate the task of estimating botnet membership.

Figure 8 plots the CDF of the number of botnets affiliated with each botnet cluster we discovered. The graph indicates that botnet clusters can span relatively large collections of botnets. Finally, we note that while code reuse [2] could explain the commonalities across some of the features we chose (e.g., IRC server version), other common features, such as channel names and botmaster IDs, are more likely to indicate intentional botnet relationships. Further research into feature selection and assigning proper weights to each feature is a subject of our ongoing work.

Figure 8: CDF of the number of botnets affiliated to each observed cluster.
\begin{figure}\centering
\epsfig{figure=graphs/botnet_cluster_sizes_cdf.eps, width=\columnwidth}\end{figure}
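The clustering described above (pairwise similarity scores over botnet features, edges between sufficiently similar botnets, and the resulting cluster-size CDF) can be illustrated with the following added example. It is not the authors' code: the similarity function, the feature weights, the edge threshold and the six botnet records are all assumptions constructed here, chosen only to show the mechanics of the analysis on a small input.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of tracked botnets (hostnames, channel names and
# botmaster nicknames are made up). Each record holds the feature values
# observed for one botnet, mirroring the feature dimensions named in the text.
BOTNETS = {
    "bot-A": {"server": "irc1.example-c2.net", "channel": "#x1",
              "botmaster": "m4st3r", "version": "Unreal3.2.7"},
    "bot-B": {"server": "irc2.example-c2.net", "channel": "#x1",
              "botmaster": "k1ng", "version": "Unreal3.2.7"},
    "bot-C": {"server": "irc3.example-c2.net", "channel": "#x2",
              "botmaster": "m4st3r", "version": "Unreal3.2.7"},
    "bot-D": {"server": "chat.other-host.org", "channel": "#y",
              "botmaster": "sh4d0w", "version": "ircd-hybrid"},
    "bot-E": {"server": "node.third-domain.com", "channel": "#y",
              "botmaster": "sh4d0w", "version": "Unreal3.2.7"},
    "bot-F": {"server": "lone.isolated.net", "channel": "#z",
              "botmaster": "nobody", "version": "Unreal3.2.7"},
}

# Hypothetical weights: the paper treats channel names and botmaster IDs as
# stronger evidence than server version (which code reuse can explain).
WEIGHTS = {"domain": 1.0, "channel": 2.0, "botmaster": 2.0, "version": 0.5}
THRESHOLD = 2.0  # assumed minimum score for drawing an edge between two botnets


def dns_domain(hostname):
    """Registrable-domain approximation: last two labels of the hostname."""
    parts = hostname.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def similarity(a, b):
    """Weighted count of features two botnets share (assumed scoring rule)."""
    score = 0.0
    if dns_domain(a["server"]) == dns_domain(b["server"]):
        score += WEIGHTS["domain"]
    for feature in ("channel", "botmaster", "version"):
        if a[feature] == b[feature]:
            score += WEIGHTS[feature]
    return score


def build_edges(botnets, threshold=THRESHOLD):
    """Edges (x, y) -> score for every pair at or above the threshold."""
    edges = {}
    for x, y in combinations(sorted(botnets), 2):
        score = similarity(botnets[x], botnets[y])
        if score >= threshold:
            edges[(x, y)] = score
    return edges


def clusters(botnets, edges):
    """Connected components of the relationship graph (union-find)."""
    parent = {b: b for b in botnets}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path halving
            u = parent[u]
        return u

    for x, y in edges:
        parent[find(x)] = find(y)
    groups = {}
    for b in botnets:
        groups.setdefault(find(b), []).append(b)
    # Only groups of two or more botnets count as related clusters.
    related = [sorted(g) for g in groups.values() if len(g) > 1]
    return sorted(related, key=lambda g: (len(g), g))


def coverage(botnets, groups):
    """Fraction of tracked botnets that belong to some related cluster."""
    return sum(len(g) for g in groups) / len(botnets)


def size_cdf(groups):
    """Empirical CDF of cluster sizes as (size, cumulative fraction) pairs."""
    counts = Counter(len(g) for g in groups)
    total = sum(counts.values())
    cdf, cumulative = [], 0
    for size in sorted(counts):
        cumulative += counts[size]
        cdf.append((size, cumulative / total))
    return cdf


if __name__ == "__main__":
    edges = build_edges(BOTNETS)
    groups = clusters(BOTNETS, edges)
    print("edges:", edges)
    print("clusters:", groups)
    print("coverage:", round(coverage(BOTNETS, groups), 3))
    print("size CDF:", size_cdf(groups))
```

Note that bot-B and bot-C fall below the threshold as a pair yet end up in the same cluster through bot-A; this transitive linking is how the chains in Figure 7 arise, and it is also why a poorly chosen threshold or weight vector can merge unrelated botnets.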


Fabian Monrose 2007-04-03