Analysis and Detection of Malicious Data Exfiltration in Web Traffic
Areej Al-Bataineh and Gregory White
Department of Computer Science
University of Texas at San Antonio
aalbata@cs.utsa.edu, greg.white@utsa.edu
Abstract
Data stealing botnets pose a great risk to the security
of networks and the privacy of their users. Most of these
botnets use the web as a medium for communication, mak-
ing them difficult to detect given that web traffic constitutes
about 70% of Internet traffic. In addition, they use obfus-
cation techniques, primarily encryption, to hide their com-
munications and data exfiltration attempts making current
botnet detection techniques that depend on content inspec-
tion ineffective. In this paper, we present an analysis of the
data stealing behaviors of one of the most notorious data
stealing botnets, Zeus. In addition, we propose a classifica-
tion algorithm to identify malicious data stealing attempts
within web traffic. Our classifier uses entropy and byte fre-
quency distribution of HTTP POST request contents as fea-
tures. Our evaluation of the classifier shows high accuracy
and high efficiency making it applicable at network perime-
ter monitoring devices and web proxies.
1. Introduction
Users of networked systems are at a great risk of los-
ing their identity and financial credentials today due to mal-
ware and botnets [26]. Cyber criminals have transformed
from immature hackers to organized professionals with a
great potential for conducting cybercrimes, including spam
and identity theft. The underground economy has become
a million dollar industry [8] built upon developing and sell-
ing software kits for the creation of botnets . Botnets created
with these kits often use the web as a medium for communi-
cation between infected victims (bots) and their command
and control (C&C) servers. This choice of web (or HTTP
protocol) is motivated by convenience and ease of use of
web applications, allowing it to reach a wider range of au-
dience of prospect cyber criminals.
Historically, botnets were used to launch attacks such as
DDoS and spamming. More recent botnets, though, are be-
ing used to harvest data from the victim machines for the
978-1-4673-4879-9/12/$31.00 2012
c IEEE
purpose of monetizing the stolen data through underground
distribution. Proprietary personal and financial-related data
is harvested through keylogging, screen scrapping, and web
spying while the victim user is accessing financial institu-
tion websites.
The effectiveness of these botnets depends primarily on
being quiet, stealthy, and better hidden, thus they do not
leave noticeable traces of their activity either on the vic-
tim machine or on the network. The most common stealth
method is the usage of web for their C&C and encryption
to hide the data stolen thwarting data loss prevention (DLP)
methods which track sensitive data. They also thwart net-
work intrusion detection systems (IDS) because they have
no perceivable anomalies in their usage of HTTP protocol.
Furthermore, current botnet detection systems that depend
on content inspection [10, 27, 14] fall short because of en-
cryption and other stealth methods.
In this paper we study the problem of detecting mali-
cious data stealing activities by malware that utilize encryp-
tion. We consider encryption as an opportunity for detection
rather than a limitation because if encryption is detected
where its not expected, it should be considered anamoly.
Our research makes several contributions. First, we study
the behavior of a data stealing bot and provide insights into
how it could be differentiated from typical web usage of be-
nign applications. Second, we propose a classifier to iden-
tify data stealing HTTP requests based on features of their
contents. Third, we evaluate the classifier on real world
benign and malicious traffic traces and propose implemen-
tation scenarios within network perimeter monitoring de-
vices.
2 Data Stealing Botnets
Recently, many botnets have been discovered with data
stealing activities that cost millions of dollars, such as Tor-
pig [22] which was responsible for stealing the details of
about 500,000 online bank accounts, credit cards, and debit
cards. However, the most notorious botnet associated with
greater money losses is Zeus (individual bots are called
26
 (a) The botnet DIY toolkit (b) Observable network activity a Zbot
Figure 1: Description of Zeus Botnet
Zbots) [20]. SpyEye started as Zbot competitor, but ended
in a merge of their source code making more powerful data
stealing botnets [23].
Zbot appeared in 2007 and since then it has grown to be
one of the top banking Trojans, infecting 41% of govern-
ment networks, according to US-CERT [6]. Zbot was also
used in the Mumba Botnet [5] which stole 60GB of data
from computers in U.K. and Germany, and in the Kneber
Botnet [15] which targeted 374 US-based firms. Rrecently,
the FBI and international law enforcement agencies discov-
ered a ring of criminals that used Zbots to steal around $70
million from victim’s bank accounts [9]. Zeus continues to
be a great threat until today, therefore it is used as an exam-
ple of a data stealing botnet.
2.1 Zeus Toolkit
As mentioned earlier, Zeus is not a single botnet, the
name actually refers to the Do-It-Yourself (DIY) software
kit that is used to create one or more botnets as shown in
Figure 1(a). We were able to obtain an old copy of the kit
after it was released to the public by its developers. Our
analysis shows that the kit has two modules; Binary Builder
which is responsible for creating new Zbot samples, and
a web application called Control Panel. Each Zbot sam-
ple requires static and dynamic configurations. Static con-
figurations sets the name of the botnet, time intervals for
downloads and uploads, URLs for getting the config file,
and an encryption key. The dynamic configurations lists the
URLs of bot download server(s), data upload server(s), and
backup download servers for configuration files. The Con-
trol Panel runs on the C&C server for botnet administration;
it allows the botnet owner to view the status of his botnet by
listing statistics about the number of total bots and the cur-
rent active ones.
2012 7th International Conference on Malicious and Unwanted Software
(c) Byte Entropy of Zbot POST contents
The information stealing capabilities implemented in
Zbots exceed traditional keyloggers and spyware. The
design of the toolkit makes it highly configurable, such
that new modules can be added to newly generated bina-
ries increasing their sophistication. Data stolen using a
Zbot range from account credentials, PKI certificates, and
HTTP Cookies to screen shots, specific files, and databases.
What makes Zbot especially dangerous is its ”man-in-the-
browser” ability. When a user opens a browser to log into
his bank website, for example, Zbot grabs all values filled
in the form and injects additional form fields into the page
which will lure the user into entering more information such
as their social security number or ATM pin numbers. Some
Zbot variants also contain a feature called ”Jabber Zeus”
which relays the victim’s credentials to the criminals in real-
time via Instant Messenger (IM). This real time interception
allows criminals to login into the account while the user is
using it and wire money to third parties.
2.2 Network Behavior
We looked into the network behavior of Zbots by running
a large set in a controlled environment (i.e. sandbox), see
Figure 1(b). The bot first attempts to establish a connection
with C&C server using the 3-way TCP handshake over port
80. After successful connection, it issues a GET request
to download a new configuration file, and a POST request
to upload a log of statistics or stolen data. This pull/push
process is repeated periodically based on the time settings
in the static configuration. The most interesting feature of
this process is that GET and POST request/response pay-
loads appear to be encrypted. Furthermore, we noticed that
most of POST Content-Type was text/html while the
payload is not text. We also noticed that some OK replies of
POST requests embed encrypted content possibly contain-
27
ing commands and scripts to be executed by the bot.
To summarize, our findings show that Zbots HTTP us-
age appears to be normal and blends perfectly with web
traffic with a successfully parsed HTTP headers. How-
ever, we uncovered the following anamolies that can be
used for detection: (1) Repeatability of issuing HTTP GET
and POST requests, which does not happen in most be-
nign applications, except for software updates for exam-
ple. (2) Type-mismatch of content between the declared
type in HTTP header and actual content. (3) Encryption and
possibly compression of POST request content, see Figure
1(c), while Content-Encoding is not used. (4) Embed-
ding of encrypted commands in the body of GET requests
and POST responses. In this paper we take advantage of
finding (3) in our detection approach because its the most
crucial for data exfiltration.
3 Related work
Current botnet detection methods which depend on con-
tent inspection [11, 27, 14], fall short with data stealing bot-
nets because of encryption. For example, Botsniffer [11]
detects HTTP bots assuming that there is temporal-spatial
correlation between several bots within a monitored net-
work. That is, finding a group of hosts that have similar
pattern of receiving messages from C&C servers and re-
sponding with messages and/or activities. This approach
is limited because some assumptions do not apply on data
stealing bots. First, finding similarities in messages requires
the messages to be transferred in clear text, and can not be
accomplished when encrypted. Second, temporal correla-
tion is only effective when bots within the same network
has the same time configurations, whereas botnet genera-
tion kits enable the creation of endless numbers of bots with
different time configurations. In our analysis, we observed
that different samples of Zbot generate HTTP requests with
a large degree of variation in the time between consecutive
requests.
Our research focuses on the detection of malicious data
uploads through the web. While other researcher proposed
methods for web-based malware detection, the design goals
of our approach are different in that: (1) unlike [19], our ap-
proach does not need to learn the web behavior of individ-
ual users within a monitored network; (2) unlike [17], our
approach does not generate signatures from traffic traces of
malware. Our work is mostly comparable to [7, 13] because
they aim at detecting encrypted traffic using entropy mea-
sures, however, (1) they consider all traffic types, while we
only focus on web traffic (HTTP). (2) They detect encrypted
flows based on the first few packets or bytes, including ap-
plication headers, while we exclude headers and consider
the transfered contents within HTTP requests. (3) The only
features they used for detection are different forms of en-
28 2012 7th International Conference on Malicious and Unwanted Software
tropy, while we combine entropy with other features.
4 Data Stealing Classifier
Our goal is to monitor HTTP requests that originate from
a monitored network and identify malicious requests. The
focus is to prevent data stealing attempts carried out by bots
that infect internal machines. Our classifier aims at detect-
ing malicious data uploads, and we assume that issuing out-
bound POST requests is the most viable option. One might
argue that it could be done using outbound GET requests by
saving the data in the request body. In this case, the anomaly
would be so obvious because GET requests should not have
any payload, it only contains the HTTP header fields and
values. Therefore, we only consider data uploads through
HTTP POST requests. We also assume that bots encrypt
the stolen data before uploading it. These assumptions are
supported by our findings outlined in Section 2. We con-
sider encryption as an opportunity for detection rather than a
limitation, therefore we use the entropy and byte frequency
distribution of content files as features.
4.1 Experimental Setup
In order to build the classifier, we used real world traffic
including traffic collected from one of our university cam-
pus networks, and traffic generated from malware samples
of the data stealing botnet (Zeus). We constructed 2 traf-
fic data sets to represent them TB and TS . TB represents
the benign web traffic where there are no “observable” ma-
licious activities. It was constructed from 2 days (48 hours)
of web traffic collected at the router of our campus net-
work. This network serves an institution, with around 30
machines, 22 users, and 15 MB bandwidth. The collected
traffic was checked by running Snort IDS to support our as-
sumptions, and there were no alerts generated.
TS represents web-based data stealing activities by bots
and it was constructed from the traffic of Zeus samples.
We collected 1000 Zeus samples from commercial malware
feeds and from ZeuS Tracker [3]. The traffic was generated
from executing each sample in a sandbox environment for 3
minutes and recording its network traffic. Of the 1000 Zeus
samples, 759 generated network traffic, 239 connected suc-
cessfully with their C&C server, and only 80 uploaded some
stolen data.
Since our focus in this research on malicious data up-
loads through the web, we considered injecting TB with
artificial benign data uploads in order to increase the fre-
quency of POST requests. Data uploads are seen in upload-
ing files to file-sharing websites, and web-based email at-
tachments which usually do not occur frequently. We con-
structed TU to represents benign web-based data uploads
 Data Set Description # of HTTP Pairs # of POST Requests
TB 48 hr web 224587 16695
TU 30 file uploads 302 80
TS 80 samples 784 228
Table 1: Web Traffic Data Sets
by sniffing the traffic generated from uploading files of dif-
ferent types to sendspace.com website. The same set of
files were attached to emails sent trough a Yahoo email ac-
count. The file set included text, application (pdf, doc),
audio, video, image, binary executables, zipped, and en-
crypted files. This insured that the benign data set has con-
tents of varying features.
Table 1 shows a description of those data sets, where the
third column (# of HTTP pairs) lists the total number of
request/response pairs including GET and POST. While the
fourth column (# of POST Requests) shows the number of
POST requests that carry content with size greater than 0.
Notice that the percentage of POST requests among all pairs
is 26% and 29% in TU and TS respectively, while its only
7% in TB .
4.2 Feature Extraction
We observed that malicious HTTP requests and re-
sponses exchanged between the bots and their server have
normal HTTP headers. However, the content of all POST
Requests looks random, therefore the initial goal of our
classifier is to check if the content is encrypted or not. This
is accomplished by information theory concepts that mea-
sure the randomness in a content, given that encrypted con-
tent must be random in the ideal case. For this purpose, we
use Shanon’s Entropy [21]. Entropy of a message of n bytes
is defined by
 raising θ to cover benign content with high entropy (such
H(X) = − p(x)log2 p(x)
x
where p(x) is the normalized frequency of byte x in the
message p(x) = f (x)/n. Byte values range from 0 to 255,
and thus entropy values range from 0 to 8, where it con-
verges to 8 as the randomness of the message increases.
Entropy has been extensively used in literature to detect en-
crypted and compressed contents, such as in malware [16],
and in network traffic [13, 7].
The first feature considered for our classifier is the byte
entropy of POST requests contents. We used a training data
to produce a simple threshold-based classifier. The train-
ing set contained equal numbers of non-encrypted and en-
crypted contents. The non-encrypted set was constructed
from POST contents extracted from benign traffic. The en-
crypted set was generated by encrypting the benign set with
3 different encryption algorithms (RC4, DES3, and AES).
2012 7th International Conference on Malicious and Unwanted Software
avg Size avg Entropy
Data Set TB TU TS Total
574 4.3288
D1 10000 40 114 10154
509262 6.3188
D2 5000 40 114 5154
351 7.1375
Table 2: Evaluation Data Sets
(a) Encrypted Contents (b) Compressed Contents
Figure 2: Byte Entropy Comparison
From the training set, we obtained the entropy thresh-
old θ to be 6.503545. That is, if the entropy of content is
greater than or equal θ, content is classified as encrypted,
otherwise its considered non-encrypted. This approach pro-
duced few false negatives, when encrypted content size is
less than 256. It also produced false positives, especially for
benign content with type application/octet-stream.
This particular type is usually assigned to binary data such
as software packages, documents, pdf, and other applica-
tions.
False positives and negatives are caused by inherited arti-
facts of the entropy as a measure of encryption. The first ar-
tifact is related to content size, in particular, when the size is
less than 256 bytes, entropy does not reach its maximum (8)
even though the content is completely random, this is empir-
ically shown in Figure 2 (a). Therefore, in our experiment,
(1)
as application/octet-stream) caused small-sized en-
crypted contents to be missed, which increased false nega-
tives.
The second artifact is related to compression, where
compressed contents usually have high entropy. This is
proven empirically in Figure 2 (b) where the entropy of
compressed contents shows a similar curve of encrypted.
To overcome this we initially considered Schneier’s ap-
proach [18] where random looking data is assumed to be
compressed unless proven otherwise. That is, if the ran-
dom data were successfully uncompressed, that means its
not encrypted. However, in our benign data we found that
in POST requests compression is not used at all where in
POST responses it is used 50% of the time.
Due to these limitations, we added additional features to
improve the detection accuracy and reduce false positives
and negatives. We considered the structure of the content
29
detailed by Byte Frequency Distributions (BFD). For a mes-
sage of n bytes, BFD is a vector of the normalized bytes
frequencies {p(0), ..., p(255)}. BFD was utilized in detect-
ing the type of a given file [25], detecting malware inside
packet payloads[4], and in anomaly payload-based intru-
sion detection systems, such as PAYL [24]. However, the
goal of our approach is to differentiate encrypted contents
from all other types given that it has the most uniform dis-
tribution.
For feature extraction, we developed a python appli-
cation to extract web requests and responses from a net-
work trace file. The application first assembles TCP ses-
sions (or flows) and extract application layer data. Next, it
performs HTTP parsing to extract headers and contents of
each HTTP request and response using a modified version
of dpkt python package [1]. The content of each request
and response is saved in a separate file with a unique name
T -Fi -Rj -[Req/Res], where T is the name of the trace, i
is the TCP flow number within the trace file, j is the re-
quest/response number within the flow. The application
produces two reports, the first one contains a list of HTTP
pairs representing a request and response. For each pair, the
with some features extracted from the headers. The second
report lists the content features for each extracted content
file.
4.3 Classifier Design
Taking the size, entropy, and BFD as features (for a to-
tal of 258 attributes of each instance) we used Weka [12]
suite to find the best performing classifier. We constructed
2 data sets for training and testing by combining TB and TU
as Benign, and TS as Malicious. As shown in Table 2, D1 ,
contains one third of TB combined with half of each TU and
TS for a total of 10154 instances. For D2 we used the rest
of the data for a total of 5154 instances. In the first stage,
we experimented with different classification approaches,
including NaiveBayes, multi-layer perception (MLP), and
J48 decision trees. Among these, J48 performed the best,
but we had to fine tune it because we noticed that training
J48 multiple times produced different results. For this pur-
pose, we utilized meta learning methods to boost its accu-
racy. In particular, we used AdaBoostM1 with a maximum
of 10 boost operations and reweighing. The final classifier
model needed 6 iteration and produced 6 trees with different
weights.
4.4 Evaluation
To evaluate the classifier we ran three experiments, and
from the confusion matrix, we calculated the rates of false
positives and false negatives as shown in Table 3. Usually,
classifiers are evaluated by their false positives, but in our
30 2012 7th International Conference on Malicious and Unwanted Software
Figure 3: Performance evaluation using ROC curve with
different zoom levels
Experiment Data Set Time FP FN FPR FNR Accuracy
66% Training, rest Testing D1 80 sec 1 0 0.001 0 99.97%
10-fold Cross Validation D1 69 sec 3 3 0 0.0263 99.94%
Testing Classifier D2 62 sec 3 2 0 0.0263 99.90%
Table 3: Experimental Results using AdaBoost+J48 Classi-
fier
case false negatives are equally important. A false negative
means that a malicious data stealing attempt was classified
as benign, which is a costly miss. We also measured the
time required to run each experiment as time is a limiting
factor when classification is performed online at wire speed.
In the first experiment we performed typical evaluation
on D1 using 66% split for training and the rest for testing.
We achieved high accuracy with one FP and no FN. The FP
was a very high entropy (7.9) content posted into an adver-
tisment website (ad4.liverail.com). The legitimacy of
this website was not verified, but it looks suspecious.
In the second experiment we performed 10-fold cross
validation and produced the Receiver Operating Character-
istic (ROC) curve shown in Figure 3. ROC curves are not
sensitive to unbalanced data, which we have (10040 vs 114)
while performance metrics derived from the confusion ma-
trix are sensitive to it. In addition, ROC curve convey the
same information as the confusion matrix in a more robust
and intuitive fashion.
From ROC we calculated the Area Under the Curve
(AUC) using Mann Whitney Statistic [2] to be 0.994. In
addition, we found that the optimal decision threshold =
0.990099 at the perfect performance point A in Figure 3,
where F P R=0.000299 and T P R=0.973684. This thresh-
old was used for operation in the testing phase on a new data
set, D2 . Notice that the FNR remained the same with D2 .
5. Conclusions and Future Work
In this paper we uncovered the network behavior of
web-based data stealing botnets, including patterns of com-
munication,and most importantly the use of encryption to
hide the stolen data. Unlike previous botnet detection ap-
proaches, we considered encryption as an opportunity rather
than a limitation, therefore we utilized information-theoric
concepts to classify malicious encrypted data uploads. We
extracted statistical features from the HTTP POST request
contents of benign and malicious traffic traces and trained
a J48 tree classifier. Testing the classifier on a different
data set detected malicious data uploads with no false pos-
itives and minimum false negatives. This provides strong
evidence that our chosen features can be used in practice,
along with content filtering provided at network monitoring
devices, such as web proxies and web gateways. In addi-
tion, our classifier could be implemented and added as a
new module the Snort IDS HTTP Inspect preprocessor.
Future work includes: (1) experimenting with with par-
tial content inspection, such as the first 256 bytes, to de-
crease processing time and power, thus decreasing decision
time. This is especially needed for embedding the classifier
on a network device that performs online content filtering.
(2) Implementing our classifier in as a new module the Snort
IDS HTTP Inspect preprocessor and study its performance
when executed online. (3) Experimenting with additional
features such as n-gram frequency distribution, and study it
effect on detecting encrypted content. (4) Studying different
information-theoric tests of randomness, such as the ones
included in the test suite provided by NIST [23]. (5) Study-
ing other data stealing botnets and compare the detection
results of our classifier among different types of botnets.
References
[1] http://code.google.com/p/dpkt.
[2] http://en.wikipedia.org/wiki/mann-whitney u.
[3] https://zeustracker.abuse.ch/.
[4] I. Ahmed and K.-s. Lhee. Classification of packet con-
tents for malware detection. Journal of Computer Virology,
7(4):279–295, November 2011.
[5] AVG AntiVirus. The mumba botnet disclosed. Technical
report, 2010.
[6] B. Bain. Massive botnet may have snared some agency sys-
tems. Federal Computer Week, Feb 18 2010.
[7] P. Dorfinger, G. Panholzer, and W. John. Entropy estimation
for real-time encrypted traffic identification. In Proceed-
ings of the Third international conference on Traffic moni-
toring and analysis, pages 164–171, Vienna, Austria, 2011.
Springer-Verlag.
[8] H. Fallmann, G. Wondracek, and C. Platzer. Covertly prob-
ing underground economy marketplaces. In Proceedings of
the Seventh Conference on Detection of Intrusions and Mal-
ware & Vulnerability Assessment (DIMVA ’10), 2010.
[9] FBI Press Release. International cooperation disrupts multi-
country cyber theft ring, 2010.
[10] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee.
Bothunter: detecting malware infection through ids-driven
dialog correlation. In Proceedings of 16th USENIX Security
Symposium, pages 12:1–12:16, Berkeley, CA, USA, 2007.
USENIX Association.
2012 7th International Conference on Malicious and Unwanted Software
[11] G. Gu, J. Zhang, and W. Lee. Botsniffer: Detecting bot-
net command and control channels in network traffic. In
15th Annual Network and Distributed System Security Sym-
posium, San Diego, CA, 10-13 February 2008.
[12] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann,
and I. H. Witten. The weka data mining software: an update.
SIGKDD Explor. Newsl., 11(1):10–18, 2009.
[13] A. R. Khakpour and A. X. Liu. Iustitia: An information the-
oretical approach to high-speed flow nature identification.
In Proceedings of The 29th International Conference on
Distributed Computing Systems (ICDCS), pages 510–517,
Montreal, Quebec, Canada, June 2009.
[14] W. Lu, G. Rammidi, and A. A. Ghorbani. Clustering bot-
net communication traffic based on n-gram feature selec-
tion. Computer Communications, 34(3):502–514, March
2010. 1931223.
[15] NETWITNESS. The kneber botnet, Feb 2010.
[16] R. Perdisci, A. Lanzi, and W. Lee. Classification of packed
executables for accurate computer virus detection. Pattern
Recognition Letters, 29(14):1941–1946, Oct 2008.
[17] R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering
of http-based malware and signature generation using ma-
licious network traces. In Proceedings of the 7th USENIX
conference on Networked systems design and implementa-
tion (NSDI’10), San Jose, California, 2010. USENIX Asso-
ciation.
[18] B. Schneier. Applied Cryptography: Protocols, Algorithms,
and Source Code in C. John Wiley & Sons, Inc., New York,
NY, USA, 1995.
[19] G. Schwenk and K. Rieck. Adaptive detection of covert
communication in http requests. In European Conference
on Computer Network Defense (EC2ND), September 2011.
[20] SecureWorks. Zeus banking trojan reports. Technical report,
March 11 2010.
[21] C. E. Shannon and W. Weaver. A mathematical theory of
communication. Bell System Technical Journal, 27:397–423
and 623–656, July and October 1949.
[22] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szyd-
lowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet
is my botnet: Analysis of a botnet takeover. In Proceeddings
of the ACM Conference on Computer and Communications
Security (CCS), Chicago, IL, November 2009.
[23] Symantec. Spyeye bot versus zeus bot. Technical report,
2010.
[24] K. Wang and S. J. Stolfo. Anomalous payload-based net-
work intrusion detection (payl). In Proceedings of the 7th in-
ternational symposium on Recent Advances in Intrusion De-
tection (RAID), Lecture Notes in Computer Science, pages
203–222. Springer, September 2004.
[25] L. Wei-Jen, W. Ke, S. J. Stolfo, and B. Herzog. Fileprints:
identifying file types by n-gram analysis. In Proceedings of
the Sixth Annual IEEE SMC Information Assurance Work-
shop (IAW ’05), pages 64–71, 15-17 June 2005 2005.
[26] E. Wu and G. Ollmann. My bots are not yours! a case study
of 600+ real-world living botnets. Virus Bulletin (VB2009),
2009.
[27] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and
E. Kirda. Automatically generating models for botnet detec-
tion. In Computer Security (ESORICS’09), pages 232–249.
2009.
31