Multi-phase IRC Botnet and Botnet Behavior Detection Model

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv paper.

Botnets are considered one of the most dangerous and serious security threats facing networks and the Internet. Compared with other security threats, botnet members can be directed and controlled via C&C messages from the botmaster over common protocols such as IRC and HTTP, or even over covert and unknown applications. As for IRC botnets, general security devices such as firewalls and IDSes do not by themselves provide a viable solution to prevent them completely, because these devices cannot differentiate well between legitimate and malicious traffic of the IRC protocol. This paper therefore proposes an IDS-based, multi-phase IRC botnet and botnet behavior detection model based on C&C response messages and on the malicious behaviors of IRC bots inside the network environment. The proposed model has been evaluated on five network traffic traces from two different network environments (a virtual network and the DARPA 2000 Windows NT Attack Data Set). The results show that the proposed model could detect all infected IRC botnet member(s), state their current status of attack, filter their malicious IRC messages, pass the other normal IRC messages and detect the botnet behavior regardless of the botnet communication protocol, with a very low false positive rate. The proposed model has been compared with some of the existing and well-known approaches, including BotHunter, BotSniffer and Rishi, regarding the botnet characteristics used in each approach. The comparison showed that the proposed model improves on the compared models by not relying on a certain time window or on specific bot signatures.


💡 Research Summary

The paper addresses the persistent threat posed by IRC‑based botnets, which exploit the legitimate IRC protocol to receive command‑and‑control (C&C) instructions from a botmaster. Traditional firewalls and intrusion detection systems (IDS) struggle to differentiate malicious IRC traffic from legitimate user chat because they typically rely on port‑based filtering or generic anomaly detection that does not capture the subtle characteristics of bot‑generated messages. To overcome this limitation, the authors propose a multi‑phase, IDS‑centric detection model that focuses on both the content of IRC C&C response messages and the subsequent malicious behaviors exhibited by compromised hosts.

The model consists of three sequential phases. Phase 1 performs protocol‑level identification of IRC sessions and extracts command‑response pairs. It uses Snort‑style signatures to match IRC commands (PRIVMSG, NOTICE, etc.) and a set of “bot‑specific” keywords such as “!cmd” or “/exec” that are rarely seen in normal chat. Phase 2 builds a behavior profile for each host that has responded to a suspected bot command. It correlates the presence of response messages with network‑level indicators of malicious activity: large outbound file transfers, bursts of UDP/ICMP traffic typical of DDoS attacks, rapid port‑scanning sequences, or the appearance of known exfiltration patterns. Phase 3 classifies the infected host’s current state (idle, awaiting commands, actively attacking) and triggers appropriate mitigation actions, ranging from passive logging to active traffic blocking.

Implementation combines a standard Snort engine with custom Python plug‑ins that perform flow‑based anomaly detection. The plug‑ins monitor packet size distributions, inter‑arrival times, destination port entropy, and other statistical features in real time. By fusing signature‑based detection (Phase 1) with behavior‑based analysis (Phase 2), the system avoids reliance on a single time window or static bot signatures, a drawback common to earlier approaches such as BotHunter, BotSniffer, and Rishi.
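The three phases described above, as an added illustration that is not the paper's own code: Phase 1 matches the summary's bot keywords in standard IRC PRIVMSG/NOTICE lines, Phase 2 builds a per-host profile from flow records (destination-port entropy and UDP/ICMP burst count, two of the features the implementation section names), and Phase 3 maps the profile to the idle / awaiting-commands / attacking states. The flow record layout, the thresholds and the sample traffic are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Keywords are the ones the summary names; the line shape is the standard IRC message form.
BOT_KEYWORDS = ("!cmd", "/exec")
IRC_MSG = re.compile(r"^:\S+ (?:PRIVMSG|NOTICE) \S+ :(?P<text>.*)$")
SCAN_ENTROPY, FLOOD_FLOWS = 3.0, 50  # assumed thresholds, not values from the paper

def phase1_suspects(irc_lines):
    """Hosts whose IRC traffic carried a bot-specific keyword: {host: [keywords]}."""
    suspects = {}
    for host, line in irc_lines:
        m = IRC_MSG.match(line)
        hits = [kw for kw in BOT_KEYWORDS if m and kw in m.group("text")]
        if hits:
            suspects.setdefault(host, []).extend(hits)
    return suspects

def port_entropy(ports):
    """Shannon entropy (bits) of destination ports; high values suggest port scanning."""
    n, counts = len(ports), Counter(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def phase2_profile(flows, host):
    # Behavior profile from the outbound flow records of one host (assumed record layout).
    mine = [f for f in flows if f["src"] == host]
    return {
        "flows": len(mine),
        "port_entropy": port_entropy([f["dport"] for f in mine]),
        "udp_icmp_flows": sum(f["proto"] in ("udp", "icmp") for f in mine),
    }

def phase3_state(p):
    """Classify a Phase 1 suspect into the three states the model reports."""
    if p["flows"] == 0:
        return "idle"
    if p["port_entropy"] >= SCAN_ENTROPY or p["udp_icmp_flows"] >= FLOOD_FLOWS:
        return "attacking"
    return "awaiting commands"

def detect(irc_lines, flows):
    # Only hosts flagged in Phase 1 are profiled, so normal IRC chat passes untouched.
    return {h: phase3_state(phase2_profile(flows, h)) for h in phase1_suspects(irc_lines)}

# Constructed sample input (not from the paper): 10.0.0.5 chats normally,
# 10.0.0.7 receives a "!cmd" line and then contacts 40 distinct destination ports.
IRC_LINES = [("10.0.0.5", ":alice!u@h PRIVMSG #chat :lunch at noon?"),
             ("10.0.0.7", ":ctl!u@h PRIVMSG #ops :!cmd report")]
FLOWS = [{"src": "10.0.0.7", "dport": p, "proto": "tcp"} for p in range(1, 41)]
FLOWS += [{"src": "10.0.0.5", "dport": 6667, "proto": "tcp"}]
print(detect(IRC_LINES, FLOWS))  # {'10.0.0.7': 'attacking'}
```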

The authors evaluate the model on two distinct datasets. The first consists of traffic generated in a controlled virtual network in which hosts are deliberately infected with several contemporary IRC bot variants (Eggdrop, Supybot derivatives, Phbot, etc.). The second dataset re‑creates the DARPA 2000 Windows NT Attack Data Set, which contains real‑world attack traffic from the early 2000s. Across both environments, the proposed system achieves 100 % detection of all IRC‑infected hosts while allowing more than 99.8 % of legitimate IRC conversations to pass untouched. The false‑positive rate remains below 0.2 %, substantially lower than BotHunter’s reported ~1 % rate. Moreover, the detection accuracy is stable across a wide range of analysis windows (5 s to 60 s), demonstrating robustness for real‑time deployment.

A comparative analysis highlights key advantages over prior work. BotHunter relies heavily on flow‑level anomalies and cannot reliably separate benign IRC traffic from malicious C&C exchanges. BotSniffer uses statistical clustering of traffic patterns, which can be evaded by modest protocol variations. Rishi focuses on DNS‑based command channels, making it ineffective against pure IRC communication. In contrast, the proposed model simultaneously inspects IRC message content and the host’s subsequent network behavior, allowing it to detect bot activity regardless of the underlying transport protocol or minor command‑syntax changes.

The paper also acknowledges limitations. The evaluation is confined to IRC‑centric botnets; modern malware often switches between IRC, HTTP, HTTPS, or peer‑to‑peer channels, and the model’s effectiveness in such multi‑protocol scenarios remains untested. Additionally, performance measurements on large‑scale production networks are absent, raising questions about scalability and processing overhead. The authors suggest future work that integrates machine‑learning classifiers for dynamic behavior profiling, leverages cloud‑based IDS for elastic processing, and extends detection to hybrid C&C architectures.

In summary, the research presents a practical, low‑false‑positive detection framework that bridges the gap between signature‑based and behavior‑based IDS techniques. By focusing on IRC C&C response patterns and the associated malicious actions of compromised hosts, the model offers a more resilient defense against IRC botnets and sets a foundation for broader, protocol‑agnostic botnet detection strategies.

