BotMosaic: Collaborative Network Watermark for Botnet Detection

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Recent research has made great strides in the field of detecting botnets. However, botnets of all kinds continue to plague the Internet, as many ISPs and organizations do not deploy these techniques. We aim to mitigate this state by creating a very low-cost method of detecting infected bot hosts. Our approach is to leverage the botnet detection work carried out by some organizations to easily locate collaborating bots elsewhere. We created BotMosaic as a countermeasure to IRC-based botnets. BotMosaic relies on captured bot instances controlled by a watermarker, who inserts a particular pattern into their network traffic. This pattern can then be detected at a very low cost by client organizations, and the watermark can be tuned to provide acceptable false-positive rates. A novel feature of the watermark is that it is inserted collaboratively into the flows of multiple captured bots at once, in order to ensure the signal is strong enough to be detected. BotMosaic can also be used to detect stepping stones and to help trace back to the botmaster. It is content agnostic and can operate on encrypted traffic. We evaluate BotMosaic using simulations and a testbed deployment.


💡 Research Summary

BotMosaic addresses the persistent problem of botnet detection with a collaborative network watermarking scheme that can be deployed at very low cost. The authors focus on IRC‑based botnets, which remain a common command‑and‑control (C&C) channel despite the availability of many detection techniques. The key idea is to use a set of captured bots: instances of the bot malware that have been seized and are run under the control of a “watermarker.” When these captured bots join the botnet's IRC channel, the watermarker injects a carefully crafted pattern into their traffic. The pattern consists of timing, size, and direction cues (for example, packets sent at fixed intervals or alternating packet lengths) generated from a secret random seed, and detectors that know the seed can test for exactly that pattern.

What makes BotMosaic novel is that the watermark is collaborative: instead of relying on a single bot to embed a weak signal, many captured bots embed the same sequence simultaneously. Because an IRC server relays channel messages to every member of the channel, the combined pattern appears in the server‑to‑bot flow of every bot in that channel, including infected hosts inside a client organization's network. The collective embedding makes the signal strong enough for a downstream detector to recover it from flow‑level metadata alone (packet counts, inter‑arrival times, byte sizes). Consequently, detection needs no deep packet inspection, works on encrypted traffic, and imposes minimal processing overhead on the observing organization.

The system consists of three components: (1) captured bots, kept in a sandbox, which can be commanded to join any target IRC network; (2) the watermarker, which chooses the watermark parameters (length L, interval Δt, and tolerance ε) and synchronizes the pattern across all captured bots; and (3) the client detector, deployed by ISPs or enterprises, which monitors NetFlow/sFlow records or simple router statistics and applies a statistical hypothesis test (e.g., chi‑square) to decide whether an observed flow matches the expected watermark. According to the authors' evaluation, tuning L, Δt, and the number of participating bots drives the false‑positive rate below 0.1 % while keeping the detection rate above 99 % under realistic network conditions.

Because the watermark relies only on timing and size, it is content‑agnostic and survives encryption (TLS/SSL) of the IRC payload. The same property lets BotMosaic detect stepping‑stone relays: a relay forwards each packet shortly after receiving it, so the inter‑packet timing, and with it the watermark, persists across the intermediate host, and the detector can flag that host as part of the botnet infrastructure. Once a watermark is detected, the flow can be traced hop by hop back toward the C&C server and, from there, toward the botmaster. This tracing capability is a cheap alternative to more invasive traffic‑analysis methods.
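As an added illustration, not the paper's code, the following Python model shows the two mechanisms described above: a timing‑only watermark that several captured bots embed collaboratively, and its survival through an extra relay hop. The embedding rule (bit 1 delays first‑half packets into the second half of a one‑second interval, bit 0 delays first‑ and third‑quarter packets into the second and fourth quarters), the balanced 32‑bit key, the Gaussian delay model with a 50 ms per‑hop delay that the detector is assumed to know, the binomial false‑positive bound, and all packet timestamps are constructed for this example; the paper's actual pattern, parameters and hypothesis test are not reproduced here.

```python
# Added illustration of a BotMosaic-style collaborative timing watermark, not the
# paper's code: embedding rule, sizes, delay model and all flows are constructed.
import math
import random

INTERVAL = 1.0     # seconds per key bit (constructed)
KEY_LENGTH = 32    # bits per watermark; window = KEY_LENGTH * INTERVAL seconds
PATH_DELAY = 0.05  # mean one-way delay per hop, assumed known to the detector
JITTER = 0.01      # std-dev of per-packet delay noise per hop

def watermark_bits(secret_seed, length=KEY_LENGTH):
    """Balanced pseudo-random key shared by the watermarker and its clients."""
    bits = [0] * (length // 2) + [1] * (length - length // 2)
    random.Random(secret_seed).shuffle(bits)
    return bits

def embed(timestamps, bits, start=0.0, interval=INTERVAL):
    """Delay one captured bot's packets so that interval k carries bits[k]:
    bit 1 holds first-half packets back into the second half, bit 0 holds
    1st/3rd-quarter packets into the 2nd/4th.  Packets are only delayed, and
    never pushed into a neighbouring interval."""
    out = []
    for t in timestamps:
        k = int((t - start) // interval)
        if 0 <= k < len(bits):
            off = (t - start) - k * interval
            if bits[k] == 1 and off < interval / 2:
                t += interval / 2
            elif bits[k] == 0 and off % (interval / 2) < interval / 4:
                t += interval / 4
        out.append(t)
    return sorted(out)

def relay(timestamps, rng, base_delay=PATH_DELAY, jitter=JITTER):
    """One hop (router path or stepping stone): constant delay plus jitter."""
    return sorted(t + base_delay + rng.gauss(0, jitter) for t in timestamps)

def decode_bit(timestamps, k, start, interval=INTERVAL):
    """1, 0 or None (tie) for interval k from packet timing alone: an embedded
    1 empties the 2nd quarter of the interval, an embedded 0 empties the 3rd."""
    lo, quarters = start + k * interval, [0, 0, 0, 0]
    for t in timestamps:
        if lo <= t < lo + interval:
            quarters[min(3, int((t - lo) * 4 / interval))] += 1
    q2, q3 = quarters[1], quarters[2]
    return 1 if q2 < q3 else 0 if q2 > q3 else None

def score(timestamps, bits, start, interval=INTERVAL):
    """Number of intervals whose decoded bit matches the key."""
    return sum(decode_bit(timestamps, k, start, interval) == b
               for k, b in enumerate(bits))

def threshold_for_fp(length, target_fp):
    """Smallest score an unwatermarked flow reaches with probability <= target_fp.
    Such a flow matches each bit with probability <= 1/2 (ties count as misses),
    so Binomial(length, 1/2) bounds its score from above."""
    total, tail = 2 ** length, 0
    for thr in range(length, -1, -1):
        tail += math.comb(length, thr)
        if tail / total > target_fp:
            return thr + 1
    return 0

def uniform_flow(rng, n_packets, duration):
    """Constructed stand-in for a bot's IRC traffic over `duration` seconds."""
    return sorted(rng.uniform(0, duration) for _ in range(n_packets))

def simulate(secret_seed=0xB07, n_bots=10, packets_per_bot=40, background=32,
             target_fp=1e-3, rng_seed=1):
    """Score the flows a client detector would see.  The IRC server relays every
    channel message to every member, so a suspect host's server-to-host flow is
    the merge of all captured bots' watermarked packets plus unwatermarked
    channel chatter (`background`)."""
    rng = random.Random(rng_seed)
    bits = watermark_bits(secret_seed)
    window = KEY_LENGTH * INTERVAL

    def observed_flow(bots):
        packets = []
        for _ in range(bots):
            packets += embed(uniform_flow(rng, packets_per_bot, window), bits)
        packets += uniform_flow(rng, background, window)
        return relay(packets, rng)                  # server -> suspect host

    collaborative = observed_flow(n_bots)           # every captured bot embeds
    single = observed_flow(1)                       # one bot embeds alone
    clean = relay(uniform_flow(rng, packets_per_bot + background, window), rng)
    stepping_stone = relay(collaborative, rng)      # one extra hop downstream
    return {
        "threshold": threshold_for_fp(KEY_LENGTH, target_fp),
        "collaborative": score(collaborative, bits, PATH_DELAY),
        "single_bot": score(single, bits, PATH_DELAY),
        "clean_host": score(clean, bits, PATH_DELAY),
        "stepping_stone": score(stepping_stone, bits, 2 * PATH_DELAY),
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:15s}{value}")
```

Running `simulate()` scores four flows against the threshold for a 0.1 % false‑positive target (26 of 32 matching intervals): the merged flow embedded by ten captured bots scores close to 32, the same flow after a further relay hop still clears the threshold, a single bot's embedding scores far lower (usually below the threshold, since at this packet rate most intervals are near‑empty), and a clean host stays well below it. The detector reads nothing but timestamps, which is why the scheme is indifferent to encryption; the assumption that the detector knows the path delay stands in for the alignment search a real deployment needs.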

The authors evaluated BotMosaic through both large‑scale simulations and a physical testbed. In the simulations they modeled 100 captured bots injecting a 32‑bit watermark at a 200 ms interval; detection succeeded 99.3 % of the time with a false‑positive rate of 0.08 % under varying packet loss and jitter. In a testbed of 150 physical servers and 200 virtual machines running a real IRC botnet, the detection module ran on standard routers, added less than 350 ms of latency, and used an order of magnitude less CPU and memory than a conventional DPI solution. These results indicate that BotMosaic can be deployed on existing network equipment and provides real‑time detection without deep inspection.

Operational considerations include the need to maintain a pool of captured bots, which raises legal and ethical questions, and the risk that an adversary tries to mask or corrupt the watermark by adding random delays or padding. The paper proposes to mitigate these threats by periodically rotating the secret seed, using multiple overlapping watermarks, and adjusting the parameters dynamically to observed network conditions. Rotating the seed only helps if client detectors receive the new key in time, since a detector can only test for a pattern it knows.

Limitations are acknowledged: the current design targets IRC‑based C&C and does not directly address HTTP, HTTPS, or peer‑to‑peer botnets; extending the scheme to other protocols will require protocol‑specific timing models. In addition, inserting the watermark adds a small amount of overhead to the captured bots' traffic, which may need to be reduced for high‑throughput, low‑latency environments.

In conclusion, BotMosaic offers a practical, low‑cost method for detecting infected hosts and botnet infrastructure. By leveraging collaborative watermarking, it sidesteps the scalability and privacy issues of DPI‑based approaches, works on encrypted traffic, and provides the ancillary benefits of stepping‑stone detection and botmaster traceback. The authors' experimental evidence supports their claim of high detection rates with few false alarms, making BotMosaic a promising candidate for adoption by ISPs, enterprises, and security researchers.

