ABSTRACT

Botnet hazards in the Internet environment have increased since the first known Botnets, which were based on Internet Relay Chat (IRC), were found at the beginning of the 1990s. IRC was set up in the late 1980s to allow computer users to connect from anywhere on the Internet and join live chats. Botnet behavior is addressed in terms of the set of operations a Botnet uses during the phases of its life cycle. As a result, analysis of the Botnet life cycle is also important for understanding previous work on Botnet detection and Botnet behavior. In addition, the IP address of a new C&C server can be updated to keep it working and thus prevent it from being blocked as Botnet detection techniques evolve. In contrast to passive monitoring, which only observes Botnet behavior, active monitoring techniques interact with a Botnet directly by probing the network host with active communication and analyzing its responses.