Bot Detection Algorithms

This document summarizes a systematic literature review on bot detection algorithms. It describes different approaches for detecting bots, including taxonomy of approaches, commonly used datasets and features, performance metrics, and defense measures against malicious bots. It provides an overview of bot detection systems, highlighting requirements like datasets, features, metrics, frameworks, and languages. The review contributes a refined taxonomy combining prior work, describes evaluation tools and measures against bots, and discusses adequacy of detection techniques and areas needing improvement.
Revista Cubana de Ciencias Informáticas
Vol. 16, No. 4, October-December 2022
ISSN: 2227-1899 | RNPS: 2301
http://rcci.uci.cu
pp. 1-26

Article type: Review article
Topic: Computer security
Received: 21/08/2022 | Accepted: 01/09/2022 | Published: 31/10/2022

Bot detection algorithms: A systematic literature review


Hélder João Chissingui (ORCID: 0000-0002-7538-3865) 1*
Humberto Díaz Pando (ORCID: 0000-0003-1591-8781) 2
Mailyn Moreno Espino (ORCID: 0000-0002-7613-3382) 2
Nayma Cepero Pérez (ORCID: 0000-0003-3808-8135) 2
1 Instituto Superior Técnico Militar - ISTM/FAA, Avenida Deolinda Rodrigues, Campo Militar do Grafanil, Km 9, Luanda, Angola. {[email protected]}
2 Universidad Tecnológica de La Habana José Antonio Echeverría, CUJAE. 114 No. 11901, e/ Ciclovia y Rotonda, Marianao, La Habana, Cuba. {hdiazp,my,ncepero}@ceis.cujae.edu.cu
* Corresponding author: ([email protected])

Abstract

The growing adoption of web-based services contributes greatly to the growing use of bots. Despite their benefits, malicious intent by attackers is even more worrisome. Issues such as cyber attacks and cognitive warfare are at the origin of malicious activities that damage the security properties of systems and manipulate public opinion. In recent years, the number of studies on this topic has grown considerably, although there have been very few systematic literature reviews. In this article, a generic study is made of the different ways of detecting bots, describing the approaches and their functional particularities. The tools for building and evaluating bot detection systems are described, such as datasets, features, performance metrics and development frameworks, together with a comparative study of the most used programming languages. The defence measures against malicious bots are also presented, in addition to a discussion of the adequacy of the bot detection approaches.

Keywords: Bot detection algorithms; malicious bots; systematic literature review.

Editorial “Ediciones Futuro” 1


Universidad de las Ciencias Informáticas. La Habana, Cuba
[email protected]

Summary

The growing adoption of web-based services contributes considerably to the rising trend in the use of bots. Despite their benefits, malicious intent on the part of attackers is even more worrying. Issues such as cyber attacks and cognitive warfare are at the origin of malicious activities that damage the security properties of systems and manipulate public opinion. In recent years the number of studies on this topic has grown considerably, although there have been very few systematic literature review studies. This article presents a generic study of the different ways of detecting bots, describing the approaches and their functional particularities. The tools for building and evaluating bot detection systems are described, such as datasets, features, performance metrics and development frameworks, as well as a comparative study of the most used programming languages. In addition, defence measures against malicious bots are presented, along with a discussion of the adequacy of the bot detection approaches.

Keywords: Bot detection algorithms; malicious bots; systematic literature review.

Introduction
Web robots, or bots, are software programs that automatically traverse the hyperlink structure of the World Wide Web in order to locate and retrieve information (Tan and Kumar, 2002). Detecting them is a fundamental and crucial task for tracing and mitigating cyber threats on the Internet (Zhao et al., 2020). Despite their beneficial uses, several sectors are affected by malicious activities carried out by bots: for instance, bots have been used to cause huge financial losses, to influence political elections by distorting online discourse, to manipulate the stock market, or to push anti-vaccine conspiracy theories that may have caused health epidemics (Kudugunta and Ferrara, 2018). Malicious bots are also designed to exploit system vulnerabilities, and, whether bots are benign or malicious, their large-scale use can negatively affect the availability of services on web servers.
Imperva (2020) describes four sophistication levels of malicious bots: (1) simple, (2) moderate, (3) sophisticated and (4) Advanced Persistent Bots (APB), whose potential behaviours include, respectively, using automated scripts, using a headless browser, producing mouse movements and clicks, and changing their user agents. In carrying out malicious activities, bots can also act in a coordinated manner, which in certain environments is described by the concept of a botnet: a group of infected
hosts running bots and connected to a Command and Control (C&C) channel, waiting for instructions from the attacker, who plays the botmaster role (Alieyan et al., 2017).
Bot sophistication level and botnet communication structure are the two main factors in the effectiveness of bot detection systems. Depending on them, bots acquire abilities such as imitating human patterns or using measures based on Machine Learning (ML) techniques, among others, which greatly affect the performance of bot detection algorithms. The traditional Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) algorithms are in a similar situation: although they are the old solution to the bot detection problem, they can also be affected by ML-based bots.
Cybersecurity is a field of growing interest for governments, public and private companies, the academic community and other areas, because it concerns the exposure of resources that are important for the life of organizations. According to Imperva (2020), malicious bots increase infrastructure costs because, beyond the losses, the design requirements of defence systems grow while their efficiency does not grow as much, owing to the rapid evolution of bots. At the same time, research on bot detection approaches is very current in the most prestigious academic databases, such as IEEE, Web of Science, Scopus and Springer. There is an evident flow of studies on these topics; Systematic Literature Review (SLR) studies, by contrast, are scarce.
State-of-the-art SLRs address the subject from particular contexts, such as Online Social Networks (OSN) (Karataş and Şahin, 2017; Latah, 2020; Orabi et al., 2020), online games (Kotkov et al., 2018), Software Defined Networking (SDN) (Shinan et al., 2021), CAPTCHAs (Xu et al., 2020) and advanced technologies (Xing et al., 2021). Descriptions of the datasets used for ML approaches are very scarce, and measures against malicious bots are not presented in most of the studies. Development frameworks are not studied either. Latah (2020), Shinan et al. (2021) and Xing et al. (2021) provide taxonomies of bot detection approaches, which contribute to this SLR, as does the Common Bot Detection Evaluation System (CBDES) proposed by Xing et al. (2021).
This SLR addresses the relevant issues of bot detection, provides an overview and highlights the requirements for developing a bot detection system. Its contributions are summarized below.

• A refined taxonomy of bot detection approaches is provided, primarily combining the Latah (2020), Shinan et al. (2021) and Xing et al. (2021) taxonomies.
• Given the dominant nature of approaches based on data mining, a succinct description of the datasets and features used in the state of the art is provided. To complete the topic of algorithm evaluation, some performance metrics are generally described.

• A description of measures against malicious bots and a comparative study of programming languages is
also provided, in addition to describing the most used frameworks in the development of bot detection
systems.
• The discussion is focused on the detection techniques that are more adequate, the deficiencies of some
areas and possibilities that these approaches maintain their capabilities with respect to the evolution of
bot design techniques.

Methods
This SLR was based on the process in fig. 1a, with the following paper selection criteria:

• Inclusion criteria: Papers written in English or Spanish. Papers related to web systems security, where bot detection algorithms are used and analysed with the aim of improving system security. Papers that present the research method and the results of experiments.
• Exclusion criteria: Papers not presented in English or Spanish. Informal publications. Duplicates and papers not accessible in full text. Templates for conducting bot detection algorithm studies.

[Figure 1. (a) SLR protocol with the number of papers included in each process phase. Phases shown: search databases; remove duplicates; remove non-scientific; select by relevance; select by title and abstract; full-text reading and classification; review of excluded; quality assessment; data extraction and report preparation. Paper counts shown in the diagram: 5225, 4781, 4013, 310, 270, 131 and 4. (b) The number of papers selected per year of publication (x-axis: publication year, 2011 to 2021; y-axis: number of papers), where approximately 80% of papers were published in the last five years.]

Fig. 1 - Methodology and the studies included.


Bot detection approaches


RQ1: Which bot detection approaches exist?
Bots are designed for specific tasks, and this characteristic imposes a certain level of specificity on the design of detection approaches. These are also directly related to the nature of the problem being solved. The bot detection problem can be categorized as a classification problem, in which a previously known class is assigned to an object according to a feature analysis process.
The answer to RQ1 is summarized in fig. 2, and the corresponding variants are briefly described in the following paragraphs.

BOT DETECTION APPROACHES
• Machine Learning approaches: Supervised; Unsupervised; Reinforcement; Deep Learning
• Complex Data approaches: Sequence data mining; Graphs and network mining; Other data types mining
• Distributed Approaches: Blockchain; Moving Target Defence; Software Defined Networking
• Other approaches: Honeypot; CAPTCHAs; Combined approaches

Fig. 2 - Taxonomy of bot detection approaches.

Machine Learning approaches


ML is the main analytical approach used in the bot detection field, where the tasks of classification, clustering and anomaly detection stand out. These tasks are performed by means of supervised, unsupervised, reinforcement and deep learning algorithms.
Supervised learning
Characterized by their simplicity of implementation, supervised learning algorithms are usually the initial choice in classification problems. The good performance of these algorithms is always the result of good data preparation, since the training process is supervised. Despite the advantages mentioned above, they are not immune to the curse of dimensionality. Several types of supervised learning algorithms are applied in the state of the art of bot detection, selected according to criteria based, for example, on the type
and size of data, robustness to noise and computational complexity. The most frequent supervised algorithms are ensembles (Random Forests (RF) (Gezer et al., 2019; Barbon et al., 2018; Singh et al., 2019)) and Neural Networks (Kudugunta and Ferrara, 2018; Feng et al., 2020; Zhao et al., 2020). There are also solutions based on other algorithms, such as Decision Trees (DT) (Balla et al., 2011), K-Nearest Neighbor (K-NN) (Rahman and Tomar, 2020), Support Vector Machine (SVM) (Hosseini et al., 2019) and Naïve Bayes (NB) (Venkatachalam and Anitha, 2017).
Unsupervised learning
Clustering and anomaly detection are the main unsupervised learning tasks used for bot detection, without diminishing their importance in the data preprocessing stage. Like the supervised learning approach, both are limited by the accuracy of the training data. Although the mining process is indirect, there are bot detection solutions based on clustering. For Suchacka and Iwanski (2020), the use of an unsupervised learning approach is motivated by the fact that in real life several bots are camouflaged, so that in a historical user session dataset some bot sessions may be improperly labelled as human-generated.
Clustering approaches are applied in the state of the art with a lower frequency than the previous approach. Examples are BotGrab (Yahyazadeh and Abadi, 2015), SMART, based on Markov Clustering (MCL) (Zabihimayvan et al., 2017), Agglomerative Information Bottleneck (AIB) (Suchacka and Iwanski, 2020), and K-Means and Graded Possibilistic C-Means (GPCM) (Rovetta et al., 2020). Anomaly detection approaches include correlation analysis (Chen and Lin, 2015) and Botmark (Wang et al., 2020).
Reinforcement learning
Reinforcement learning methods are a bit different from conventional supervised or unsupervised methods. In this context, an agent is trained over a period of time to interact with a specific environment and to improve its performance with regard to the type of actions it performs on the environment (Sarkar et al., 2017). Learning Automata-based Malicious Social Bot Detection using trust model (LA-MSBD) (Rout et al., 2020) and Venkatesan et al. (2017) are the few studies with a Reinforcement Learning (RL)-based approach.
Artificial Neural Networks
Although they are not a solution for all variants of the bot detection problem, it is important to note the use of Artificial Neural Network (ANN)-based models in several state-of-the-art studies. Their multiple purposes, scalability and robustness to incomplete and noisy data may be the reasons for this choice; conversely, they are costly in computing resources. Some ANN approaches are as follows: Convolutional Neural Networks (CNNs) (Iliou et al., 2021), Long Short-Term Memory (LSTM) (Kudugunta and Ferrara,
2018), and Deep Neural Networks and Active Learning Bot detection (DABot), based on RGA, a deep ANN that comprises a Residual Network (ResNet), a Bidirectional Gated Recurrent Unit (BiGRU) and an Attention mechanism (Wu et al., 2021). There are other bot detection approaches supported by ANNs, which are discussed under the following approaches.

Complex data approaches


The complexity of profiling the behaviour of bot and human users reduces the accuracy of the above approaches, which leads to the use of complex data, such as multimedia data, spatial data, time-series data, text and other complex data types.
Sequence Data Mining
Han et al. (2012) define a sequence as an ordered list of events, in which the classes of biologically inspired, symbolic and time-series sequences can be identified. The following paragraphs address bot detection approaches based on sequence data.
Markov chain approach. A Markov chain is a collection of random variables $X = \{X_n : n \in T\}$, where $T$ is a countable time-set. It is customary to write $T$ as $\mathbb{Z}_+ := \{0, 1, \ldots\}$, and we will do this henceforth (Tweedie, 2001). The defining detail of a Markov chain is that the previous event is considered as determining the current occurrence. Suchacka et al. (2021) define a Discrete-Time Markov Chain (DTMC) as a vector of starting probabilities $s = (s_i)$ and a transition probability matrix $P = (p_{ij})$. These are trained on the resource request patterns of sessions in a training dataset. During the training phase a separate DTMC model is developed for each class. Let $R = (s_r, P_r)$ and $H = (s_h, P_h)$ be DTMCs trained with robot and human sessions, respectively. To make the decision, let $X = (x_1, \ldots, x_K)$ be the resource request pattern of a session with $K$ requests observed on the server. The log-probability that a DTMC will generate $X$ at step $k \le K$ is:

$$\log \Pr(X \mid s, P) = \log s_{x_1} + \sum_{i=2}^{k} \log p_{x_{i-1}, x_i} \tag{1}$$

Given $X$, $\Pr(X \mid R)$ represents the probability computed using eq. (1) for $R$ (bot), and similarly $\Pr(X \mid H)$ for $H$ (human). Doran and Gokhale (2016) and Suchacka et al. (2021) use a DTMC approach to classify user sessions based on differences in their resource request patterns.
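The decision rule of eq. (1), worked through as an added example (not code from the paper or from the studies it cites): two DTMCs are trained on constructed sessions, and a new session is assigned to the class whose chain gives the higher log-probability. The resource categories used as states, the Laplace smoothing and the sample sessions are assumptions of this example.

```python
import math

# DTMC states: coarse resource categories (assumed; the page does not fix them).
STATES = ["page", "img", "css", "js", "api", "robots"]

# Constructed training sessions: the ordered resource types requested.
HUMAN_SESSIONS = [
    ["page", "css", "js", "img", "img", "page", "css", "img"],
    ["page", "img", "img", "api", "page", "img"],
    ["page", "css", "js", "api", "page", "img", "img"],
]
ROBOT_SESSIONS = [
    ["robots", "page", "page", "page", "page"],
    ["page", "page", "page", "api", "page", "page"],
    ["robots", "page", "page", "page"],
]


def train_dtmc(sessions, states=STATES, alpha=1.0):
    """Estimate the start vector s and transition matrix P of one class.

    Laplace smoothing (alpha) is an addition of this example: without it a
    single unseen transition yields log(0) and rejects the whole session.
    """
    start = {x: alpha for x in states}
    trans = {a: {b: alpha for b in states} for a in states}
    for seq in sessions:
        if not seq:
            continue
        start[seq[0]] += 1
        for prev, cur in zip(seq, seq[1:]):
            trans[prev][cur] += 1
    total = sum(start.values())
    s = {x: c / total for x, c in start.items()}
    P = {}
    for a, row in trans.items():
        row_total = sum(row.values())
        P[a] = {b: c / row_total for b, c in row.items()}
    return s, P


def log_prob(seq, model, k=None):
    """Eq. (1): log s_{x_1} + sum_{i=2..k} log p_{x_{i-1}, x_i}."""
    s, P = model
    k = len(seq) if k is None else min(k, len(seq))
    if k == 0:
        raise ValueError("empty session")
    lp = math.log(s[seq[0]])
    for i in range(1, k):
        lp += math.log(P[seq[i - 1]][seq[i]])
    return lp


def classify(seq, robot_model, human_model, k=None):
    """Return (label, log-likelihood ratio) after the first k requests."""
    lr = log_prob(seq, robot_model, k)
    lh = log_prob(seq, human_model, k)
    # Ties go to "human" so that a legitimate user is not blocked on no evidence.
    return ("bot" if lr > lh else "human"), lr - lh


R_MODEL = train_dtmc(ROBOT_SESSIONS)   # R = (s_r, P_r)
H_MODEL = train_dtmc(HUMAN_SESSIONS)   # H = (s_h, P_h)

if __name__ == "__main__":
    for session in (["page", "page", "page", "page"],
                    ["page", "css", "img", "img"]):
        label, llr = classify(session, R_MODEL, H_MODEL)
        print(session, label, round(llr, 3))
```

Because eq. (1) is a running sum, the `k` argument lets the same models score a session while it is still in progress.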
Digital-DNA approach. Biologically inspired by Deoxyribonucleic Acid (DNA), a digital-DNA sequence is nothing more than a character vector whose possible values are in an alphabet $B = \{B_1, \ldots, B_N\}$, which is
defined by the number of bases, or cardinality $N$, and the identification of the bases’ information.
A digital-DNA sequence $s$ is defined as follows:

$$s = (b_1, b_2, \ldots, b_n), \quad b_i \in B \;\; \forall i = 1, \ldots, n \tag{2}$$

where the length of the sequence, $n = |s|$, is determined by the number of actions encoded in the sequence; sequences of arbitrary length can therefore be created while considering a limited number of bases. Coding a given behaviour involves linking each of the actions to an alphabet base (Cresci et al., 2018).
Cresci et al. (2018) developed an approach to detect spambots in the Twitter OSN based on digital-DNA sequences, in which legitimate users and bots are characterized with measures of sequence similarity defined under the notion of the Longest Common Substring (LCS). This allowed the design of a social fingerprinting technique based on supervised and unsupervised approaches.
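An added sketch of the digital-DNA idea, not the implementation of Cresci et al.: timelines are encoded over a three-base alphabet as in eq. (2), and accounts that share a long common substring are grouped. The action-to-base mapping, the fixed thresholds `k` and `min_len` (a simplification of the LCS-based similarity measures) and the sample timelines are constructed for this example.

```python
from collections import defaultdict

# Assumed three-base alphabet B: one base per action type.
ACTION_TO_BASE = {"tweet": "A", "reply": "C", "retweet": "T"}


def encode(actions, alphabet=ACTION_TO_BASE):
    """Eq. (2): map an ordered list of actions to a digital-DNA string."""
    return "".join(alphabet[a] for a in actions)


# Constructed timelines, already encoded (13 actions per account).
TIMELINES = {
    "bot1": "ATTATTATTATTA",
    "bot2": "CTTATTATTATTC",
    "bot3": "TTATTATTATTAA",
    "user1": "ACCTACCAACTCC",
    "user2": "CATCCTCACCTAC",
    "user3": "TCCTCTCCTTCCT",
}


def substring_owners(seqs, length):
    """Map every substring of the given length to the accounts containing it."""
    owners = defaultdict(set)
    for account, s in seqs.items():
        for i in range(len(s) - length + 1):
            owners[s[i:i + length]].add(account)
    return owners


def longest_shared_substring(seqs, k):
    """Longest substring present in at least k accounts.

    Returns (substring, sorted accounts), or ("", []) if nothing is shared.
    Brute force over lengths: fine for short timelines, not for production.
    """
    max_len = max((len(s) for s in seqs.values()), default=0)
    for length in range(max_len, 0, -1):
        hits = {sub: accs
                for sub, accs in substring_owners(seqs, length).items()
                if len(accs) >= k}
        if hits:
            # Deterministic tie-break: most accounts, then lexicographic order.
            best = max(hits, key=lambda sub: (len(hits[sub]), sub))
            return best, sorted(hits[best])
    return "", []


def lcs_curve(seqs):
    """LCS length as a function of the number k of accounts sharing it."""
    return {k: len(longest_shared_substring(seqs, k)[0])
            for k in range(2, len(seqs) + 1)}


def flag_coordinated(seqs, k=3, min_len=8):
    """Accounts belonging to a group of >= k that share >= min_len actions.

    Any longer shared substring contains a shared window of exactly min_len,
    so scanning windows of that one length is sufficient.
    """
    flagged = set()
    for accounts in substring_owners(seqs, min_len).values():
        if len(accounts) >= k:
            flagged |= accounts
    return sorted(flagged)


if __name__ == "__main__":
    print(lcs_curve(TIMELINES))
    print(flag_coordinated(TIMELINES))
```

In the constructed data the curve stays long while only the three automated accounts are involved and collapses as soon as a fourth account has to share the substring.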
Graphs and Network Mining
Derived from network embedding techniques, this approach stands out for its scalability and flexibility in processing large amounts of data and complex systems. However, storage cost and computation time can be performance constraints. For Chen et al. (2020a), analysing graph data can provide significant insights into community detection, behaviour analysis and other useful applications such as node classification, link prediction and clustering. Two main variants can be identified in the field of bot detection: the first considers the graph structure only in the preprocessing stage, to extract structured information (Ali Alhosseini et al., 2019); the second considers the graph structure in the learning phase.
Community detection. Given a network, a community detection algorithm returns a community label for each node of the network, according to the particular criteria of each type of algorithm. It is usually an important approach for the characterization and discrimination of users in OSNs. Mendoza et al. (2020) propose a semi-supervised approach based on the Label Propagation (LP) and Multiple Random Projection Trees (MRPT) algorithms, and Rheault and Musulan (2021) present an online community approach based on Uniform Manifold Approximation and Projection (UMAP).
Mining of other data types. In addition to sequences and graphs, there are many other kinds of semi-structured or unstructured data, such as spatio-temporal, multimedia, hypertext and text data, which have interesting applications (Han et al., 2012) and impose certain particularities on the mining process. Barbon et al. (2018) propose a natural language processing (NLP) approach based on the Discrete Wavelet Transform (DWT), with text mining that uses fast-to-calculate features grounded on the DWT.


Distributed approaches
Defence systems against botnets are often confronted by the resilience of the attackers. One probable reason is that not all the bots have been blocked; in addition, part of the attack strategies are dynamic, that is, they can change according to the vulnerabilities of the target system’s attack surface. For Sagirlar et al. (2018), modern botnets often have a decentralized structure to increase the attacks’ chance of success. Due to its characteristics, the graph and network mining approach may be the most appropriate for dealing with this problem, but approaches based on distributed architectures and technologies are currently also adopted; these are described below.
Blockchain
The underlying core principle of blockchain technology is the implementation of a time-stamped series of permanently linked blocks using cryptographically secure hash functions. Verified data are stored in a distributed ledger as a chain of blocks based on their timestamps. Each participant in a blockchain network can observe data blocks and verify or reject them using the underpinning consensus model (Alkadi et al., 2021). Due to its peculiarities, this approach corresponds to the concept of distributed but not decentralized systems, which gives it enormous potential for the design of Collaborative IDSs (CIDS). Sagirlar et al. (2018) proposed AutoBotCatcher, an approach based on a Byzantine Fault Tolerant (BFT) blockchain, and Spathoulas et al. (2019) present a concrete approach to detect Distributed Denial of Service (DDoS) attacks.
Moving Target Defence
Moving Target Defence (MTD) makes it possible to create, analyse, evaluate and deploy mechanisms and strategies that are diverse and that continually shift and change over time, in order to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency (Albanese et al., 2018). It is one of the appropriate techniques against resilient attacks. Vikram et al. (2013) and Venkatesan et al. (2016) propose bot detection solutions based on the MTD approach.
Software Defined Networking
SDN leads to more effective mitigation approaches by providing a flexible and dynamic way to control the network (Ja’fari et al., 2021). Despite the centralized control that is characteristic of an SDN environment, its flexibility allows the inclusion of virtualization techniques, which are used for distributed monitoring and detection in several state-of-the-art implementations. Maeda et al. (2019) developed a Deep Learning (DL)-based approach on an SDN, and Zha et al. (2019) proposed BotSifter, an SDN-based scalable, accurate and runtime bot detection framework for data centers.


Other bot detection approaches


Captcha-based approaches
CAPTCHAs are common in web applications as an online user test that ensures security measures are not violated, but their accuracy is currently challenged by the advent of ML-based bots; improving these algorithms is therefore a necessary task. Hitaj et al. (2020) proposed a CAPTCHA Technique Uniquely REsistant (CAPTURE) based on Generative Adversarial Networks (GAN). Acien et al. (2021) present BeCAPTCHA, based on handcrafted features and GAN deep learning.
Honeypot-based approaches
Considered by Chen et al. (2020b) to be the best Intrusion Detection System (IDS) technique, honeypots are systems that coexist with other machines within the network and are deliberately configured with vulnerabilities to lure attackers to scan and compromise them (Venkatesan et al., 2017). Shadow Daemon, Snare And Tanner, BW-Pot and Webtrap are examples of systems available on the web for this purpose. Table 1 lists the generic benefits and limitations of this approach.

Table 1 - Advantages and disadvantages of the Honeypot approach.

| Advantages | Disadvantages |
|---|---|
| Large-scale scope. Allows new bots and attacks to be known. Few design resources at greater scope. Provides valuable information to build datasets (Eduard and Daniel, 2010; Ja’fari et al., 2021). | Passive approach and limited monitoring. It would need to be combined with another bot detection approach. Can attract a high amount of flow. Legitimate users can be caught by mistake. Bots that employ measures can be invisible. Can negatively affect browser performance (Eduard and Daniel, 2010; Chen et al., 2020b). |

Haltaş et al. (2014) propose BotFinder through Honeypots (BFH), a BotFinder-based approach (Tegeler et al., 2012), and Lewandowski et al. (2020) propose SpiderTrap, a multilevel website where the links to each page are randomly generated.

Evaluation of the algorithms


For the use and maintenance of bot detection systems, the detection algorithms are subjected to a validation process that evaluates their performance in a given environment. The metrics used in the validation process are directly related to the type of detection approach. In all bot detection approaches mentioned in this study, the analytical process is supported by ML, an approach whose algorithm validation process is data
dependent. For this reason, datasets are an important tool for the validation of ML-based approaches, since the efficiency of web bot detection methods or algorithms depends on them. The lack of public ground-truth data is considered to be the main challenge hindering appropriate evaluation of bot detection approaches (Latah, 2020).

Datasets and features


RQ2: Which datasets and features are used to build bot detection algorithms?
A large part of the datasets available on the web are built from captured network traffic and processed web log files, and the driving force behind them comes from the academic community. However, due to their specificity and to other reasons related to privacy, the datasets used in bot detection approaches for e-commerce are not publicly available. Table 2 describes datasets for bot detection tasks in network traffic and OSNs. In addition to the datasets mentioned in table 2, ISOT (Wu et al., 2016), the ImageNet Dataset (Hitaj et al., 2020), the Balabit Dataset (Morgan, 2021) and the Human Mobile Interaction database (HuMIdb) (Acien et al., 2021) are an important contribution to the topic of bot detection, due to their very particular way of approaching it.

Table 2 - Description of available datasets used in state of the art.

| Dataset | Short description |
|---|---|
| CTU-13 | A botnet traffic dataset captured at the CTU University, Czech Republic, in 2014. It consists of thirteen captures of different botnet samples and contains data from seven different botnets: Neris, Rbot, Virut, Murlo, NSIS, Donbot and Sogou. CTU-13 can be used either as a whole or by scenario. Each scenario was manually analysed and labelled (Garcia et al., 2014). |
| Bot-IoT | Incorporates both normal IoT-related and other network traffic, along with various types of attack traffic commonly used by botnets. It was developed on a realistic testbed and has been labelled, with the label features indicating an attack flow and the attack category and subcategory for possible multi-class classification purposes. Its reliability was evaluated using different statistical and machine learning methods for forensics purposes (Koroniotis et al., 2019). |
| ISCX | Consists of a combination of three datasets and contains traffic from 16 different Internet Relay Chat (IRC), Peer-To-Peer (P2P) and Hypertext Transfer Protocol (HTTP) C&C-based botnets. This makes the ISCX dataset the most realistic and varied (Álvarez Cid-Fuentes et al., 2018). |
| Bot Repository | Repository where academic research datasets on Twitter OSN bot detection are hosted. Most of the datasets are annotated by humans, while others are created using automated techniques based on account behaviour, filters on metadata, or more sophisticated procedures to achieve high precision (Sayyadiharikandeh et al., 2020). |

The features are directly related to the type of platform, the activities that are captured and the processing technique used. When a user visits a web site using a web browser (client), the browser generally makes a series of requests for each page requested by the user, and then the page is built. A session is therefore a sequence of HTTP requests, in a specific period of time, that are related to one user. The information in each session indicates a complete movement of a user through the web site. In log files, requests appear as independent events ordered by timestamp, so the sessions that show the navigational behaviour of each user have to be extracted from the log files (Hosseini et al., 2019). Table 3 categorizes the features used in the state of the art.

Table 3 - Main categories of features used in bot discrimination.

| Category | Description |
|---|---|
| User profile | Includes all identification information related to the user. Compared to old detection approaches, the level of importance of this feature tends to decrease, considering that bots have currently perfected the imitation of human behaviour. |
| Semantic | Content-based features and e-commerce-oriented features are terms used to designate the same type of features. They can play a leading role in e-commerce and OSNs, because they present information directly related to the users' activities. On the other hand, they may involve the use of other processing techniques depending on the type of content. |
| Network flow-based | Related to network traffic, in which capturing is done primarily at the network and transport levels of the OSI model. |
| Interaction | In OSNs, the posts of users can be commented, reposted, and liked by other users. These interactions often reflect the difference between normal users and social bots (Wu et al., 2021). |
| Timing | The time between consecutive requests, or the time a certain event elapses, are some examples of the use of time-based features to discriminate bot activities. |
| Biostatistics | Mentioned in Rahman and Tomar (2020), it is related to the biometric features of Chu et al. (2013); Ji et al. (2016); Iliou et al. (2021) and the handcrafted features of Acien et al. (2021); Mou and Kyumin (2020). Both designate the event-generated features of human user interaction with peripheral devices such as keyboards, mice, and smartphones. |
| Graph-based | They result when a graph-based approach is used, without graph-based learning. |
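
The session extraction described before Table 3, with timing features of the kind listed in the table computed per session, is sketched below as an added example (it is not code from this review or from the cited papers). The log lines are constructed; keying a session on client IP plus user agent and closing it after 30 minutes of inactivity are assumptions, since the text fixes neither.

```python
import re
import statistics
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Embedded resources a browser fetches while building a page.
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?)(\?|$)', re.I)
SESSION_TIMEOUT = timedelta(minutes=30)  # assumed inactivity threshold

# Constructed sample: one browser-like client, one fixed-interval client, one broken line.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Oct/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [31/Oct/2022:10:00:01 +0000] "GET /static/site.css HTTP/1.1" 200 900 "/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [31/Oct/2022:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 4100 "/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [31/Oct/2022:10:00:10 +0000] "GET /products/1 HTTP/1.1" 200 2048 "-" "ExampleFetcher/1.0 (constructed)"
203.0.113.9 - - [31/Oct/2022:10:00:12 +0000] "GET /products/2 HTTP/1.1" 200 2048 "-" "ExampleFetcher/1.0 (constructed)"
### truncated entry (constructed malformed line)
203.0.113.9 - - [31/Oct/2022:10:00:14 +0000] "GET /products/3 HTTP/1.1" 200 2048 "-" "ExampleFetcher/1.0 (constructed)"
203.0.113.9 - - [31/Oct/2022:10:00:16 +0000] "GET /products/4 HTTP/1.1" 200 2048 "-" "ExampleFetcher/1.0 (constructed)"
203.0.113.9 - - [31/Oct/2022:10:00:18 +0000] "GET /products/5 HTTP/1.1" 200 2048 "-" "ExampleFetcher/1.0 (constructed)"
198.51.100.7 - - [31/Oct/2022:10:00:35 +0000] "GET /products/42 HTTP/1.1" 200 3300 "/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [31/Oct/2022:10:00:36 +0000] "GET /static/p42.jpg HTTP/1.1" 200 80000 "/products/42" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [31/Oct/2022:10:45:36 +0000] "GET /cart HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_log(text):
    """Turn log text into request records; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def sessionize(records, timeout=SESSION_TIMEOUT):
    """Group timestamp-ordered requests into sessions per (ip, user agent)."""
    sessions = []
    open_sessions = {}  # session key -> the session currently open for it
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["ip"], rec["ua"])
        current = open_sessions.get(key)
        # A gap longer than the timeout ends the old session and starts a new one.
        if current is None or rec["ts"] - current[-1]["ts"] > timeout:
            current = []
            sessions.append(current)
            open_sessions[key] = current
        current.append(rec)
    return sessions


def session_features(session):
    """Timing and request-mix features for one session."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(session, session[1:])]
    n = len(session)
    return {
        "client": session[0]["ip"],
        "requests": n,
        "duration_s": (session[-1]["ts"] - session[0]["ts"]).total_seconds(),
        "mean_gap_s": statistics.fmean(gaps) if gaps else 0.0,
        "gap_stdev_s": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        "asset_ratio": sum(bool(ASSET_RE.search(r["path"])) for r in session) / n,
    }


if __name__ == "__main__":
    for s in sessionize(parse_log(SAMPLE_LOG)):
        print(session_features(s))
```

The resulting feature rows are what a classifier would be trained on; on the constructed data the fixed-interval client shows a gap deviation of zero, while the browser-like client shows irregular gaps and embedded-resource requests.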

Evaluation metrics
RQ3: Which evaluation metrics are used to measure the performance of algorithms?
There are two main variants of validation metrics: internal and external. Internal validation, also known as unsupervised validation, consists of submitting the algorithm to a set of tests without using elements external to the algorithm (test data). External validation is suitable for selecting the optimal algorithm for a given data set. This validation has a more generic perspective, since its metrics are flexible across the different state-of-the-art approaches. The most used external metrics are described in Table 4. For binary classification, these metrics are given in terms of: True Positives (TP), the number of instances of bots classified as bots; True Negatives (TN), the number of instances of humans classified as humans; False Positives (FP), the number of instances of bots classified as human (Error type I); and False Negatives (FN), the number of instances of humans classified as bots (Error type II).
Sometimes it is difficult to compare bot detection algorithms based on the metrics mentioned so far, because the performance of these algorithms is also a matter of computational cost, complexity, scalability and robustness. On the other hand, not all approaches use quantitative evaluation (with metrics such as accuracy, recall, precision and F1-score): Spathoulas et al. (2019) compare their proposal, a collaborative agent-based detection of DDoS Internet of Things (IoT) botnets, with the existing ones according to integrity, availability, responsiveness and scalability.

Table 4 - Most used metrics for bot detection algorithms evaluation.

| Metric description | Mathematical model |
|---|---|
| Accuracy, provides information on how many predicted values are correct. It can have ambiguities in the interpretation of its value when there is a class imbalance. | $A = \frac{TP + TN}{TP + TN + FP + FN}$ |
| Precision, compares the current values of TPs with all the predictions of positive class. It is important when trying to analyse the predictions of the positive class. | $P = \frac{TP}{TP + FP}$ |
| Recall, represents the actual predicted TP rate. Also known as sensitivity, its use is relevant in scenarios where FN have a negative impact. | $R = \frac{TP}{TP + FN}$ |
| F1-Score, combines the accuracy and recall in situations where it is important to have a joint notion of error type I and II. | $F_1 = \frac{2TP}{2TP + FP + FN}$ |

Integrity, Availability, Responsiveness, Scalability, Interpretability and Speed-up: The integrity of system resources, the availability of the system against probable failures, the production of reports or alarms, the speed of processing. These are very useful qualitative metrics used frequently, fundamentally when a comparison between algorithms is intended, are a great tool for this purpose in addition to statistical test such as t-test.

Development environments
RQ4: Which programming environments are used to implement bot detection algorithm?
The state-of-the-art algorithms are implemented in four main programming environments: R, Matlab, Java and Python. Table 5 compares some advantages and disadvantages of these environments. The following paragraphs describe the most common frameworks.


Weka workbench. Developed in Java by the University of Waikato, New Zealand, and distributed under the terms of the GNU General Public License (GPL), it is a collection of ML algorithms and data preprocessing tools that includes virtually all the algorithms and provides extensive support for the whole process of experimental data mining (Frank et al., 2016). Although extensions can be added easily, it has a small development community and very little documentation available compared to the following environments.
Scikit-learn. An open source library with a huge community, whose capabilities keep growing with new implementations. It is a powerful tool used in the bot detection approach and comes preinstalled in the Anaconda distribution. It implements a set of data mining algorithms, from the classical to the most modern, for data preparation, classification, regression, clustering, anomaly detection and association rules, and integrates flexibly with other major data science libraries. There are other frameworks based on C++, CUDA and Python, such as PyTorch, Theano, Tensorflow and Keras, that are used very frequently.

Table 5 - Comparison of the most used programming languages, considering the characteristics of the languages and frequency of use (SC: Syntax Complexity, RT: Runtime, CC: Compiled Code, IC: Interpreted Code, WD: Web Development, ML: Machine Learning, DV: Data Visualization, NLP: Natural Language Processing, PP: Parallel Programming, FOS: Free and Open Source, OOP: Object Oriented Programming, DC: Developer Community).

Column groups: Syntax and runtime, Project development, Other elements

Language SC RT CC IC WD ML DV NLP PP FOS OOP DC
√ √ √
R ∗∗ ∗∗∗ × × ∗∗ ∗∗∗ ∗ × Medium
Matlab ∗∗ ∗∗ × × × ∗∗ ∗∗ ∗ × × × Small
√ √ √
Java ∗∗∗ ∗ × ∗∗∗ ∗∗ ∗∗ ∗∗ × Large
√ √ √ √
Python ∗ ∗∗ × ∗∗∗ ∗∗∗ ∗∗∗ ∗ Large and growing

√: Positive affirmation, ×: Negative affirmation, ∗∗∗: High, ∗∗: Middle, ∗: Low

Measures against malicious bots


RQ5: Which defence responses are used when malicious bots are detected?
The measures are oriented in a generic way to the life cycle of cyber attacks, which are typically preceded by a reconnaissance phase in which adversaries gather critical information about the target system, including network topology, service dependencies, and unpatched vulnerabilities (Albanese et al., 2018). Nevertheless, measures such as procedures to reduce the exposure of system resources can also be classified as preventive and containment measures.


Preventive measures
These measures are used not only to reduce the exposure of system resources, but also to combat the resilience of attacks. Thompson (2018) describes the most common forms of attack reconnaissance: gaining knowledge about the entity's domains and subdomains, capturing IP addresses, e-mail harvesting, and understanding the entity, its personnel, the technology used and personnel issues. These malicious activities affect the authenticity security property of systems. Hitaj et al. (2020) and Acien et al. (2021), in their approaches to this security property, improve CAPTCHA algorithms, which, as authentication mechanisms, make it possible to identify bot user accounts. System and network configurations are typically static, and do not reconfigure, adapt, or regenerate except in deterministic ways to support maintenance and uptime requirements. In such a static scenario (Albanese et al., 2018), the impact of the cyber attack reconnaissance phase is very high, so dynamically changing the configurations can reduce that impact and consequently reduce the probability of success of the next phase of the cyber attack. Some distributed approaches implement measures based on dynamic or periodic change of system configurations, such as detector placement (Venkatesan et al., 2016); in Vikram et al. (2013), with a similar approach, the information of human users is hidden so that malicious bots cannot hijack it to impersonate human users.
Another way to prevent the success of this phase is to divert the attention of the bots to a previously established point with vulnerabilities, the idea behind the Honeypot approach.
Containment measures
The containment phase can be split into two stages: detection and response (Silva et al., 2013).
Detection. Detecting bots is paramount to stop malicious activities, or at least reduce them, while also allowing people to be better informed when making decisions (Rodríguez-Ruiz et al., 2020). There are different bot detection approaches, whose main tasks are the recognition of network traffic patterns and of user activities. Where hosts have already been infected by a malicious botnet, the analysis of network traffic is an important task for implementing C&C traffic interception measures: the malicious network traffic generated by infected hosts makes it possible to identify the C&C channel the botmaster uses to communicate with them. In addition, detection in the C&C phase aims to detect the presence of a bot early, before any malicious activities can be performed (Zhao et al., 2013).
Response. This stage is related to using mechanisms to stop the traffic between bots and C&C servers and, as a more effective final action, server deactivation. It can be accomplished using automated mechanisms that integrate firewalls, content filters, address blacklists and routes to block communications between bots and the spread of malware, in order to reduce or stop the infection, disrupt the botnet communication or definitively deactivate the C&C centers (Silva et al., 2013). It can also be done in several other ways depending on the characteristics of the system or web application, such as limiting the bot user's privileges or deleting the bot user, but be aware that this operation may often involve taking the server offline for a period of time.

Discussion
Machine Learning (ML) is the most common approach across application contexts. However, our findings do not suggest an appropriate ML algorithm for each context. This task has become challenging, mainly due to bot sophistication; therefore, the trend is to use robust algorithms, such as classifier ensembles. In fact, the Random Forests (RF) algorithm is the popular choice for state-of-the-art binary classification approaches. Unsupervised approaches also stand out for their ability to detect hidden patterns in the data; Suchacka and Iwanski (2020) associate this with the camouflage trend of current bots.
Our findings suggest that ML algorithms are a good choice; Yang et al. (2019) conclude that it is necessary to update classification models using newly available data as well as feedback collected from users. At the same time, one must continuously evolve the set of features that may discriminate between human behaviours and increasingly complex bot behaviours.
The content of bot activities is an important component in defining a bot behaviour profile. Often this information lacks a special processing mechanism, since it can be complex data. To address the shortcomings of conventional ML approaches in treating this type of data, as well as in scaling to large amounts of data, complex data mining describes approaches that rely on complex data structures, where the deep learning approach can be considered the fundamental support for the creation and manipulation of some complex data variants, excluding the DTMC and digital-DNA approaches. On this path, the graph and network mining approach has strengths in dealing with the detection of coordinated bot attacks, the identification of user group behaviour, the propagation of fake news (a tool of cognitive warfare carried out mainly in OSNs), and other malicious activities, but the computational effort required is intensive.
On the other hand, our findings also show that, among the measures against malicious activities, CAPTCHA-based, Honeypot-based, Blockchain-based, SDN-based and MTD-based approaches have a preventive nature. The honeypot approach stands out for, among other functions, its relevance in establishing the profile of malicious bots, while Blockchain-based, SDN-based and MTD-based approaches stand out for the robustness of their defence response, since they employ measures that reduce the attack surface and dynamically fight resilient attacks.
Despite the existence of available datasets, some even with real and precise data, our findings suggest that, due to the level of specificity that is required, for application contexts such as e-commerce, finance and banking a more appropriate option would be to use the data captured on the application server. Regarding features, the IP address, the user agent field and the like, including the OSN user identification, can provide false information, considering the imitation power of moderate, advanced and APB bots; the trend of using graph-based, biostatistic and NLP features can reduce the immunity of bots.
Java and Python are the popular choices of programming language for implementing bot detection algorithms: they have huge developer communities, a vast available bibliography and libraries with implemented ML algorithms, and, finally, the fact that they also serve for application development gives them the key elements for the development of bot detection algorithms. Nevertheless, the most used programming languages have limited tools to take efficient advantage of multicore and multiprocessor architectures, which is an important element for the scalability of the algorithms.

Conclusions and future direction


This SLR identified five main bot detection approaches, namely Machine Learning, Complex Data Mining, Distributed approaches, CAPTCHAs and Honeypots, with emphasis on the massive use of the Machine Learning approach, in which data sets based on web traffic and web log files are used. The detection approaches described are used as part of preventive and containment strategies against malicious bots. Finally, it was found that Java- and Python-based development environments are the most common, with Python frameworks such as Scikit-learn, PyTorch, Tensorflow and Keras, and Weka, a Java-based application.
For future work, we plan to capture data on a real e-commerce web platform and to build a robust detection system with two detection phases based on meta-learning, using the Proactive Forests algorithm (Cepero-Pérez et al., 2018) and heterogeneous ensembles.

References
Alejandro Acien, Aythami Morales, Julian Fierrez, Ruben Vera-Rodriguez, and Oscar Delgado-Mohatar. Becaptcha: Behavioral bot detection using touchscreen and mobile sensors benchmarked on humidb. Engineering Applications of Artificial Intelligence, 98:104058, 2021. ISSN 0952-1976. doi: https://doi.org/10.1016/j.engappai.2020.104058. URL https://www.sciencedirect.com/science/article/pii/S0952197620303274.

Massimiliano Albanese, Sushil Jajodia, and Sridhar Venkatesan. Defending from Stealthy Botnets Using Moving Target Defenses. IEEE Security Privacy, 16(1):92–97, 2018. ISSN 1558-4046. doi: 10.1109/MSP.2018.1331034.

Seyed Ali Alhosseini, Raad Bin Tareaf, Pejman Najafi, and Christoph Meinel. Detect me if you can: Spam bot detection using inductive representation learning. In Companion Proceedings of The 2019 World Wide Web Conference, WWW ’19, page 148–153, New York, NY, USA, 2019. Association for Computing Machinery. ISBN 9781450366755. doi: 10.1145/3308560.3316504. URL https://doi.org/10.1145/3308560.3316504.

Kamal Alieyan, Ammar ALmomani, Ahmad Manasrah, and Mohammed M Kadhum. A survey of botnet detection based on DNS. Neural Computing and Applications, 28(7):1541–1558, 2017. ISSN 1433-3058. doi: 10.1007/s00521-015-2128-0. URL https://doi.org/10.1007/s00521-015-2128-0.

Osama Alkadi, Nour Moustafa, Benjamin Turnbull, and Kim-Kwang Raymond Choo. A deep blockchain framework-enabled collaborative intrusion detection for protecting iot and cloud networks. IEEE Internet of Things Journal, 8(12):9463–9472, June 2021. ISSN 2327-4662. doi: 10.1109/JIOT.2020.2996590.

Andoena Balla, Athena Stassopoulou, and Marios D Dikaiakos. Real-time Web Crawler Detection. 18th International Conference on Telecommunications Real-time, pages 428–432, 2011.

Jr. Barbon, S., G.F.C. Campos, G.M. Tavares, R.A. Igawa, Jr. Proença, M.L., and R.C. Guido. Detection of human, legitimate bot, and malicious bot in online social networks based on wavelets. ACM Transactions on Multimedia Computing, Communications and Applications, 14(1s), 2018. doi: 10.1145/3183506. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85045180136&doi=10.1145%2f3183506&partnerID=40&md5=a3038e44cf7e2496b2c66a15e493c654.

Nayma Cepero-Pérez, Luis Alberto Denis-Miranda, Rafael Hernández-Palacio, Mailyn Moreno-Espino, and Milton García-Borroto. Proactive forest for supervised classification. In Yanio Hernández Heredia, Vladimir Milián Núñez, and José Ruiz Shulcloper, editors, Progress in Artificial Intelligence and Pattern Recognition, pages 255–262, Cham, 2018. Springer International Publishing. ISBN 978-3-030-01132-1.

Chia-Mei Chen and Hsiao-Chung Lin. Detecting botnet by anomalous traffic. Journal of Information Security and Applications, 21:42–51, 2015. ISSN 2214-2126. doi: https://doi.org/10.1016/j.jisa.2014.05.002. URL https://www.sciencedirect.com/science/article/pii/S221421261400026X.

Fenxiao Chen, Yun-Cheng Wang, Bin Wang, and C.-C. Jay Kuo. Graph representation learning: a survey. APSIPA Transactions on Signal and Information Processing, 9:e15, 2020a. doi: 10.1017/ATSIP.2020.13.

Hanlin Chen, Hongmei He, and Andrew Starr. An Overview of Web Robots Detection Techniques. IEEE Xplore, 2020b.


Zi Chu, Steven Gianvecchio, Aaron Koehl, Haining Wang, and Sushil Jajodia. Blog or block: Detecting blog bots through behavioral biometrics. Computer Networks, 57(3):634–646, 2013. ISSN 1389-1286. doi: https://doi.org/10.1016/j.comnet.2012.10.005. URL https://www.sciencedirect.com/science/article/pii/S1389128612003593.

Stefano Cresci, Roberto Di Pietro, Marinella Petrocchi, Angelo Spognardi, and Maurizio Tesconi. Social fingerprinting: Detection of spambot groups through dna-inspired behavioral modeling. IEEE Transactions on Dependable and Secure Computing, 15(4):561–576, July 2018. ISSN 1941-0018. doi: 10.1109/TDSC.2017.2681672.

Derek Doran and Swapna S Gokhale. An integrated method for real time and offline web robot detection. Wiley Expert Systems, (September):1–15, 2016. doi: 10.1111/exsy.12184.

Arenas Eduard and López Daniel. Honeypot : Ventajas y Desventajas como Mecanismo para la Prevención de Intrusos Informáticos. Universidad Piloto de Colombia, pages 1–6, 2010.

Y. Feng, J. Li, L. Jiao, and X. Wu. Towards learning-based, content-agnostic detection of social bot traffic. IEEE Transactions on Dependable and Secure Computing, 2020. doi: 10.1109/TDSC.2020.3047399. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85098748309&doi=10.1109%2fTDSC.2020.3047399&partnerID=40&md5=6f4052f608c7df46a2040078bcdb52a7.

Eibe Frank, Mark A Hall, and Ian H Witten. The weka workbench. Morgan Kaufmann, fourth edition, 2016.

Sebastian Garcia, Martin Grill, Jin Stiborek, and Alejandro Zunimo. An empirical comparison of botnet detection methods. Computers and Security Journal, Elsevier, 45:100–123, 2014. doi: http://dx.doi.org/10.1016/j.cose.2014.05.011.

Ali Gezer, Gary Warner, Clifford Wilson, and Prakash Shrestha. A flow-based approach for trickbot banking trojan detection. Computers & Security, 84:179–192, 2019. ISSN 0167-4048. doi: https://doi.org/10.1016/j.cose.2019.03.013. URL https://www.sciencedirect.com/science/article/pii/S0167404818309568.

Fatih Haltaş, Abdulkadir Poşul, Erkam Uzun, Bakir Emre, and Necati Şişeci. An Automated Bot Detection System through Honeypots for Large-Scale. 2014 6th International Conference on Cyber Conflict, NATO CCD COE Publications, Tallinn, pages 255–270, 2014.

Jiawei Han, Micheline Kamber, and Jian Pei. Data mining concepts and techniques, third edition, 2012. URL http://www.amazon.de/Data-Mining-Concepts-Techniques-Management/dp/0123814790/ref=tmm_hrd_title_0?ie=UTF8&qid=1366039033&sr=1-1.

D. Hitaj, B. Hitaj, S. Jajodia, and L.V. Mancini. Capture the bot: Using adversarial examples to improve captcha robustness to bot attacks. IEEE Intelligent Systems, 2020. doi: 10.1109/MIS.2020.3036156. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85098782217&doi=10.1109%2fMIS.2020.3036156&partnerID=40&md5=f13811deabb8fec3fc16842c032a2e07.

Nafiseh Hosseini, Fatemeh Fakhar, Behzad Kiani, and Saeid Eslami. Enhancing the security of patients portals and websites by detecting malicious web crawlers using machine learning techniques. International Journal of Medical Informatics, 132:103976, 2019. ISSN 1386-5056. doi: https://doi.org/10.1016/j.ijmedinf.2019.103976. URL https://www.sciencedirect.com/science/article/pii/S1386505619303454.

Christos Iliou, Theodoros Kostoulas, Theodora Tsikrika, Vasilios Katos, Stefanos Vrochidis, and Yiannis Kompatsiaris. Detection of advanced web bots by combining web logs with mouse behavioural biometrics. Digital Threats: Research and Practice, 0(ja), 2021. ISSN 2692-1626. doi: 10.1145/3447815. URL https://doi.org/10.1145/3447815.

Imperva. Bad Bot Report 2021 - The Pandemic of the Internet. Technical report, Imperva, California, USA, 2020. URL www.imperva.com.

Forough Ja’fari, Seyedakbar Mostafavi, Kiarash Mizanian, and Emad Jafari. An intelligent botnet blocking approach in software defined networks using honeypots. Journal of Ambient Intelligence and Humanized Computing, 12(2):2993–3016, 2021. ISSN 1868-5145. doi: 10.1007/s12652-020-02461-6. URL https://doi.org/10.1007/s12652-020-02461-6.

Yuede Ji, Yukun He, Xinyang Jiang, Jian Cao, and Qiang Li. Combating the evasion mechanisms of social bots. Computers & Security, 58:230–249, May 2016. ISSN 0167-4048. doi: 10.1016/j.cose.2016.01.007.

Arzum Karataş and Serap Şahin. A review on social bot detection techniques and research directions. 10 2017.

Nickolaos Koroniotis, Nour Moustafa, Elena Sitnikova, and Benjamin Turnbull. Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-iot dataset. Future Generation Computer Systems, 100:779–796, 2019. ISSN 0167-739X. doi: https://doi.org/10.1016/j.future.2019.05.041. URL https://www.sciencedirect.com/science/article/pii/S0167739X18327687.

Denis Kotkov, Gaurav Pandey, and Alexander Semenov. Gaming bot detection: A systematic literature review. In Xuemin Chen, Arunabha Sen, Wei Wayne Li, and My T. Thai, editors, Computational Data and Social Networks, pages 247–258, Cham, 2018. Springer International Publishing. ISBN 978-3-030-04648-4.

Sneha Kudugunta and Emilio Ferrara. Deep neural networks for bot detection. Information Sciences, 467:312–322, 2018. ISSN 0020-0255. doi: https://doi.org/10.1016/j.ins.2018.08.019. URL https://www.sciencedirect.com/science/article/pii/S0020025518306248.


M. Latah. Detection of malicious social bots: A survey and a refined taxonomy. Expert Systems with Applications, 151, 2020. doi: 10.1016/j.eswa.2020.113383. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85082019787&doi=10.1016%2fj.eswa.2020.113383&partnerID=40&md5=9e21e69aaae28ac86873367e39cd094b.

P. Lewandowski, M. Janiszewski, and A. Felkner. Spidertrap - an innovative approach to analyze activity of internet bots on a website. IEEE Access - SPECIAL SECTION ON EMERGING APPROACHES TO CYBER SECURITY, 8:141292–141309, 2020. doi: 10.1109/ACCESS.2020.3012969. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85089874174&doi=10.1109%2fACCESS.2020.3012969&partnerID=40&md5=21a9dd8ff511dac9a8a8be7baf264f30.

Javier Álvarez Cid-Fuentes, Claudia Szabo, and Katrina Falkner. An adaptive framework for the detection of novel botnets. Computers & Security, 79:148–161, 2018. ISSN 0167-4048. doi: https://doi.org/10.1016/j.cose.2018.07.019. URL https://www.sciencedirect.com/science/article/pii/S0167404818309805.

Shogo Maeda, Atsushi Kanai, Shigeaki Tanimoto, Takashi Hatashima, and Kazuhiko Ohkubo. A botnet detection method on sdn using deep learning. In 2019 IEEE International Conference on Consumer Electronics (ICCE), pages 1–6, Jan 2019. doi: 10.1109/ICCE.2019.8662080.

Marcelo Mendoza, Maurizio Tesconi, and Stefano Cresci. Bots in social and interaction networks: Detection and impact estimation. ACM Trans. Inf. Syst., 39(1), October 2020. ISSN 1046-8188. doi: 10.1145/3419369. URL https://doi.org/10.1145/3419369.

Justin Morgan. CLUSTERING WEB USERS BY MOUSE MOVEMENT TO DETECT BOTS. Master thesis, Faculty of California Polytechnic State University San Luis Obispo, 2021.

Guanyi Mou and Lee Kyumin. Malicious Bot Detection in Online Social Networks: Arming Handcrafted Features with Deep Learning. 12th International Conference, SocInfo 2020 Pisa, Italy, Proceedings - LNCS 12467, pages 220–236, 2020. doi: 10.1007/978-3-030-60975-7_17.

Mariam Orabi, Djedjiga Mouheb, Zaher Al Aghbari, and Ibrahim Kamel. Detection of bots in social media: A systematic review. Information Processing & Management, 57(4):102250, 2020. ISSN 0306-4573. doi: https://doi.org/10.1016/j.ipm.2020.102250. URL https://www.sciencedirect.com/science/article/pii/S0306457319313937.

Rizwan Ur Rahman and Deepak Singh Tomar. New biostatistics features for detecting web bot activity on web applications. Computers & Security, 97:102001, 2020. ISSN 0167-4048. doi: https://doi.org/10.1016/j.cose.2020.102001. URL https://www.sciencedirect.com/science/article/pii/S0167404820302741.


L. Rheault and A. Musulan. Efficient detection of online communities and social bot activity during electoral campaigns. Journal of Information Technology and Politics, 2021. doi: 10.1080/19331681.2021.1879705. URL https://www.scopus.com/inward/record.uri?eid=2-s2.0-85100537278&doi=10.1080%2f19331681.2021.1879705&partnerID=40&md5=08bdc3e906e3da7d079473ed7942966a.

Jorge Rodríguez-Ruiz, Javier Israel Mata-Sánchez, Raúl Monroy, Octavio Loyola-González, and Armando López-Cuevas. A one-class classification approach for bot detection on twitter. Computers & Security, 91:101715, 2020. ISSN 0167-4048. doi: https://doi.org/10.1016/j.cose.2020.101715. URL https://www.sciencedirect.com/science/article/pii/S0167404820300031.

Rashmi Ranjan Rout, Greeshma Lingam, and D. V. L. N. Somayajulu. Detection of Malicious Social Bots Using Learning Automata With URL Features in Twitter Network. IEEE Transactions on Computational Social Systems, 7(4):1004–1018, Aug 2020. ISSN 2329-924X. doi: 10.1109/TCSS.2020.2992223.

Stefano Rovetta, Grazyna Suchacka, and Francesco Masulli. Bot recognition in a web store: An approach based on unsupervised learning. Journal of Network and Computer Applications, 157:102577, 2020. ISSN 1084-8045. doi: https://doi.org/10.1016/j.jnca.2020.102577. URL https://www.sciencedirect.com/science/article/pii/S1084804520300515.

Gokhan Sagirlar, Barbara Carminati, and Elena Ferrari. Autobotcatcher: Blockchain-based p2p botnet detection for the internet of things. In 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), pages 1–8, Oct 2018. doi: 10.1109/CIC.2018.00-46.

Dipanjan Sarkar, Raghav Bali, and Tushar Sharma. Practical Machine Learning with Python: A Problem-Solver’s Guide to Building Real-World Intelligent Systems. Apress, USA, 1st edition, 2017. ISBN 1484232062.

Mohsen Sayyadiharikandeh, Onur Varol, Kai-Cheng Yang, Alessandro Flammini, and Filippo Menczer. Detection of novel social bots by ensembles of specialized classifiers. In Proceedings of the 29th ACM International Conference on Information & Knowledge Management, CIKM ’20, page 2725–2732, New York, NY, USA, 2020. Association for Computing Machinery. ISBN 9781450368599. doi: 10.1145/3340531.3412698. URL https://doi.org/10.1145/3340531.3412698.

Khlood Shinan, Khalid Alsubhi, and Ahmed Alzahrani. Machine Learning-Based Botnet Detection in Software-Defined Network : A Systematic Review. Symmetry, 866(13):1–28, 2021. doi: 10.3390/sym13050866. URL https://www.mdpi.com/journal/symmetry.

Sérgio S.C. Silva, Rodrigo M.P. Silva, Raquel C.G. Pinto, and Ronaldo M. Salles. Botnets: A survey. Computer Networks, 57(2):378–403, 2013. ISSN 1389-1286. doi: https://doi.org/10.1016/j.comnet.2012.07.021. URL https://www.sciencedirect.com/science/article/pii/S1389128612003568.

Editorial “Ediciones Futuro” 22


Universidad de las Ciencias Informáticas. La Habana, Cuba
[email protected]
Revista Cubana de Ciencias Informáticas
Vol. 16, No. 4, Mes Octubre-Diciembre, 2022
ISSN: 2227-1899 | RNPS: 2301
http://rcci.uci.cu
Pág. 1-26

Manmeet Singh, Maninder Singh, and Sanmeet Kaur. Detecting bot-infected machines using dns fin-
gerprinting. Digital Investigation, 28:14–33, 2019. ISSN 1742-2876. doi: https://doi.org/10.
1016/j.diin.2018.12.005. URL https://www.sciencedirect.com/science/article/pii/
S174228761830272X.

Georgios Spathoulas, Nikolaos Giachoudis, Georgios-Paraskevas Damiris, and Georgios Theodoridis. Col-
laborative blockchain-based detection of distributed denial of service attacks based on internet of things
botnets. Future Internet, 11(11), 2019. ISSN 1999-5903. doi: 10.3390/fi11110226. URL https:
//www.mdpi.com/1999-5903/11/11/226.

Grazyna Suchacka and Jacek Iwanski. Identifying legitimate web users and bots with different traffic pro-
files — an information bottleneck approach. Knowledge-Based Systems, 197:105875, 2020. ISSN 0950-
7051. doi: https://doi.org/10.1016/j.knosys.2020.105875. URL https://www.sciencedirect.
com/science/article/pii/S0950705120302318.

Grazyna Suchacka, Alberto Cabri, Stefano Rovetta, and Francesco Masulli. Efficient on-the-fly web bot de-
tection. Knowledge-Based Systems, 223:107074, 2021. ISSN 0950-7051. doi: https://doi.org/10.1016/
j.knosys.2021.107074. URL https://www.sciencedirect.com/science/article/pii/
S0950705121003373.

Pang-Ning Tan and Vipin Kumar. Discovery of Web Robot Sessions Based on their Navigational Pat-
terns. Data Mining and Knowledge Discovery, 6(1):9–35, 2002. ISSN 1573-756X. doi: 10.1023/A:
1013228602957. URL https://doi.org/10.1023/A:1013228602957.

Florian Tegeler, Xiaoming Fu, Giovanni Vigna, and Christopher Kruegel. Botfinder: Finding bots in network
traffic without deep packet inspection. In Proceedings of the 8th International Conference on Emerging
Networking Experiments and Technologies, CoNEXT ’12, page 349–360, New York, NY, USA, 2012.
Association for Computing Machinery. ISBN 9781450317757. doi: 10.1145/2413176.2413217. URL
https://doi.org/10.1145/2413176.2413217.

Eric C. Thompson. Cyber Risks and the Attack Life Cycle, pages 71–85. Apress, Berkeley, CA, 2018.
ISBN 978-1-4842-3870-7. doi: 10.1007/978-1-4842-3870-7 6. URL https://doi.org/10.1007/
978-1-4842-3870-7_6.

R.L. Tweedie. Markov chains: Structure and applications. In Stochastic Processes: Theory and Meth-
ods, volume 19 of Handbook of Statistics, pages 817–851. Elsevier, 2001. doi: https://doi.org/10.
1016/S0169-7161(01)19025-5. URL https://www.sciencedirect.com/science/article/
pii/S0169716101190255.

N. Venkatachalam and R. Anitha. A multi-feature approach to detect stegobot: a covert multi-


media social network botnet. Multimedia Tools and Applications, 76(4):6079–6096, 2017. doi:
10.1007/s11042-016-3555-3. URL https://www.scopus.com/inward/record.uri?eid=

Editorial “Ediciones Futuro” 23


Universidad de las Ciencias Informáticas. La Habana, Cuba
[email protected]
Revista Cubana de Ciencias Informáticas
Vol. 16, No. 4, Mes Octubre-Diciembre, 2022
ISSN: 2227-1899 | RNPS: 2301
http://rcci.uci.cu
Pág. 1-26

2-s2.0-84969753274&doi=10.1007%2fs11042-016-3555-3&partnerID=40&md5=
7ac5b72ef2a45817679eb18e166d8b8e.

Sridhar Venkatesan, Massimiliano Albanese, George Cybenko, and Sushil Jajodia. A moving target defense
approach to disrupting stealthy botnets. In Proceedings of the 2016 ACM Workshop on Moving Target
Defense, MTD ’16, page 37–46, New York, NY, USA, 2016. Association for Computing Machinery. ISBN
9781450345705. doi: 10.1145/2995272.2995280. URL https://doi.org/10.1145/2995272.
2995280.

Sridhar Venkatesan, Massimiliano Albanese, Ankit Shah, Rajesh Ganesan, and Sushil Jajodia. Detecting
stealthy botnets in a resource-constrained environment using reinforcement learning. In Proceedings of the
2017 Workshop on Moving Target Defense, MTD ’17, page 75–85, New York, NY, USA, 2017. Association
for Computing Machinery. ISBN 9781450351768. doi: 10.1145/3140549.3140552. URL https://
doi.org/10.1145/3140549.3140552.

Shardul Vikram, Chao Yang, and Guofei Gu. Nomad: Towards non-intrusive moving-target defense against
web bots. In 2013 IEEE Conference on Communications and Network Security (CNS), pages 55–63, Oct
2013. doi: 10.1109/CNS.2013.6682692.

Wei Wang, Yaoyao Shang, Yongzhong He, Yidong Li, and Jiqiang Liu. Botmark: Automated botnet
detection with hybrid analysis of flow-based and graph-based traffic behaviors. Information Sciences,
511:284–296, 2020. ISSN 0020-0255. doi: https://doi.org/10.1016/j.ins.2019.09.024. URL https:
//www.sciencedirect.com/science/article/pii/S0020025519308758.

Wei Wu, Jaime Alvarez, Chengcheng Liu, and Hung-Min Sum. Bot detection using unsupervised machine
learning. Microsystem Technologies, 2016. ISSN 1432-1858. doi: 10.1007/s00542-016-3237-0.

Yuhao Wu, Yuzhou Fang, Shuaikang Shang, Jing Jin, Lai Wei, and Haizhou Wang. A novel framework
for detecting social bots with deep neural networks and active learning. Knowledge-Based Systems, 211:
106525, 2021. ISSN 0950-7051. doi: https://doi.org/10.1016/j.knosys.2020.106525. URL https://
www.sciencedirect.com/science/article/pii/S0950705120306547.

Ying Xing, Hui Shu, Hao Zhao, Dannong Li, and Li Guo. Survey on Botnet Detection Techniques : Classifi-
cation , Methods , and Evaluation. Hindawi Mathematical Problems in Engineering, 2021:24, 2021. doi:
10.1155/2021/6640499. URL https://doi.org/10.1155/2021/6640499.

Xin Xu, Lei Liu, and Bo Li. A survey of captcha technologies to distinguish between human and
computer. Neurocomputing, 408:292–307, 2020. ISSN 0925-2312. doi: https://doi.org/10.1016/
j.neucom.2019.08.109. URL https://www.sciencedirect.com/science/article/pii/
S0925231220304896.

Moosa Yahyazadeh and Mahdi Abadi. Botgrab: A negative reputation system for botnet detection. Com-
puters & Electrical Engineering, 41:68–85, 2015. ISSN 0045-7906. doi: https://doi.org/10.1016/

Editorial “Ediciones Futuro” 24


Universidad de las Ciencias Informáticas. La Habana, Cuba
[email protected]
Revista Cubana de Ciencias Informáticas
Vol. 16, No. 4, Mes Octubre-Diciembre, 2022
ISSN: 2227-1899 | RNPS: 2301
http://rcci.uci.cu
Pág. 1-26

j.compeleceng.2014.10.010. URL https://www.sciencedirect.com/science/article/


pii/S0045790614002560.

Kai-Cheng Yang, Onur Varol, Clayton A. Davis, Emilio Ferrara, Alessandro Flammini, and Filippo Menczer.
Arming the public with artificial intelligence to counter social bots. Human Behavior and Emerging Tech-
nologies, 1(1):48–61, 2019. doi: https://doi.org/10.1002/hbe2.115. URL https://onlinelibrary.
wiley.com/doi/abs/10.1002/hbe2.115.

Mahdieh Zabihimayvan, Reza Sadeghi, H. Nathan Rude, and Derek Doran. A soft computing approach for
benign and malicious web robot detection. Expert Systems with Applications, 87:129–140, 2017. ISSN
0957-4174. doi: https://doi.org/10.1016/j.eswa.2017.06.004. URL https://www.sciencedirect.
com/science/article/pii/S0957417417304116.

Zili Zha, An Wang, Yang Guo, Doug Montgomery, and Songqing Chen. Botsifter: An sdn-based online bot
detection framework in data centers. In 2019 IEEE Conference on Communications and Network Security
(CNS), pages 142–150, June 2019. doi: 10.1109/CNS.2019.8802854.

David Zhao, Issa Traore, Bassam Sayed, Wei Lu, Sherif Saad, Ali Ghorbani, and Dan Garant. Botnet detection
based on traffic behavior analysis and flow intervals. Computers & Security, 39:2–16, 2013. ISSN 0167-
4048. doi: https://doi.org/10.1016/j.cose.2013.04.007. URL https://www.sciencedirect.com/
science/article/pii/S0167404813000837.

Jun Zhao, Xudong Liu, Qiben Yan, Bo Li, Minglai Shao, and Hao Peng. Multi-attributed heterogeneous
graph convolutional network for bot detection. Information Sciences, 537:380–393, 2020. ISSN 0020-
0255. doi: https://doi.org/10.1016/j.ins.2020.03.113. URL https://www.sciencedirect.com/
science/article/pii/S0020025520302930.

Author contributions

1. Conceptualization: Humberto Díaz Pando, Mailyn Moreno Espino

2. Data curation: Hélder João Chissingui

3. Formal analysis: Hélder João Chissingui

4. Research: Hélder João Chissingui

5. Methodology: Hélder João Chissingui

6. Project administration: Humberto Díaz Pando

7. Resources: Mailyn Moreno Espino, Nayma Sepero Pérez

8. Supervision: Humberto Díaz Pando

9. Validation: Hélder João Chissingui, Humberto Díaz Pando, Mailyn Moreno Espino, Nayma Sepero Pérez

10. Visualization: Hélder João Chissingui, Humberto Díaz Pando, Mailyn Moreno Espino, Nayma Sepero Pérez

11. Writing – Hélder João Chissingui

12. Writing – Hélder João Chissingui, Humberto Díaz Pando, Mailyn Moreno Espino, Nayma Cepero Pérez
