Classification of Botnet Detection Based on Botnet Architecture

2012 International Conference on Communication Systems and Network Technologies

N. S. Raghava, Dept. of Information Technology, Delhi Technological University, Delhi, India, nsraghava@dce.ac.in
Divya Sahgal, Dept. of Information Technology, Delhi Technological University, Delhi, India, divyasahgal61@gmail.com
Seema Chandna, Dept. of Information Technology, Delhi Technological University, Delhi, India, seemachandna64@gmail.com

Abstract—Nowadays, Botnets pose a major threat to the security of online ecosystems and computing assets. A Botnet is a network of computers which are compromised under the influence of Bot (malware) code. This paper clarifies the Botnet phenomenon and discusses the Botnet mechanism, Botnet architecture and Botnet detection techniques. Botnet detection techniques can be categorized into six classes: honeypot-based, signature-based, mining-based, anomaly-based, DNS-based and network-based. It provides a brief comparison of the above-mentioned Botnet detection techniques. Finally, we discuss the importance of honeypot research to detect the infection vector and to deal with new Botnet approaches in the near future.

Keywords: Botnet; Bot; Malware; Malicious code; P2P; Honeypot

978-0-7695-4692-6/12 $26.00 © 2012 IEEE, DOI 10.1109/CSNT.2012.128

I. INTRODUCTION

Internet users were earlier attacked by widespread email viruses, but the scenario has now changed. Attackers are no longer interested in merely attracting media attention by infecting a large number of computers on the network; their interest has shifted to compromising and controlling the infected computers for their personal profit. This new attack trend brings the concept of Botnets over the global network of computers. Basically, “Botnet” comprises two terms, “Bot + Net”. When malware code is installed on a vulnerable computer and the system is compromised, it can be controlled remotely by the Bot-master by executing threatening commands on the victim computer. This victim computer is called a “Bot”. A Bot can also be referred to as a “Zombie” [22, 24]. In this fashion, a network (Net) of Bots is formed, which is called a “Botnet”. The term Botmaster refers to the person who controls and manages the whole network of Bots.

In this paper, section 2 describes the Botnet mechanism, section 3 explains the different types of Botnet based on their architecture and provides a brief comparison between centralized and P2P Botnets, and section 4 discusses different Botnet detection techniques. Finally, we conclude in section 5.

II. BOTNET MECHANISM

The term Bot has been taken from “RoBot”, which works in a similar fashion to perform some predefined functions programmed by the Bot-master in an automated way. Bots can receive commands from the Bot-master and work according to those commands to perform many cyber crimes, for example phishing [26], malware dissemination, Distributed Denial of Service (DDoS) attacks, identity theft, etc. The process of a Botnet can be broadly divided into three parts: (1) Searching: searching for vulnerable and unprotected computers. (2) Distributing: the Bot code is distributed to the computers (targets), so the targets become Bots. (3) Sign-on: the Bots connect to the Botmaster and become ready to receive command and control traffic [6].

In a Botnet each computer is infected with a malicious program called a “Bot”, which actively communicates with other Bots in the Botnet or with several “Bot controllers” to receive commands from the Botnet owner [3]. Unlike existing malware (such as viruses and worms), a Botnet is based on a Command and Control (C&C) infrastructure, which allows Bots to receive commands and malicious code as ordered by the Bot-master [32]. The IRC protocol uses the centralized approach for the C&C infrastructure. The centralized C&C mechanism of such Botnets has made them vulnerable to being detected and disabled. Therefore a new technique has been introduced, namely Peer-to-Peer (P2P) based Botnets.

III. TYPES OF BOTNET BASED ON THE ARCHITECTURE

A. Centralized Botnets

The old approach used by Botnets for their Command and Control (C&C) architecture was the centralized (hierarchical) mechanism. In this approach, the Bot-master (attacker) distributes the commands over the Botnet via various Bot-Controllers in order to hide the attacker’s real identity. The use of multiple Bot-Controllers prevents security professionals from shutting down the C&C channel [6], as shown in Figure 1. In the figure, the Bot-Controller retrieves the command from the Bot-master and then distributes these commands further to all the Bots in the Botnet.

Figure 1. Illustration of a centralized Botnet

B. P2P-Structured Botnets

Cooke et al. [3] discussed three different Botnet communication topologies and their properties: centralized, peer-to-peer (P2P), and random. In a random topological Botnet, a Bot knows no more than one other Bot [3], so this topology is not successful.

Figure 2. Structure of P2P model

There is no C&C server in P2P Botnets. The Botmaster directly communicates with a single Bot peer, and that Bot then spreads the command sent by the Bot-master to the other Bots in the Botnet. A P2P Botnet is much harder to suspend. However, a P2P Botnet is not easily manageable, because transferring commands is slow compared to a centralized Botnet [13]. P2P Botnets are very difficult for defenders to track, because a single point of failure in a P2P Botnet does not create significant disruption [1, 20]. It was observed in the research that a centralized Botnet has a weakness: it is easy to detect. Hence Botnets often use P2P. A comparison between centralized and P2P Botnets is shown in Table I. However, a malicious P2P Botnet also has a weakness, namely the Sybil attack [2]. For this reason, the malicious HTTP2P Botnet appeared in 2008 [34].

TABLE I. Comparison Between Centralized & P2P Botnets

S.No. | Parameters                 | Centralized                                                       | P2P
1.    | Tracking                   | Easier                                                            | Difficult
2.    | Single point of failure    | Can destroy the whole Botnet                                      | Will not affect much
3.    | Cost incurred              | Higher cost                                                       | Low
4.    | Risk of hijacking          | Hijacking of Bot-controller can reveal the identity of Bot-master | Hijacking a Bot peer cannot reveal the identity of Botmaster
5.    | Command distribution speed | Faster                                                            | Slower
6.    | Management                 | Easy                                                              | Difficult

IV. BOTNET DETECTION TECHNIQUES

Different approaches have been proposed for the detection of Botnets. One approach is based on locating honeypots in the network.

A. Honeypot-Based Detection

A honeypot is a decoy system set up to entice attackers into attacking it, with the aim of protecting the critical targets. Honeypots are computer systems which don’t have any production value. According to this concept, a resource that expects no traffic should receive none, so any traffic to or from it is most likely suspicious activity and must be investigated [18, 25]. This technique is very effective for gathering compact, high-value information and tracking Botnets. The useful information that a honeypot can collect includes:
i. Signatures of Bots for content-based detection
ii. Information on the Botnet C&C mechanism/servers
iii. Unknown security holes that enable Bots to penetrate the network
iv. Tools and techniques that attackers use
v. The motivation of the attacker [12].

Many papers have discussed how to apply honeynets for Botnet detection. For example, Nepenthes [29] is a low-interaction honeypot that simulates some vulnerabilities and provides features for the collection of malware binaries. Freiling et al. [23] used a honeypot to track Botnets in the network and generate an early report for understanding the consequences of Botnets. There are some limitations in using honeypots: some smart worms may wake up to the honeypot and snub it, and in that case the honeypot might become an accessory if it is compromised and used as a bounce [19].

B. Signature-Based Detection

Knowledge about the signatures of existing Botnets makes Botnet detection easier. The advantages of this technique are immediate detection and the impossibility of false positives. But the signature-based detection approach is functional for well-known Botnets only. Unknown Botnets cannot be detected by this method; consequently, this solution is not functional for unknown Bots [8, 9]. This means that zero-day Bot attacks cannot be detected. One of the well-known signature-based Botnet detection techniques is Rishi [15], which matches known nickname patterns of IRC Bots.

C. Anomaly-Based Detection

Anomaly-based detection techniques attempt to detect Botnets based on several network traffic anomalies such as high network latency, high volumes of traffic, traffic on unusual ports, and unusual system behaviour that could indicate the presence of malicious Bots in the network [7, 28, 30]. Although anomaly detection techniques solve the problem of detecting unknown Botnets, one problem with anomaly detection is an IRC network that may be a Botnet but has not yet been used for attacks, so that there are no anomalies to detect.

D. DNS-Based Detection

DNS-based detection techniques are based on the particular DNS information generated by a Botnet. They are similar to anomaly detection techniques, as similar anomaly detection algorithms are applied to DNS traffic [16, 17]. Bots typically initiate a connection with the C&C server to get commands. In order to access the C&C server, Bots perform DNS queries to locate the respective C&C server, which is typically hosted by a DDNS provider. Thus, it is possible to detect Botnet DNS traffic by DNS monitoring and detecting DNS traffic anomalies.

E. Mining-Based Detection

One effective technique for Botnet detection is to identify Botnet C&C traffic. However, Botnet C&C traffic is difficult to detect [4, 11, 21]. In fact, since Botnets utilize normal protocols for C&C communications, the traffic is similar to normal traffic. Moreover, the C&C traffic is not high volume and does not cause high network latency. Therefore, anomaly-based techniques are not useful for identifying Botnet C&C traffic. Several data mining techniques, including machine learning, classification, and clustering, can be used efficiently to detect Botnet C&C traffic. BotMiner is an improvement of BotSniffer [10, 31, 33, 34]. It clusters similar communication traffic and similar malicious traffic. Then, it performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns.

F. Network-Based Technique

A network-based technique is a detection strategy which tries to detect Botnets by monitoring network traffic. We can classify network-based techniques into two categories: active monitoring and passive monitoring. Active monitoring is based on the ability to inject test packets into the network, servers or applications in order to measure the reactions of the network; therefore, it produces extra traffic. Among all the Botnet detection techniques which currently exist, we found the BotProbe [15] technique to be the only active monitoring strategy for the detection of Botnets. Passive monitoring uses devices to inspect the traffic as it passes by. It does not increase the traffic on the network for inspection. This strategy usually requires a long time to inspect multiple stages or rounds of Botnet communication and activities in order to detect Botnets.

V. CONCLUSION

Despite the long presence of malicious Botnets, only a few formal studies have examined the Botnet problem, and Botnet research is still in its infancy. The diversity of Botnet protocols and structures makes Botnet detection a very challenging task. As shown in the comparison table, Botnet detection techniques are classified into six classes: honeypot-based, signature-based, anomaly-based, DNS-based, mining-based and network-based. Signature-based techniques can only detect known Botnets, whereas the other classes are able to detect unknown Bots. From the comparison (given in the table) we can conclude that honeypot-based detection is the most efficient technique, and we propose that in the coming years emphasis should be laid on further honeypot research to make it more viable and foolproof. Honeypot research and deployment has significant value for the security community, but honeypot researchers should not forget the importance of studying ways to build disguised honeypots, and the limitations of deploying honeypots in security defense. Internet security attack and defense is an endless war. From the attackers’ perspective, there is a trade-off between detecting honeypots in their Botnets and avoiding Bot removal by security professionals. In the end, we should emphasize that there is significant value in honeypot research and deployment for detecting Botnets and the sources of attacks.
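To make the signature-based approach of section IV.B concrete, the following Python script, added here as an illustration and not taken from the paper or from the Rishi tool, scores IRC NICK messages against a small hypothetical table of Bot nickname patterns and reports the source hosts whose nicknames match. The sample IRC records and the signature regexes are constructed for this example; the last record shows the limitation the section describes, a nickname scheme with no signature that the method cannot see.

```python
import re
from collections import defaultdict

# Constructed sample of IRC traffic, one record per line: "<src_ip> <channel> NICK <nickname>".
# Invented for this example; not data from the paper or from the Rishi evaluation.
SAMPLE_IRC_LINES = """\
10.0.0.5 #sales NICK alice
10.0.0.9 #ops NICK [DEU|XP|12345]
10.0.0.7 #chat NICK bob_smith
10.0.0.12 #x NICK USA|00|9981237
10.0.0.12 #x NICK rbot-44719
10.0.0.3 #random NICK carol
10.0.0.20 #x NICK zz-node-a7
""".splitlines()

# Hypothetical signature table in the spirit of Rishi-style nickname matching:
# (compiled pattern, score, label). A real deployment would load patterns from a
# maintained signature file; these shapes are assumptions made for the example.
NICK_SIGNATURES = [
    (re.compile(r"^\[?[A-Z]{2,3}\|[A-Za-z0-9]+\|\d{3,}\]?$"), 8, "country|os|id"),
    (re.compile(r"^[A-Z]{2,3}\|\d{2}\|\d{5,}$"), 8, "country|nn|id"),
    (re.compile(r"^(r|sd|ag|x)bot[-_]?\d{3,}$", re.IGNORECASE), 6, "family-prefix+id"),
    (re.compile(r"\d{5,}$"), 3, "long numeric suffix"),
]
ALERT_THRESHOLD = 6  # score at or above which a nickname is reported


def score_nick(nick):
    """Return (score, [labels of matched signatures]); the score is the best single match."""
    best, hits = 0, []
    for pattern, score, label in NICK_SIGNATURES:
        if pattern.search(nick):
            hits.append(label)
            best = max(best, score)
    return best, hits


def parse_line(line):
    """Parse one constructed record; return (src_ip, channel, nick) or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "NICK":
        return None
    return parts[0], parts[1], parts[3]


def detect_bot_hosts(lines, threshold=ALERT_THRESHOLD):
    """Map src_ip -> [(nick, score, labels)] for hosts with a nickname scoring >= threshold."""
    flagged = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _channel, nick = rec
        score, hits = score_nick(nick)
        if score >= threshold:
            flagged[ip].append((nick, score, hits))
    return dict(flagged)


if __name__ == "__main__":
    for ip, matches in sorted(detect_bot_hosts(SAMPLE_IRC_LINES).items()):
        for nick, score, hits in matches:
            print(f"{ip}: nick {nick!r} score {score} matched {hits}")
    # 10.0.0.20's "zz-node-a7" is never reported: a nickname scheme with no signature
    # is invisible to this method, which is the zero-day gap the section describes.
```

Because every match is a known pattern, a hit is a strong signal (the "impossibility of false positives" claimed above only holds while the signatures stay specific); the price is that the unmatched host is simply absent from the output rather than reported as unknown.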
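The cross-cluster correlation idea of section IV.E can be shown with a simplified worked example. The Python below is added here and is not BotMiner's own code: it groups hosts by a similar communication pattern to the same destination (the C-plane), groups hosts by the malicious activity observed from them (the A-plane), and then reports only hosts that fall into the same cluster in both planes. The flow aggregates, the activity events, and the log2 bucketing used in place of a real clustering algorithm are all constructed assumptions for the example.

```python
import math
from collections import defaultdict
from itertools import combinations

# C-plane: who talks to whom, and how. Constructed per-(src, dst, port) aggregates, not
# real flow data: (src_ip, dst_ip, dst_port, flows_per_hour, avg_bytes_per_packet).
C_FLOWS = [
    ("10.0.0.5",  "203.0.113.7",  6667, 10, 70),
    ("10.0.0.9",  "203.0.113.7",  6667, 12, 80),
    ("10.0.0.12", "203.0.113.7",  6667, 14, 90),
    ("10.0.0.8",  "203.0.113.7",  6667,  2, 400),  # human IRC user: same server, different shape
    ("10.0.0.5",  "198.51.100.1",  443, 30, 600),  # ordinary web traffic
    ("10.0.0.3",  "198.51.100.1",  443,  5, 650),
]

# A-plane: who is doing what. Constructed alerts from a scan/spam detector: (src_ip, activity).
A_EVENTS = [
    ("10.0.0.5", "scan"),
    ("10.0.0.9", "scan"),
    ("10.0.0.12", "scan"),
    ("10.0.0.3", "scan"),  # a lone scanner with no shared C-cluster: activity alone is not enough
]


def c_cluster_key(dst_ip, dst_port, flows_per_hour, bytes_per_packet):
    """Stand-in for real clustering: bucket the flow features on a log2 scale so that
    hosts with a similar traffic shape to the same destination share a key."""
    return (dst_ip, dst_port, int(math.log2(flows_per_hour)), int(math.log2(bytes_per_packet)))


def build_c_clusters(flows):
    """Group source hosts by communication pattern; keep only clusters with >= 2 members."""
    clusters = defaultdict(set)
    for src, dst, port, fph, bpp in flows:
        clusters[c_cluster_key(dst, port, fph, bpp)].add(src)
    # A deployment would also drop flows to popular, known-good destinations before this step.
    return {key: hosts for key, hosts in clusters.items() if len(hosts) >= 2}


def build_a_clusters(events):
    """Group source hosts by the kind of malicious activity observed."""
    clusters = defaultdict(set)
    for src, activity in events:
        clusters[activity].add(src)
    return dict(clusters)


def correlate(c_clusters, a_clusters):
    """Cross-plane score per host pair: positive only when the pair shares at least one
    C-cluster and at least one A-cluster (a simplification of BotMiner's pairwise score)."""
    c_member, a_member = defaultdict(set), defaultdict(set)
    for key, hosts in c_clusters.items():
        for host in hosts:
            c_member[host].add(key)
    for key, hosts in a_clusters.items():
        for host in hosts:
            a_member[host].add(key)
    hosts = sorted(set(c_member) | set(a_member))
    scores = {}
    for h1, h2 in combinations(hosts, 2):
        shared_c = len(c_member[h1] & c_member[h2])
        shared_a = len(a_member[h1] & a_member[h2])
        if shared_c and shared_a:
            scores[(h1, h2)] = shared_c * shared_a
    return scores


def botnet_groups(scores):
    """Join hosts linked by a positive score into candidate botnets (connected components)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for h1, h2 in scores:
        parent[find(h1)] = find(h2)
    groups = defaultdict(set)
    for host in list(parent):
        groups[find(host)].add(host)
    return sorted(sorted(g) for g in groups.values())


def detect(flows=C_FLOWS, events=A_EVENTS):
    """Run both planes over the constructed data and return the candidate botnets."""
    return botnet_groups(correlate(build_c_clusters(flows), build_a_clusters(events)))


if __name__ == "__main__":
    for group in detect():
        print("candidate botnet:", ", ".join(group))
```

The three hosts talking to the same IRC server with the same low-volume, periodic shape and all scanning are reported together; the human IRC user on the same server (different traffic shape, no alerts) and the lone scanner (alerts, but no shared communication cluster) are not, which is the point of requiring agreement across both planes rather than relying on traffic volume or activity alone.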


TABLE II. Comparison Between Different Botnet Detection Techniques

REFERENCES

[1] C. Davis, S. Neville, J. Fernandez, J.-M. Robert, and J. McHugh, “Structured peer-to-peer overlay networks: Ideal botnets command and control infrastructures?”, to appear in the 13th European Symposium on Research in Computer Security (ESORICS’08), 2008.
[2] Dae-Il Jang, Jae-Seo Lee, Jun-Hyung Park, Minsoo Kim, and Bong-Nam Noh, “Analysis of HTTP-Based Malicious Botnet (The cases of Kraken Botnet)”, The 30th Fall Conference, 2008.
[3] Dae-il Jang, Minsoo Kim, Hyun-chul Jung, and Bong-Nam Noh, “Analysis of HTTP2P Botnet: Case Study Waledac”, in Proceedings of the IEEE 9th Malaysia International Conference on Communications, 2009.
[4] D. Fisher, “Storm, Nugache lead dangerous new botnet barrage”, SearchSecurity.com, December 2007.
[5] Evan Cooke, Farnam Jahanian, and Danny McPherson, “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets”, in Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI ’05), 2005.
[6] F. Freiling, T. Holz, and G. Wicherski, “Botnet Tracking: Exploring a Root-cause Methodology to Prevent Denial of Service Attacks”, in Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS’05), 2005.
[7] F. Giroire, J. Chandrashekar, N. Taft, E. Schooler, and K. Papagiannaki, “Exploiting temporal persistence to detect covert botnet channels”, in 12th International Symposium on Recent Advances in Intrusion Detection (RAID’09), 2009.
[8] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet command and control channels in network traffic”, in Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), February 2008.
[9] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: Detecting malware infection through IDS-driven dialog correlation”, in 16th USENIX Security Symposium, 2007.
[10] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection”, in Proceedings of the 17th USENIX Security Symposium (Security’08), 2008.
[11] Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee, “Active Botnet Probing to Identify Obscure Command and Control Channels”, Annual Computer Security Applications Conference, 2009.
[12] Hossein Rouhani Zeidanloo, Mohammad Jorjor Zadeh Shooshtari, Payam Vahdani Amoli, M. Safari, and Mazdak Zamani, “A Taxonomy of Botnet Detection Techniques”, IEEE, 2010.
[13] H. R. Zeidanloo and A. A. Manaf, “Botnet Command and Control Mechanisms”, Second International Conference on Computer and Electrical Engineering (ICCEE ’09), pp. 564–568, 2009.
[14] Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong, “Freenet: A distributed anonymous information storage and retrieval system”, Lecture Notes in Computer Science, 2009:46+, 2001.
[15] Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong, “Freenet: A distributed anonymous information storage and retrieval system”, Lecture Notes in Computer Science, 2009.
[16] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon, “Peer-to-peer botnets: Overview and case study”, in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.
[17] J. Goebel and T. Holz, “Rishi: Identify bot contaminated hosts by IRC nickname evaluation”, in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.
[18] Jonell Baltazar, Joey Costoya, and Ryan Flores, “Infiltrating WALEDAC Botnet’s Covert Operations”, Trend Micro, 2009.
[19] J. Zhuge, X. Han, J. Guo, W. Zou, T. Holz, and Y. Zhou, “Characterizing the IRC-based botnet phenomenon”, China Honeynet Technical Report, 2007.
[20] Lasse Trolle Borup, “Peer-to-peer botnets: A case study on Waledac”, Technical University of Denmark, 2009.
[21] M. Collins, T. Shimeall, S. Faber, J. Janies, R. Weaver, M. D. Shon, and J. Kadane, “Using uncleanliness to predict future botnet addresses”, in Proceedings of the 2007 Internet Measurement Conference (IMC’07), 2007.
[22] N. Ianelli and A. Hackworth, “Botnets as a Vehicle for Online Crime”, CERT, December 2005.
[23] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, “The nepenthes platform: An efficient approach to collect malware”, in Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID’06), Hamburg, September 2006.
[24] P. Barford and V. Yegneswaran, “An Inside Look at Botnets”, in Special Workshop on Malware Detection, Advances in Information Security, Springer, Heidelberg, 2006.
[25] P. Porras, H. Saidi, and V. Yegneswaran, “A foray into Conficker’s logic and rendezvous points”, in 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
[26] P. Wang, S. Sparks, and C. C. Zou, “An Advanced Hybrid Peer-to-Peer Botnet”, in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007), April 2007.
[27] P. Wang, S. Sparks, and C. C. Zou, “An Advanced Hybrid Peer-to-Peer Botnet”, IEEE Transactions on Dependable and Secure Computing, 11 July 2008.
[28] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, and E. Kirda, “Automatically generating models for botnet detection”, in 14th European Symposium on Research in Computer Security (ESORICS’09), 2009.
[29] R. Vogt, J. Aycock, and J. M. J. Jacobson, “Army of botnets”, in Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), March 2007.
[30] S. Gianvecchio, M. Xie, Z. Wu, and H. Wang, “Measurement and classification of humans and bots in internet chat”, in Proceedings of the 17th USENIX Security Symposium (Security’08), 2008.
[31] T. F. Yen and M. K. Reiter, “Traffic aggregation for malware detection”, in Proceedings of the Fifth GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’08), 2008.
[32] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm”, in Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET’08), April 2008.
[33] V. Yegneswaran, C. Alfeld, P. Barford, and J. Y. Cai, “Camouflaging honeynets”, in Proceedings of the IEEE Global Internet Symposium, 2007.
[34] http://www.honeynet.org/papers/Bots/