BOTMINER: CLUSTERING ANALYSIS OF NETWORK TRAFFIC FOR PROTOCOL- AND STRUCTURE- INDEPENDENT BOTNET DETECTION

Upload: ncct

Post on 11-May-2015


Page 1:

BOTMINER: CLUSTERING ANALYSIS OF NETWORK TRAFFIC FOR PROTOCOL- AND STRUCTURE-INDEPENDENT BOTNET DETECTION

Page 2:

INTRODUCTION:

Botnets are becoming one of the most serious threats to Internet security. A botnet is a network of compromised machines under the influence of malware (bot) code. The botnet is commandeered by a "botmaster" and utilized as a "resource" or "platform" for attacks such as distributed denial-of-service (DDoS) attacks, and for fraudulent activities such as spam, phishing, identity theft, and information exfiltration.

In order for a botmaster to command a botnet, there needs to be a command and control (C&C) channel through which bots receive commands and coordinate attacks and fraudulent activities. The C&C channel is the means by which individual bots form a botnet.

Page 3:

Centralized C&C structures using the Internet Relay Chat (IRC) protocol have been utilized by botmasters for a long time.

Therefore, we need to develop a next-generation botnet detection system, which should be independent of the C&C protocol, structure, and infection model of botnets, and be resilient to changes of C&C server addresses. In addition, it should require no a priori knowledge of specific botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses).

In order to design such a general detection system that can resist evolution and changes in botnet C&C techniques, we need to study the intrinsic botnet communication and activity characteristics that remain detectable with the proper detection features.

Page 4:

We thus start with the definition and essential properties of a botnet. We define a botnet as:

"A coordinated group of malware instances that are controlled via C&C channels".

If the botmaster commands each bot individually with a different command/channel, the bots are nothing but some isolated/unrelated infections. That is, they do not function as a botnet according to our definition and are out of the scope of this work.

Page 5:

ABOUT THE PROJECT:

We propose a general detection framework that is based on these essential properties of botnets. This framework monitors both who is talking to whom (which may suggest C&C communication activities) and who is doing what (which may suggest malicious activities), and finds a coordinated group pattern in both kinds of activities.

More specifically, our detection framework clusters similar communication activities in the C-plane (C&C communication traffic), clusters similar malicious activities in the A-plane (activity traffic), and performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns.

These hosts, according to the botnet definition and properties discussed above, are bots in the monitored network.

Page 6:

OBJECTIVE:

The objective of BotMiner is to detect groups of compromised machines within a monitored network that are part of a botnet. We do so by passively analyzing network traffic in the monitored network.

DETECTION APPROACH MEETS SEVERAL GOALS:

* It is independent of the protocol and structure used for communicating with the botmaster, and is resistant to changes in the location of the C&C server(s).

* It is independent of the content of the C&C communication. That is, we do not inspect the content of the C&C communication itself, because C&C could be encrypted or use a customized (obscure) protocol.

* It generates a low number of false positives and false negatives.

* The analysis of network traffic employs a reasonable amount of resources and time, making detection relatively efficient.

Page 7:

EXISTING SYSTEM:

Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing.

Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques.

Page 8:

PROPOSED SYSTEM:

In this project, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels.

We propose a general detection framework that is based on these essential properties of botnets.

This framework monitors both who is talking to whom (which may suggest C&C communication activities) and who is doing what (which may suggest malicious activities), and finds a coordinated group pattern in both kinds of activities.

Page 9:

More specifically, our detection framework clusters similar communication activities in the C-plane (C&C communication traffic), clusters similar malicious activities in the A-plane (activity traffic), and performs cross-cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns.

These hosts, according to the botnet definition and properties discussed above, are bots in the monitored network.

The objective of BotMiner is to detect groups of compromised machines within a monitored network that are part of a botnet. We do so by passively analyzing network traffic in the monitored network.

Page 10:

MODULES:

* Loading Screen
* Login Screen
* A-Plane Monitor
* C-Plane Monitor
* A-Plane Clustering
* C-Plane Clustering

Page 11:

MODULE DESCRIPTION

Page 12:

LOADING SCREEN:

* This module just loads the project for a certain time. It shows the title of the project while it loads.

LOGIN SCREEN:

* This module is used to enter the user name and password. It has the Username and Password fields.
* We have to enter the username and password.
* Then select the login button. If the credentials are right, it will go to the next screen.
* Else it will display the message to enter the correct username and password.

Page 13:

A-PLANE MONITOR:

The A-Plane Monitor logs information on who is doing what. It analyzes the outbound traffic through the monitored network and is capable of detecting several malicious activities that the internal hosts may perform.

The malicious activities are:

* Spam
* Task Report

SPAM:

* If anyone is sending a bulk of messages, they will be stored in a Spam folder; such messages are also referred to as unwanted messages.
* To stop that kind of activity we split the message into packets.
* It checks the header, body and content.

Page 14:

TASK REPORT:

* It generates the report of the task list performed by other nodes on the network.

C-PLANE MONITOR:

* It retrieves the type of message transferred and finds the protocol used for communication.

A-PLANE CLUSTERING:

* For the spam activity clustering, because there are very few hosts that show spamming activities in our monitored network, we simply cluster hosts together if they perform spamming.

Page 15:

C-PLANE CLUSTERING:

C-plane clustering is responsible for reading the logs generated by the C-plane monitor and finding clusters of machines that share similar communication patterns.
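The pipeline these slides describe, from the C-plane and A-plane monitors through C-plane clustering, A-plane clustering and the cross-cluster correlation of the "About the project" slides, carried through as an added Python example. This is not code from the presentation or from the BotMiner project. The flow log and activity log are constructed; the C-flow features are flows per epoch, mean packets per flow and mean bytes per packet (bytes per second is left out because the constructed log carries no durations); single-linkage clustering under a relative distance threshold stands in for the X-means clustering of the paper, and the "share a C-cluster and an A-cluster" rule stands in for its pairwise correlation score. Host names h1 to h6, the threshold 0.25 and all function names are assumptions.

```python
"""Toy BotMiner-style pipeline: C-plane clustering, A-plane clustering and
cross-plane correlation over constructed logs (added example, not the
project's code)."""
from collections import defaultdict
from itertools import combinations

# Constructed C-plane flow log for one monitoring epoch:
# (source host, destination IP, destination port, protocol, packets, bytes)
FLOW_LOG = [
    ("h1", "10.0.0.9", 6667, "tcp", 4, 220), ("h1", "10.0.0.9", 6667, "tcp", 5, 260),
    ("h2", "10.0.0.9", 6667, "tcp", 4, 230), ("h2", "10.0.0.9", 6667, "tcp", 5, 250),
    ("h3", "10.0.0.9", 6667, "tcp", 4, 210), ("h3", "10.0.0.9", 6667, "tcp", 6, 270),
    ("h4", "10.0.0.9", 6667, "tcp", 4, 230), ("h4", "10.0.0.9", 6667, "tcp", 5, 240),
    ("h5", "203.0.113.7", 443, "tcp", 40, 51000),  # ordinary HTTPS browsing
    ("h6", "203.0.113.7", 443, "tcp", 38, 49000),
]
# Constructed A-plane activity log, i.e. what the A-plane monitor flagged: (host, activity)
ACTIVITY_LOG = [("h1", "spam"), ("h2", "spam"), ("h3", "spam"), ("h6", "spam")]


def c_flows(flow_log):
    """Aggregate flows per (src, dst, port, proto) into a C-flow feature vector:
    flows in the epoch, mean packets per flow, mean bytes per packet."""
    groups = defaultdict(list)
    for src, dst, port, proto, pkts, byts in flow_log:
        groups[(src, dst, port, proto)].append((pkts, byts))
    feats = {}
    for key, recs in groups.items():
        pkts = sum(p for p, _ in recs)
        byts = sum(b for _, b in recs)
        feats[key] = (float(len(recs)), pkts / len(recs), byts / pkts)
    return feats


def rel_distance(a, b):
    """Largest per-feature relative difference, so features of different scale mix."""
    return max(abs(x - y) / max(abs(x), abs(y), 1e-9) for x, y in zip(a, b))


def components(nodes, linked):
    """Connected components (union-find) of nodes under the pair predicate `linked`."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, j in combinations(nodes, 2):
        if linked(i, j):
            parent[find(i)] = find(j)
    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return list(groups.values())


def c_plane_clusters(flow_log, threshold=0.25):
    """Host -> set of C-cluster ids. Single-linkage clustering under a relative
    distance threshold stands in for the X-means clustering of the paper."""
    feats = c_flows(flow_log)
    comps = components(list(feats), lambda i, j: rel_distance(feats[i], feats[j]) <= threshold)
    host_clusters = defaultdict(set)
    for cid, comp in enumerate(comps):
        for (src, _, _, _) in comp:
            host_clusters[src].add(cid)
    return host_clusters


def a_plane_clusters(activity_log):
    """Host -> set of A-cluster ids; as on the slide, one cluster per activity type."""
    host_clusters = defaultdict(set)
    for host, activity in activity_log:
        host_clusters[host].add(activity)
    return host_clusters


def detect_bots(flow_log, activity_log):
    """Cross-plane correlation: two hosts are linked when they share at least one
    C-cluster AND at least one A-cluster; linked groups of two or more hosts are
    reported as botnets (a simplification of the paper's pairwise score)."""
    c_cl = c_plane_clusters(flow_log)
    a_cl = a_plane_clusters(activity_log)
    hosts = sorted(set(c_cl) | set(a_cl))
    comps = components(hosts, lambda i, j: bool(c_cl[i] & c_cl[j]) and bool(a_cl[i] & a_cl[j]))
    return sorted(sorted(g) for g in comps if len(g) > 1)


if __name__ == "__main__":
    print(detect_bots(FLOW_LOG, ACTIVITY_LOG))  # [['h1', 'h2', 'h3']]
```

Hosts h1, h2 and h3 share a C-plane cluster (same server, same port, flows of the same shape) and the spam A-plane cluster, so they come out as one botnet group. h4 talks to the same server with the same flow pattern but shows no malicious activity, and h6 spams but has no host with a matching communication pattern, so neither is flagged: that is the isolated-infection case the definition slide puts out of scope, and it is why a single plane on its own would raise false positives that the cross-plane step removes.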

Page 16:

ARCHITECTURE OF BOT-MINER:

[Architecture diagram. Labels recovered from the figure: Network Traffic feeds the A-Plane Monitor (Spam, Task Report), which writes an Activity Log read by A-Plane Clustering, and the C-Plane Monitor, which writes a Flow Log read by C-Plane Clustering; the clustering results feed the Report.]

Page 17:

ACTIVITY DIAGRAM:

[Activity diagram. Labels recovered from the figure: Traffic Monitoring; Receiving By Botnet; Sending the Spam; Attack the near node; Detect the content; Incorrect, then save it in Spam; Correct, then save it in Inbox; Who is Bot Master and Who Is Bot Net.]

Page 18:

USE CASE DIAGRAM:

[Use case diagram. Labels recovered from the figure: Sending the Content; Receiving the content; Traffic; Forwarding to the next node which is going to be attacked by the bot net; Checking the content; If the content is good then it will save in Inbox; If the content is good then it will save in Spam; It will display who is bot master and which is bot net.]

Page 19:

SCREEN SHOTS

[Pages 20 to 32 are screenshot slides; no text was extracted from them.]
Page 33:

SYSTEM REQUIREMENTS:

Software:

* Client : Windows Client
* Software : JAVA

Hardware:

* Memory : 128MB RAM or above
* Secondary Storage : 40 GB HDD or above
* Floppy Disk : .44 MB or above
* Display unit : Color Monitor and other suitable accessories
* Processor : PIII or above

Page 34:

SOFTWARE FEATURES:

Simple:

Java was designed to be easy for the professional programmer to learn and use effectively. Java has another attribute that makes it easy to learn: it makes an effort not to have surprising features.

Object-Oriented:

Although influenced by its predecessors, Java was not designed to be source-code compatible with any other language. This allowed the Java team the freedom to design with a blank slate.

Robust:

The multiplatform environment of the Web places extraordinary demands on a program, because the program must execute reliably in a variety of systems. Thus the ability to create robust programs was given a high priority in the design of Java.

Page 35:

Multithreaded:

Java was designed to meet the real-world requirement of creating interactive, networked programs. To accomplish this, Java supports multithreaded programming, which allows you to write programs that do many things simultaneously.

Architectural-Neutral:

A central issue for the designers was that of code longevity and portability. One of the main problems facing programmers is that no guarantee exists that if you write a program today, it will run tomorrow, even on the same machine.

Interpreted and High Performance:

Java enables the creation of cross-platform programs by compiling into an intermediate representation called Java bytecode. This code can be interpreted on any system that provides a Java Virtual Machine.

Page 36:

Distributed:

Java is designed for the distributed environment of the Internet, because it handles TCP/IP protocols. In fact, accessing a resource using a URL is not much different from accessing a file. The original version of Java (Oak) included features for intra-address-space messaging, for example RMI.

Dynamic:

Java programs carry with them substantial amounts of run-time type information that is used to verify and resolve accesses to objects at run time. This makes it possible to dynamically link code in a safe and expedient manner.

Page 37:

FUTURE SCOPE:

In future, botnets (especially P2P botnets) may utilize evasion techniques to avoid detection, as discussed in Section 4. In our future work, we will study new techniques to monitor/cluster communication and activity patterns of botnets, and these techniques are intended to be more robust to evasion attempts.

In addition, we plan to further improve the efficiency of the C-flow converting and clustering algorithms, combine different correlation techniques (e.g., vertical correlation and horizontal correlation), and develop new real-time detection systems based on a layered design using sampling techniques to work in very high speed and very large network environments.

Page 38:

BIBLIOGRAPHY:

1) N. Ianelli and A. Hackworth. Botnets as a vehicle for online crime. http://www.cert.org/archive/pdf/Botnets.pdf, 2005.

2) A. Karasaridis, B. Rexroad, and D. Hoeflin. Wide-scale botnet detection and characterization. In Proceedings of USENIX HotBots'07, 2007.

3) A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. In Proceedings of ACM SIGCOMM'06, 2006.

4) E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of USENIX SRUTI'05, 2005.

Page 39:

THANK YOU