Botnet Detection Techniques

By Team Firefly, Technical Support For System Errors And Security Issues. Cyber Security Awareness Program, Friday, October 18, 2013

Upload: team-firefly

Post on 22-Nov-2014


Page 1: Botnet Detection Techniques

BotNet Detection Techniques

By Team Firefly

Technical Support For System Errors And Security Issues

Cyber Security Awareness Program

On Friday, October 18, 2013

Page 2

Outline

• Introduction to Botnet
• Botnet Life-cycle
• Botnet in Network Security
• Botnet Uses
• Botnet Detection
• Preventing Botnet Infection
• Botnet Research
• Conclusion
• References

Page 3

Introduction to Botnet

A Botnet is a network of compromised computers under the control of a remote attacker.

Botnet Terminology:

• Bot Herder (Bot Master)
• Bot
• Bot Client
• IRC Server
• Command and Control Channel (C&C)

Page 4

Introduction to Botnet (Terminology)

Diagram with labels: Bot Master, Bots, Code Server, IRC Server, Victim, IRC Channel, C&C Traffic, Attack, Updates

Pages 5 to 8

Botnet Life-cycle (diagram slides)

Page 9

Botnet In Network Security

Internet users are getting infected by bots.

Many times corporate and end users are trapped in botnet attacks.

Today 16-25% of the computers connected to the internet are members of a botnet.

In this network the bots are located in various locations, so it becomes difficult to track illegal activities.

This behavior makes botnets an attractive tool for intruders and increases the threat to network security.

Page 10

Botnet is Used For (diagram; label: Bot Master)

Page 11

How Botnet is Used?

• Distributed Denial of Service (DDoS) attacks
• Sending spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Click fraud

So it is really important to detect this attack.

Page 12

Botnet Detection

Two approaches for botnet detection:

• Setting up honeynets
• Passive traffic monitoring:
  • Signature based
  • Anomaly based
  • DNS based
  • Mining based

Page 13

Botnet Detection: Setting up Honeynets

Windows Honeypot (diagram label)

Honeywall responsibilities:

• DNS/IP address of the IRC server and port number
• (optional) password to connect to the IRC server
• Nickname of the bot
• Channel to join and (optional) channel password
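As an added example (not code from the slides), a small parser that recovers those same parameters from the client-to-server IRC lines a honeywall captures from an infected honeypot; the server address and port come from the captured connection tuple, and the session lines, the `IrcCncProfile` name and all sample values are constructed.

```python
"""Recover the IRC C&C parameters listed on the slide from a bot's outbound
session captured by the honeywall. Added example; the session and names are
constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IrcCncProfile:
    server: str                            # DNS name or IP the bot connected to
    port: int
    server_password: Optional[str] = None  # from PASS (optional on the slide)
    nickname: Optional[str] = None         # from NICK
    channel: Optional[str] = None          # from JOIN
    channel_key: Optional[str] = None      # optional JOIN key


def parse_irc_cnc(server: str, port: int, client_lines: List[str]) -> IrcCncProfile:
    """client_lines: raw client-to-server IRC lines (CRLF stripped), in order.
    Only the first PASS/NICK/JOIN count: that is the bot's hard-coded config."""
    prof = IrcCncProfile(server=server, port=port)
    for line in client_lines:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "PASS" and prof.server_password is None and len(parts) > 1:
            prof.server_password = parts[1].lstrip(":")
        elif cmd == "NICK" and prof.nickname is None and len(parts) > 1:
            prof.nickname = parts[1].lstrip(":")
        elif cmd == "JOIN" and prof.channel is None and len(parts) > 1:
            # JOIN #chan[,#chan2] [key[,key2]]: record the first channel/key pair
            prof.channel = parts[1].split(",")[0]
            if len(parts) > 2:
                prof.channel_key = parts[2].split(",")[0]
    return prof


# Constructed sample of what the honeywall sees from an infected Windows honeypot
SAMPLE_SESSION = [
    "PASS s3cret",
    "NICK [XP]-12345",
    "USER xp 0 0 :xp",
    "JOIN #victims ch4nkey",
    "PRIVMSG #victims :bot started",
]
```

Feeding `parse_irc_cnc("192.0.2.10", 6667, SAMPLE_SESSION)` returns the server, port, password, nickname, channel and channel key in one record, which is exactly the set of fields the honeywall is responsible for.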

Page 14

Botnet Detection: Setting up Honeynets

Diagram: Bot Sensor and Bot Master; steps: 1. Malicious traffic, 2. Inform bot's IP, 3. Authorize

Page 15

Botnet Detection: Traffic Monitoring

Signature based: Detection of known botnets

Anomaly based: Detect botnets using the following anomalies

• High network latency

• High volume of traffic

• Traffic on unusual port

• Unusual system behaviour

DNS based: Analysis of DNS traffic generated by botnets
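The anomaly-based and DNS-based checks above applied to constructed flow and DNS logs, as an added example that is not code from the slides: the baseline port set, the ten-times-median volume factor and the three-host DNS threshold are assumptions, and the shared-domain check is one assumed reading of "analysis of DNS traffic", not a method the slides specify.

```python
"""Anomaly-based and DNS-based checks over constructed flow and DNS logs."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed NetFlow-style records: (src_host, dst_ip, dst_port, bytes)
FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.0.0.5", "93.184.216.34", 443, 120_000),
    ("10.0.0.6", "93.184.216.34", 443, 95_000),
    ("10.0.0.7", "198.51.100.9", 6667, 4_000),     # IRC-style port
    ("10.0.0.7", "198.51.100.9", 6667, 3_500),
    ("10.0.0.8", "203.0.113.77", 25, 9_800_000),   # bulk outbound SMTP
    ("10.0.0.9", "198.51.100.9", 6667, 4_200),
]
# Constructed DNS query log: (src_host, queried_name)
DNS: List[Tuple[str, str]] = [
    ("10.0.0.5", "www.example.com"), ("10.0.0.6", "www.example.com"),
    ("10.0.0.7", "cc.example.net"), ("10.0.0.9", "cc.example.net"),
    ("10.0.0.8", "cc.example.net"), ("10.0.0.6", "mail.example.com"),
]
# Assumed site baseline of expected destination ports (not from the slides)
EXPECTED_PORTS: Set[int] = {25, 53, 80, 110, 143, 443, 993, 995}


def volume_anomalies(flows, factor: float = 10.0) -> Dict[str, int]:
    """Hosts whose total bytes exceed `factor` times the median host total."""
    totals: Counter = Counter()
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    return {h: b for h, b in totals.items() if b > factor * median}


def unusual_port_flows(flows, expected: Set[int] = EXPECTED_PORTS) -> Dict[str, Set[int]]:
    """Each host mapped to the non-baseline destination ports it used."""
    hits: Dict[str, Set[int]] = defaultdict(set)
    for src, _, port, _ in flows:
        if port not in expected:
            hits[src].add(port)
    return dict(hits)


def shared_domain_lookups(dns, min_hosts: int = 3) -> Dict[str, Set[str]]:
    """Names resolved by at least `min_hosts` distinct hosts: a candidate
    rendezvous domain when it is not a well-known service (assumed heuristic)."""
    hosts_by_name: Dict[str, Set[str]] = defaultdict(set)
    for src, name in dns:
        hosts_by_name[name].add(src)
    return {n: h for n, h in hosts_by_name.items() if len(h) >= min_hosts}
```

On the constructed data the volume rule isolates the spam sender, the port rule isolates the hosts on 6667, and the DNS rule groups the three hosts that all resolved the same unfamiliar name; each rule alone is noisy, which is why the slide lists them together.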

Page 16

Botnet Detection: Traffic Monitoring

Mining based:

• Botnet C&C traffic is difficult to detect

• Anomaly based techniques are not useful

• Data Mining techniques – Classification, Clustering

Page 17

Botnet Detection

Determining the source of a botnet-based attack is challenging:

Traditional approach:

Every zombie host is an attacker

Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack

New trend:

P2P networks

Page 18

Preventing Botnet Infections

• Use a firewall
• Patch regularly and promptly
• Use Antivirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Implement application-level content filtering
• Define a security policy and share policies with your users systematically

Page 19

Botnet Research

Passive monitoring: Sniffing traffic between bot & control channel, either listening between the infected machine and the herder or spoofing the infected PC

Active monitoring: Poking around in the IRC server, logging onto the herder's IRC server to get info

Page 20

Botnet Research: Monitoring Attacker

Diagram: Infected host, IRC Herder, Researcher ("Hi!")

Page 21

Conclusion

Botnets pose a significant and growing threat to cyber security.

They provide a key platform for many cyber crimes (DDoS).

As network security has become an integral part of our life, botnets have become the most serious threat to it.

It is very important to detect botnet attacks and find solutions for them.

Page 22

References

1. B. Saha and A. Gairola, "Botnet: An overview," CERT-In White Paper CIWP-2005-05, 2005.
2. M. M. Masud, J. Gao, L. Khan, J. Han, and B. Thuraisingham, "Peer to peer botnet detection for cyber-security: A data mining approach," ACM Portal.
3. M. Feily, A. Shahrestani, and S. Ramadass, "A survey of botnet and botnet detection," Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09), 2009, pp. 268-273.
4. Z. Li, A. Goyal, and Y. Chen, "Honeynet-based botnet scan traffic analysis," Northwestern University, Evanston, IL 60208.
5. B. AsSadhan, J. M. F. Moura, D. Lapsley, C. Jones, and W. T. Strayer, "Detecting botnets using command and control traffic," Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), 2009, pp. 156-162.
6. Y. Xie and F. Yu, "Spamming botnets: Signatures and characteristics."
