
Page 1: SURVEY ON BOTNET: ITS ARCHITECTURE, DETECTION, PREVENTION AND MITIGATION

Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on

102064535 黃川洁 (slide transcript, 25 slides)

Page 2: Outline

- INTRODUCTION
- BOTNET LIFE CYCLE
- BOTNET ARCHITECTURES
- DETECTION OF BOTNET ATTACK
- PREVENTION & MITIGATION OF BOTNET
- FUTURE PROSPECTS
- CONCLUSION

Page 3: INTRODUCTION-1

A BOTNET is a large network of compromised computers used to attack other computer systems with malicious intent.

Early examples of the remote-control malware from which bots descend: NetBus and BackOrifice2000.

Several techniques exist for BOTNET attack detection: data mining, fuzzy logic over statistical data, anomaly-based detection, and structure-based detection.

Page 4: INTRODUCTION-2

A testbed environment should meet the following requirements:

- The ability to test with a variety of bot types (both known and unknown), deployed on a variety of standard operating systems.
- The ability to conduct experiments in a secure mode, one that poses no threat to the wider Internet.
- The ability to form flexible and realistic botnet technologies and configurations.
- The ability to perform experiments at scale and under realistic conditions.

Page 5: BOTNET LIFE CYCLE-1

At the start the bot primarily infects other computers, injecting a small piece of code. That code communicates over File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Peer to Peer (P2P), a combination of HTTP and P2P (HTTP2P), etc. When the user connects to the Internet the code executes automatically and establishes a connection to the Command & Control (C&C) server.

Page 6: BOTNET LIFE CYCLE-2

The bot-master commands and controls the zombie computers through the C&C server. To stay hidden and active it uses Dynamic DNS (DDNS) for the C&C name, and it keeps the zombies updated and alive so that they can be maintained and used as needed.

Page 7: BOTNET ARCHITECTURES

- Centralized Botnet Architecture
- Peer to Peer (P2P) Botnet Architecture
- Hybrid Botnet Architecture
- Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture

Page 8: Centralized Botnet Architecture

Page 9: Peer to Peer (P2P) Botnet Architecture

Page 10: Hybrid Botnet Architecture

Page 11: Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture

P2P carries the threat of Sybil attacks.

Sybil attack: an attack in which the attacker subverts the reputation system of a P2P network by creating a large number of pseudonymous identities, thereby gaining a disproportionately large influence. (TWCERT/CC)

Combining HTTP and P2P makes the botnet harder to detect: the HTTP side passes through firewalls like ordinary client-server traffic, and the messages are enciphered. The Soldier-Bot does not contact the Supervisor-Bot or other soldier-bots on its own; instead it waits for a call from its supervisor.

Page 12: Comparison of the Botnet Architectures

Property                         Centralized   P2P       Hybrid    HTTP2P
Stealth                          low           high      high      high
Encryption                       none          yes       yes       yes
Management                       easy          hard      hard      (blank on the slide)
Detection                        easy          harder    harder    hard
Blocking                         easy          harder    harder    hard
Monitoring and healing
  (for the Supervisor-bot)       easy          hard      easier    (blank on the slide)

Page 13: DETECTION OF BOTNET ATTACK

- Structure Based Detection
- Signature Based Detection
- DNS Based Detection
- Behavior Based Detection
- Anomaly Based Detection
- Communication Pattern of Botnet

Page 14: Signature Based Detection

The first and most widely used approach. It is only successful against already known Botnets.

Two variants: a list of known IRC nicknames, to which n-gram analysis is applied; and a list of known IP addresses.

Other systems in this class: Honeynets, Honeypots, and Snort: low cost and, for the known patterns they match, without false positives.
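As an added illustration of the nickname-based variant (this is the editor's example, not code from the survey or from any system it cites): nicknames taken from IRC JOIN events are reduced to a character-class template (letters become a, digits become 0), split into character n-grams, and scored against a profile built from a seed list of known bot nicknames. The seed list, the log lines, the log format and the threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed seed list: nicknames previously seen in a known bot channel
# (made up for the example). The "[CC]|<digits>" shape is the kind of
# locale-plus-random-number nick that IRC bots generate.
KNOWN_BOT_NICKS = ["[USA]|83721", "[DEU]|10293", "[FRA]|55810", "[GBR]|99712", "USA|4417"]

# Constructed IRC server log lines: "<epoch> JOIN <nick> <channel>".
SAMPLE_IRC_LOG = """\
1700000000 JOIN alice #linux
1700000001 JOIN [ITA]|31749 #b0t
1700000002 JOIN bob_smith #linux
1700000003 JOIN [ESP]|60231 #b0t
1700000004 JOIN carol #python
1700000005 JOIN [CAN]|07788 #b0t
"""

JOIN_RE = re.compile(r"^(\d+)\s+JOIN\s+(\S+)\s+(\S+)$")


def template(nick):
    """Collapse letters to 'a' and digits to '0', keep punctuation. '[USA]|83721'
    and '[ITA]|31749' become the same string: the signature is the structure,
    not the random content."""
    return re.sub(r"[0-9]", "0", re.sub(r"[A-Za-z]", "a", nick))


def ngrams(s, n=4):
    """Set of character n-grams over a string, with ^ and $ edge markers."""
    s = f"^{s}$"
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def build_profile(seed_nicks, n=4):
    """For each n-gram, count in how many seed nicknames (templated) it occurs."""
    profile = Counter()
    for nick in seed_nicks:
        profile.update(ngrams(template(nick), n))
    return profile


def nick_score(nick, profile, seed_count, n=4):
    """Mean seed coverage of the candidate's n-grams: 1.0 means every n-gram of
    its structure appears in every seed nick, 0.0 means none was ever seen."""
    grams = ngrams(template(nick), n)
    if not grams:
        return 0.0
    return sum(profile[g] for g in grams) / (seed_count * len(grams))


def scan_joins(log_text, seed_nicks=KNOWN_BOT_NICKS, threshold=0.6, n=4):
    """Return [(nick, channel, score)] for JOINs whose nick matches the profile."""
    profile = build_profile(seed_nicks, n)
    hits = []
    for line in log_text.splitlines():
        m = JOIN_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not JOIN events or are malformed
        nick, channel = m.group(2), m.group(3)
        score = nick_score(nick, profile, len(seed_nicks), n)
        if score >= threshold:
            hits.append((nick, channel, round(score, 3)))
    return hits


if __name__ == "__main__":
    for nick, channel, score in scan_joins(SAMPLE_IRC_LOG):
        print(f"{nick:14s} {channel:8s} score={score}")
```

The profile is built only from nicknames already seen, so a botnet that changes its nick scheme is not matched; that is the limitation the slide states for every signature approach, and it is why the three bot joins above score 0.867 while the human nicks score below 0.1.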

Page 15: DNS Based Detection-1

Based on DNS queries. In 2004-05 the idea was put forward of detecting C&C domain names by their unusually high or temporarily intense DDNS query rates. In the following year an approach based on abnormally recurring NXDOMAIN reply rates was proposed.

Page 16: DNS Based Detection-2

Passive analysis of DNS-based Black-hole List (DNSBL) lookup traffic: a host that keeps checking whether addresses are blacklisted is behaving like a spam bot.

Two problems: a high false-positive rate, and it cannot detect distributed inspection.

Hyunsang Choi et al.
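The three DNS signals discussed on this slide and the previous one (intense dynamic-DNS querying, a high NXDOMAIN reply rate, and DNSBL lookup traffic), as an added example run over constructed resolver log lines. This is the editor's code, not code from the survey or from Choi et al.; the DNSBL and dynamic-DNS zone lists, the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Zones treated as DNS blacklists and as dynamic-DNS providers. Assumed short
# lists for the example; a deployment would carry its own maintained lists.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
DDNS_SUFFIXES = ("dyndns-home.net", "no-ip.org")

# Constructed resolver log: "<epoch> <client_ip> <qname> <rcode>" (made up).
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.7 a1b2c3d4.dyndns-home.net NXDOMAIN
1700000003 10.0.0.7 k9x2mq7w.dyndns-home.net NXDOMAIN
1700000004 10.0.0.7 zq8ytr2n.no-ip.org NXDOMAIN
1700000005 10.0.0.7 cc-node.no-ip.org NOERROR
1700000006 10.0.0.9 www.example.org NOERROR
1700000007 10.0.0.9 5.0.0.10.zen.spamhaus.org NXDOMAIN
1700000008 10.0.0.9 6.0.0.10.zen.spamhaus.org NXDOMAIN
1700000009 10.0.0.9 7.0.0.10.zen.spamhaus.org NXDOMAIN
1700000010 10.0.0.9 8.0.0.10.bl.spamcop.net NOERROR
1700000011 10.0.0.5 cdn.example.net NOERROR
1700000012 10.0.0.5 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_dns_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": int(m.group(1)), "client": m.group(2),
                            "qname": m.group(3).lower().rstrip("."), "rcode": m.group(4)})
    return records


def in_zone(qname, zones):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def nxdomain_rates(records, min_queries=3):
    """Per-client NXDOMAIN fraction. DNSBL lookups are excluded: NXDOMAIN is the
    normal 'not listed' answer there and would inflate the rate."""
    total, nx = defaultdict(int), defaultdict(int)
    for r in records:
        if in_zone(r["qname"], DNSBL_ZONES):
            continue
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: nx[c] / total[c] for c in total if total[c] >= min_queries}


def dnsbl_lookup_counts(records):
    """Per-client number of queries into blacklist zones."""
    counts = defaultdict(int)
    for r in records:
        if in_zone(r["qname"], DNSBL_ZONES):
            counts[r["client"]] += 1
    return dict(counts)


def ddns_bursts(records, window=60):
    """Per-client peak number of distinct dynamic-DNS names queried inside any
    'window'-second interval (sliding window over time-sorted queries)."""
    per_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if in_zone(r["qname"], DDNS_SUFFIXES):
            per_client[r["client"]].append((r["ts"], r["qname"]))
    best = {}
    for client, qs in per_client.items():
        peak, start = 0, 0
        for end in range(len(qs)):
            while qs[end][0] - qs[start][0] > window:
                start += 1
            peak = max(peak, len({q for _, q in qs[start:end + 1]}))
        best[client] = peak
    return best


def flag_clients(records, nx_threshold=0.5, dnsbl_threshold=3, ddns_threshold=3):
    """{client: [reasons]} for clients tripping any of the three heuristics."""
    reasons = defaultdict(list)
    for c, rate in nxdomain_rates(records).items():
        if rate >= nx_threshold:
            reasons[c].append("nxdomain_rate")
    for c, n in dnsbl_lookup_counts(records).items():
        if n >= dnsbl_threshold:
            reasons[c].append("dnsbl_lookups")
    for c, n in ddns_bursts(records).items():
        if n >= ddns_threshold:
            reasons[c].append("ddns_burst")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in sorted(flag_clients(parse_dns_log(SAMPLE_DNS_LOG)).items()):
        print(client, why)
```

A legitimate mail server also performs DNSBL lookups on every connecting peer, which is exactly the false-positive problem the slide names, so the output is a list to triage rather than a verdict; excluding DNSBL queries from the NXDOMAIN rate keeps the two signals from being counted twice for the same host.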

Page 17: Anomaly Based Detection-1

Looks for high network latency, high volumes of traffic, traffic on unusual ports, and unusual system behavior. It cannot detect a BOTNET in sleeping mode, since a dormant bot generates no anomalous traffic. Binkley and Singh addressed this by combining TCP-based anomaly detection with IRC tokenization and IRC message statistics in a single system.

Page 18: Anomaly Based Detection-2

Gu et al. proposed BotSniffer, which detects Botnet C&C channels in a local area network with a low false-positive rate.

Basheer Al-Duwairi and Lina Al-Ebbini proposed BotDigger, based on fuzzy logic: it does not depend on a specific pattern, which the survey judges the most reliable and flexible approach.

Page 19: Communication Pattern of Botnet-1

Cyber security defenders examine the communication characteristics between a Supervisor-Bot and a Soldier-Bot at the transport layer, i.e. over TCP or UDP. They check the source and destination IP addresses, ports, and protocol identifier.

Static characteristics: header fields.
Dynamic characteristics: arrival, departure, throughput, and burst time of the payload.

Page 20: Communication Pattern of Botnet-2

Selecting a precise set of characteristics, defining each unique flow as an object, and comparing it with the other objects provides more information than looking at single packets. As Botnets evolved their traffic became encrypted, so data mining techniques are applied to the limited data that remains (headers and timing) to overcome the problem.
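The flow-object idea of this slide and the anomaly heuristics of Anomaly Based Detection-1 (traffic on unusual ports, high volumes of traffic) together, as an added example over constructed NetFlow-style connection records. This is the editor's code, not code from the survey; the record format, the port allowlist and the thresholds are assumptions. Nothing in it reads payload, so it behaves the same on encrypted C&C traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-export records, one line per connection (made up):
# "<start_epoch> <src> <sport> <dst> <dport> <proto> <pkts> <bytes>"
SAMPLE_FLOWS = """\
1700000000 10.0.0.7 49152 203.0.113.5 6667 tcp 4 312
1700000005 10.0.0.5 51000 93.184.216.34 443 tcp 12 5120
1700000010 10.0.0.9 52000 198.51.100.20 80 tcp 1800 2600000
1700000012 10.0.0.9 52001 198.51.100.20 80 tcp 2100 3100000
1700000017 10.0.0.5 51001 93.184.216.34 443 tcp 30 44000
1700000030 10.0.0.7 49160 10.0.0.1 53 udp 2 180
1700000060 10.0.0.7 49153 203.0.113.5 6667 tcp 4 312
1700000090 10.0.0.5 51002 93.184.216.34 443 tcp 8 2200
1700000100 10.0.0.5 51003 93.184.216.34 443 tcp 15 9800
1700000120 10.0.0.7 49154 203.0.113.5 6667 tcp 4 312
1700000180 10.0.0.7 49155 203.0.113.5 6667 tcp 4 312
1700000240 10.0.0.7 49156 203.0.113.5 6667 tcp 4 312
1700000300 10.0.0.7 49157 203.0.113.5 6667 tcp 4 312
1700000400 10.0.0.5 51004 93.184.216.34 443 tcp 6 1900
"""

# Destination ports this site treats as ordinary for outbound client traffic.
# Assumed allowlist; every site has its own.
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # malformed record: skip rather than guess
        flows.append({"ts": int(f[0]), "src": f[1], "sport": int(f[2]), "dst": f[3],
                      "dport": int(f[4]), "proto": f[5], "pkts": int(f[6]), "bytes": int(f[7])})
    return flows


def flow_objects(flows):
    """Group connections by the static characteristics the survey lists
    (src, dst, dport, proto; the ephemeral source port is ignored) and derive
    the dynamic ones: arrival/departure, throughput, inter-arrival regularity."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    objects = {}
    for key, members in groups.items():
        members.sort(key=lambda f: f["ts"])
        starts = [f["ts"] for f in members]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        total_bytes = sum(f["bytes"] for f in members)
        duration = max(starts[-1] - starts[0], 1)
        objects[key] = {
            "connections": len(members),
            "arrival": starts[0],
            "departure": starts[-1],
            "bytes": total_bytes,
            "throughput_bps": total_bytes * 8 / duration,
            "gap_mean": mean(gaps) if gaps else None,
            # coefficient of variation of the gaps: near 0 means clockwork beaconing
            "gap_cv": (pstdev(gaps) / mean(gaps)) if len(gaps) >= 2 and mean(gaps) > 0 else None,
        }
    return objects


def score_flows(objects, volume_threshold=5_000_000, min_beacons=4, max_cv=0.1):
    """Apply the anomaly heuristics to each flow object: {key: [reasons]}."""
    findings = {}
    for key, o in objects.items():
        reasons = []
        if key[2] not in EXPECTED_PORTS:
            reasons.append("unusual_port")
        if o["bytes"] >= volume_threshold:
            reasons.append("high_volume")
        if (o["connections"] >= min_beacons and o["gap_cv"] is not None
                and o["gap_cv"] <= max_cv):
            reasons.append("periodic_beacon")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, why in score_flows(flow_objects(parse_flows(SAMPLE_FLOWS))).items():
        print(key, why)
```

The host beaconing to port 6667 every 60 seconds is caught by regularity alone; a bot that adds random jitter raises the coefficient of variation, so max_cv has to be tuned against the site's own traffic, and a bot in sleeping mode produces no records at all, which is the blind spot the Anomaly Based Detection-1 slide describes.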

Page 21: PREVENTION & MITIGATION OF BOTNET

In 2007 Collins et al. worked on predicting future botnet addresses with the help of network "uncleanliness": spatial (compromised hosts tend to cluster in address blocks) and temporal (networks tend to keep containing compromised hosts for extended periods).

Alex Brodsky et al. proposed a distributed, content-independent spam classification system to defend against Botnet-generated spam.

Trend Micro provides a Botnet Identification service: a real-time list of Botnet C&C / bot-master addresses.
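An added example of the spatial and temporal uncleanliness measures attributed above to Collins et al. This is the editor's illustration of the idea, not their code or their exact metric; the observation list, the /24 block granularity and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed daily observations of hosts seen doing bot activity, e.g. listed
# on a spam or scanning blocklist that day: (day_index, address). Made up.
SAMPLE_OBSERVATIONS = [
    (0, "198.51.100.10"), (0, "198.51.100.77"), (0, "203.0.113.4"),
    (1, "198.51.100.10"), (1, "198.51.100.23"),
    (2, "198.51.100.77"), (2, "198.51.100.150"),
    (3, "198.51.100.23"), (3, "192.0.2.9"),
    (4, "198.51.100.10"), (4, "198.51.100.201"),
    (5, "198.51.100.150"),
    (6, "198.51.100.10"),
]
OBSERVATION_DAYS = 7  # length of the window the sample covers


def block_of(address, prefixlen=24):
    """The address block an address belongs to (/24 assumed as the unit)."""
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def uncleanliness(observations, days=OBSERVATION_DAYS, prefixlen=24):
    """Per block: spatial = number of distinct compromised hosts seen in it,
    temporal = fraction of days on which it held at least one compromised host."""
    hosts = defaultdict(set)
    active_days = defaultdict(set)
    for day, addr in observations:
        blk = block_of(addr, prefixlen)
        hosts[blk].add(addr)
        active_days[blk].add(day)
    return {blk: {"spatial": len(hosts[blk]), "temporal": len(active_days[blk]) / days}
            for blk in hosts}


def predict_unclean_blocks(observations, min_hosts=3, min_days_fraction=0.5, **kw):
    """Blocks that both cluster compromised hosts and keep containing them over
    time are the ones expected to yield future bot addresses."""
    stats = uncleanliness(observations, **kw)
    return {blk for blk, s in stats.items()
            if s["spatial"] >= min_hosts and s["temporal"] >= min_days_fraction}


def address_risk(address, unclean_blocks, prefixlen=24):
    """Whether a never-before-seen address falls inside a predicted-unclean block."""
    return block_of(address, prefixlen) in unclean_blocks


if __name__ == "__main__":
    unclean = predict_unclean_blocks(SAMPLE_OBSERVATIONS)
    for blk, s in sorted(uncleanliness(SAMPLE_OBSERVATIONS).items(), key=str):
        print(blk, s, "UNCLEAN" if blk in unclean else "")
    print("198.51.100.99 risky:", address_risk("198.51.100.99", unclean))
```

The prediction is a prior, not evidence against a particular host: a clean machine in an unclean block is flagged by its neighbours, which is why this belongs in mitigation (rate-limiting, extra scrutiny of mail or connections from that block) rather than in blocking.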

Page 22: FUTURE PROSPECTS-1

Some of the steps to be taken to study the mind of the supervisor-bot are as follows:

- Build a data warehouse of known bots for future use in data mining, and design an algorithm that uses that data to mitigate attacks.
- Honeypot-based defense is popular and the most used; it is predicted, and possible, that one day supervisor-bots will equip their bots with a mechanism for detecting honeypots.

Page 23: FUTURE PROSPECTS-2

- Build anti-bot application software that works against Botnet attacks the way antivirus software works against viruses.
- New testbeds are required that allow testing on large-scale networks, in either open or closed environments.
- Botnet sample code is needed for analysis, but criminals do not want their malware examined, and cyber defenders are also reluctant to share samples with untrusted parties.

Page 24: CONCLUSION

In this survey we analyzed the protocols used by the Supervisor-bots and how they evolved over time, and how cyber defenders have proposed and built detection for attacks from known and unknown BOTNETs and given ideas and techniques for prevention and mitigation. Unfortunately, for prevention and mitigation no sufficient work has been done so far.

Page 25: Thank You