A Proposal of Metrics for Botnet Detection based on its Cooperative Behavior

The primary contribution of the paper is the proposal of three metrics that can help identify the presence of botnets in a wide area network (WAN). The proposed metrics, namely relationship, response and synchronization are measured with respect to the traffic over a WAN. It is assumed that the behavior of botnets will recurrently exhibit these metrics. The authors define relationship as the connection that exists between the bots and bot master of a botnet over one protocol. This metric tries to detect the structure of a botnet’s relationship by analyzing the network traffic.It is observed that the response time to commands received by a legitimate host varies significantly while that of botnets is comparatively constant. The response time as a metric can thus help detect botnets. As the bots present in a botnet are programmed to carry out instructions from the bot master on a predetermined basis, it is assumed that their activities will synchronize. An analysis of the networ k traffic can possible help identify synchronized activity between hosts, thus detecting botnets.The metrics are evaluated by analyzing traffic measured in the Asian Internet Interconnection Initiatives (AIII) infrastructure over a period of 24 hours. The analysis validates the metrics proposed as a dense topology relationship, short range of response times and synchronization of activities are detected in the presence of a botnet. The authors propose that a combination of all the metrics be used for detecting a botnet. The design of an algorithm to detect botnets based on a combination of the three metrics has been identified as future work. Summary of â€Å"IRC Traffic Analysis for Botnet Detection†The paper addresses the problem of detecting botnets by modeling the behavior of botnets. The main idea of the paper is to analyze network traffic, model the behavior of botnets based on the analysis and use pattern recognition techniques to identify a particular behavior model a s belonging to a botnet. The proposed model for detecting botnets analyses traffic that uses the IRC protocol. A traffic sniffer is used to analyze packets in the promiscuous mode. The protocol detector detects traffic using the protocol of interest to the analysis, in this case IRC.The packets are decoded using the IRC decoder and the behavior models are built. The detection engine detects a botnet based on the behavior model. The features used to build a behavior model include features related to a linguistic analysis of the data that passes through an IRC channel in addition to the rate of activity in the channel. It is observed that the language used by bots has a limited vocabulary and uses many punctuation marks. The language used by humans is observed to have a wider mean and variance with respect to the words used in a sentence. The features used to model the behavior of botnets hare listed.The experiments have been conducted with clean data collected from chat rooms and bot net data collected at the Georgia Institute of Technology. Pattern recognition is performed using support vector machines (SVMs) and J48 decision trees and the results are reported in terms of confusion matrices. Though the botnets are detected using the above methods, the authors report that a further analysis of the data is necessary. Unsupervised testing of the model and expansion of the model for adaptation to other scenarios is proposed as future work. Summary of â€Å"The Automatic Discovery, Identification and Measurement of Botnets†The paper proposes a technique for identifying and measuring the botnets used to deliver malicious email such as spam. The implementation and performance of the proposed technique has been presented. The authors are of the opinion that the existing methods for detecting botnets used to send spam use significant amount of resources and are often applicable only after a botnet has been operational over a period of time. The authors propose a passive method for identifying botnets by classifying the email content. The headers present in the emails are used to group the mails.The authors assume that a botnet has a central center for control and that the same program is used by a botnet for creating and sending spam emails. Based on these the authors propose to classify emails by a passive analysis of the header content present in them. The Plato algorithm is proposed to identify the sender and the program used to send the email. The performance of the Plato algorithm is analyzed based on the following factors: clustering, durability, isolation and conflicts. The analysis is performed on a sample data containing 2. 3 million emails. In the dataset 96% emails are identified as having a probability of being spam.The algorithm is observed to successfully reflect the features associated with spam email. It helps group the emails based on the characteristics of the sender and the sending program. This grouping of emails can hel p identify a botnet and thus enable the membership and size of the botnet. The authors propose that the algorithm can be further used for classifying bulk emails, to understand the relationship between spam and viruses and as a replacement for spam filters using statistical methods. Summary of â€Å"Towards Practical Framework for Collecting and Analyzing Network-Centric Attacks†The paper proposes a network-centric framework based on an awareness of risk to help detect attacks from a botnet and prevent these attacks. The authors state that the bots follow certain network traffic patterns and these patterns can be used to identify a bot. The proposed framework consists of three main components, namely bot detection, bot characteristics and bot risks. The first component, bot detection, is used to detect known and unknown bots that try to penetrate the system. A honeypot based malware collection system component is used to attract bots to the honeypot and thus help detect bots. After the bots have been detected the characteristics of the bots are analyzed. The behavior of bots and their characteristics are identified by analyzing known malware, network traffic patterns and detecting the existence of any correlation between various instances of a malware. Various components are used to perform each of the tasks involved in bot characterization. To determine the risks posed by bots, the vulnerabilities present in the existing system are identified. The risk posed by a host with certain characteristics is calculated based on the vulnerabilities associated with the system. Thus the risk factor can be modified on demand.A combination of the identified characteristics and the associated risks is evaluated when a decision regarding the blocking of traffic is made. The authors present results that demonstrate the ability of the proposed framework to detect different types of bots. The feasibility of the proposed framework has been demonstrated. Enhancing of the co rrelation system and integration of the risk aware system with the architecture are proposed as future work. Summary of â€Å"Wide-Scale Botnet Detection and Characterization† The paper proposes a methodology based on passive analysis of the traffic flow data to detect and characterize botnets.A scalable algorithm that gives information about controllers of botnets is proposed based on analysis of data from the transport layer. Four steps have been identified in the process of detecting botnet controllers. Suspicious behavior of hosts is identified and the conversations pertaining to this host are isolated for further evaluation. These are identified as suspected bots. Based on the records of suspected bots, the records that possible represent connections with a controller are isolated. This is referred to as candidate controller conversations in the paper.These candidate controller conversations are further analyzed to identify suspected controllers of botnets. The analysis is based on calculating the following: the number of unique suspected bots, distance between model traffic and the remote server ports, heuristics that gives a score for candidates that are possible bot controllers. The suspected controllers are validated in three possible ways: correlation with other available data sources, coordination with a customer for validation and validation of domain names associated with services (Karasaridis, Rexroad, & Hoeflin, 2007).The botnets are classified based on their characteristics using a similarity function. An algorithm is proposed for the same. The authors report the discovery of a large number of botnet controllers on using the proposed system. A false positive of less than 2% is reported based on correlation of the detected controllers with other sources. Also the proposed algorithm is reported to successfully identify and malicious bots. The future work is identified as the need to expand the algorithm for other protocols and analysis of the evolution of botnets.References Akiyama, M. , Kawamoto, T. , Shimamura, M. , Yokoyama, T. , Kadobayashi Y. , & Yamaguchi, S. (2007). A proposal of metrics for botnet detection based on its cooperative behavior. Proceedings of the 2007 International Symposium on Applications and the Internet Workshops. 82-85. Castle, I. , & Buckley, E. (2008). The automatic discovery, identification and measurement of botnets. Proceedings of Second International Conference on Emerging Security Information, Systems and Technologies. 127-132. Karasaridis, A. , Rexroad, B., & Hoeflin, D. (2007). Wide-scale botnet detection and characterization. Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets. 7-14. Mazzariello, C. (2008). IRC traffic analysis for botnet detection. Proceedings of Fourth International Conference on Information Assurance and Security. 318-323. Paxton, N. , Ahn, G-J. , Chu, B. (2007). Towards practical framework for collecting and analyzing n etwork-centric attacks. Proceedings of IEEE International Conference on Information Reuse and Integration. 73-78.