SURVEY ON BOTNET: ITS ARCHITECTURE, DETECTION, PREVENTION AND MITIGATION Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁
Outline • INTRODUCTION • BOTNET LIFE CYCLE • BOTNET ARCHITECTURES • DETECTION OF BOTNET ATTACK • PREVENTION & MITIGATION OF BOTNET • FUTURE PROSPECTS • CONCLUSION
INTRODUCTION-1 • A BOTNET is a large network of compromised computers used to attack other computer systems with malicious intent. • Early examples: NetBus and Back Orifice 2000 • Several techniques exist for BOTNET attack detection • data mining, fuzzy logic based on statistical data, anomaly based, structure based
INTRODUCTION-2 • A testbed environment should focus on the following requirements: • The ability to test with a variety of bot types (both known and unknown) deployed on a variety of standard operating systems. • The capability to conduct experiments in a secure mode, i.e. one that poses no threat to the wider Internet. • The ability to build flexible and realistic botnet technologies and configurations. • The ability to perform experiments at scale and under realistic conditions.
BOTNET LIFE CYCLE-1 • At the start, the bot infects other computers. • It then injects a small piece of code, delivered via • File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Peer to Peer (P2P), a combination of HTTP and P2P (HTTP2P), etc. • When the user connects to the Internet, the code executes automatically and establishes a connection to the Command & Control (C&C) server.
BOTNET LIFE CYCLE-2 • The zombie computers are commanded and controlled through the C&C server. • To remain hidden and active, the botnet uses Dynamic Domain Name Server (DNS) and keeps the zombies updated and alive so that it can maintain and use them as needed.
BOTNET ARCHITECTURES • Centralized Botnet Architecture • Peer to Peer (P2P) Botnet Architecture • Hybrid Botnet Architecture • Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture
Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture • P2P is exposed to Sybil attacks • Sybil Attack: an attack in which the attacker uses a large number of forged anonymous identities to gain a disproportionately large influence and subvert the reputation system of a P2P network. (TWCERT/CC) • Combines HTTP and P2P • Becomes harder to detect, since it bypasses firewalls and the client-server architecture • Messages are encrypted • The Soldier-Bot does not contact the Supervisor-Bot or other soldier-bots dynamically; instead it waits for a call from its supervisor.
DETECTION OF BOTNET ATTACK • Structured Based Detection • Signature Based Detection • DNS Based Detection • Behavior Based Detection • Anomaly Based Detection • Communication Pattern of Botnet
Signature Based Detection • The first and most widely used approach • Only successful against already known Botnets • Two ways: • a list of IRC nicknames with n-gram analysis applied to it • a list of IP addresses • Other systems • Honeynets, Honeypots, and Snort • cost-effective and without false positives
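The IRC-nickname n-gram approach listed above, as an added example that is not part of the original survey or slides: bot nicknames produced by a generator share character n-grams (here a country tag, a separator and a digit run), so a profile built from a list of known bot nicknames can be compared against each new nickname seen on a channel. The nickname lists and the 0.1 margin are constructed assumptions for the demonstration.

```python
from collections import Counter
import math

# Constructed samples (assumption): nicknames from a known bot channel and from ordinary users.
# The bot nicks follow a generator pattern: three-letter tag, '|', seven digits.
KNOWN_BOT_NICKS = ["USA|1234567", "DEU|8842011", "GBR|0033921", "FRA|5521908", "USA|7718420"]
HUMAN_NICKS = ["alice_dev", "bob", "charlie42", "dana-k", "eve_the_red"]


def normalize(nick):
    """Lower-case the nick and map every digit to 'd' so generated suffixes share grams."""
    return "".join("d" if c.isdigit() else c.lower() for c in nick)


def ngrams(text, n=3):
    """Character n-grams; '#' pads both ends so start/end patterns become grams too."""
    padded = f"#{text}#"
    return [padded[i:i + n] for i in range(len(padded) - n + 1)]


def build_profile(nicks, n=3):
    """Aggregate n-gram counts over a list of nicknames into one signature profile."""
    profile = Counter()
    for nick in nicks:
        profile.update(ngrams(normalize(nick), n))
    return profile


def cosine(a, b):
    """Cosine similarity between two n-gram count vectors."""
    dot = sum(a[g] * b[g] for g in set(a) & set(b))
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


BOT_PROFILE = build_profile(KNOWN_BOT_NICKS)
HUMAN_PROFILE = build_profile(HUMAN_NICKS)


def score_nick(nick, bot_profile=BOT_PROFILE, human_profile=HUMAN_PROFILE, n=3):
    """Return (similarity to bot profile, similarity to human profile) for one nickname."""
    grams = Counter(ngrams(normalize(nick), n))
    return cosine(grams, bot_profile), cosine(grams, human_profile)


def classify(nick, margin=0.1):
    """Label a nick 'bot' only when it resembles the bot profile clearly more than the human one."""
    bot_s, human_s = score_nick(nick)
    return "bot" if bot_s - human_s > margin else "human"


if __name__ == "__main__":
    for nick in ["CAN|9901234", "mallory", "alice"]:
        print(nick, score_nick(nick), classify(nick))
```

Because the profile only encodes patterns already observed, a nickname generator that changes its scheme will score as "human" until the list is refreshed, which is exactly the known-botnets-only limitation the slide states.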
DNS Based Detection-1 • DNS queries • In 2004-05, ideas were proposed to detect domain names by unusually high or temporarily intense DDNS query rates. • In the following year, an approach based on abnormally recurring NXDOMAIN reply rates was proposed.
DNS Based Detection-2 • Passive analysis of DNS-based Black-hole List (DNSBL) lookup traffic • Two problems • high false positive rate • cannot detect distributed inspection • Hyunsang Choi et al.
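The recurring-NXDOMAIN idea from the previous slide, as an added example that is not part of the original survey or slides: a bot trying a list of rendezvous domains produces many failed lookups for many distinct names within a short window, whereas a user's typo produces one. The resolver log format, the sample lines and the thresholds are constructed assumptions; the distinct-name condition is there to hold down the false positives the slide above warns about.

```python
from collections import defaultdict

# Constructed resolver log, not real traffic (assumed format: "<ISO timestamp> <client> <qname> <rcode>").
# 10.0.0.5 is an ordinary user with one typo; 10.0.0.9 queries a burst of non-existent names.
SAMPLE_LOG = """\
2013-03-01T10:00:01 10.0.0.5 www.example.com NOERROR
2013-03-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-03-01T10:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2013-03-01T10:00:09 10.0.0.5 cdn.example.net NOERROR
2013-03-01T10:00:10 10.0.0.9 kq3x7zp.biz NXDOMAIN
2013-03-01T10:00:11 10.0.0.9 mv9qlwa.biz NXDOMAIN
2013-03-01T10:00:12 10.0.0.9 z0ptu2c.biz NXDOMAIN
2013-03-01T10:00:13 10.0.0.9 hh4rn1e.biz NXDOMAIN
2013-03-01T10:00:14 10.0.0.9 b7ycx3o.biz NXDOMAIN
2013-03-01T10:00:15 10.0.0.9 q8dl2vn.biz NXDOMAIN
2013-03-01T10:00:16 10.0.0.9 www.example.com NOERROR
2013-03-01T10:00:17 10.0.0.9 r5wak9t.biz NXDOMAIN
"""


def parse_log(text):
    """Turn each log line into a record; the minute prefix of the timestamp is the time bucket."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"minute": ts[:16], "client": client,
                        "qname": qname.lower(), "rcode": rcode})
    return records


def nxdomain_stats(records):
    """Per (client, minute): total queries, NXDOMAIN replies and the distinct names that failed."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for r in records:
        bucket = stats[(r["client"], r["minute"])]
        bucket["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            bucket["nx"] += 1
            bucket["nx_names"].add(r["qname"])
    return stats


def flag_clients(records, min_nx=5, min_ratio=0.6, min_distinct=4):
    """Clients whose NXDOMAIN count, NXDOMAIN ratio and failed-name diversity all exceed thresholds
    within a single one-minute bucket (constructed thresholds)."""
    flagged = set()
    for (client, _minute), s in nxdomain_stats(records).items():
        ratio = s["nx"] / s["total"]
        if s["nx"] >= min_nx and ratio >= min_ratio and len(s["nx_names"]) >= min_distinct:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_clients(parse_log(SAMPLE_LOG)))
```

A single minute bucket is the simplest window; a production detector would use a sliding window and compare each client against its own history rather than fixed thresholds.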
Anomaly Based Detection-1 • Looks for high network latency, high volumes of traffic, traffic on unusual ports, and unusual system behavior • Cannot detect a BOTNET in sleeping mode • Binkley and Singh addressed this by combining TCP-based anomaly detection with IRC tokenization and IRC message statistics to create a detection system
Anomaly Based Detection-2 • Gu et al. proposed BotSniffer • detects Botnet C&C channels • works within a local area network • low false positive rate • Basheer Al-Duwairi and Lina Al-Ebbini proposed BotDigger • based on fuzzy logic • does not rely on a specific pattern • claimed to be the most reliable and flexible
Communication Pattern of Botnet-1 • Cyber security defenders check the communication characteristics between a Supervisor-Bot and a Soldier-Bot at the transport layer, e.g. for TCP or UDP. • Defenders check the source and destination IP, port and protocol identifier. • Static characteristics • header fields • Dynamic characteristics • arrival, departure, throughput, and burst time of the payload
Communication Pattern of Botnet-2 • Select a precise set of characteristics and define each unique flow as an object • Comparing an object with other objects provides more information • Payloads became encrypted with the evolution of Botnets, leaving only limited data • Data mining techniques are applied to that limited data to overcome the problem
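The flow-object idea from the two slides above, together with the anomaly-detection slide's "traffic on unusual ports" and its sleeping-mode caveat, as one added example that is not part of the original survey or slides: packets are grouped into flow objects keyed by the static header characteristics (source, destination, port, protocol), dynamic characteristics (packet count, bytes, throughput, inter-arrival regularity, largest burst) are computed from timing and sizes only, so encrypted payloads do not matter, and a flow is scored on those characteristics. The packet summaries, thresholds and the "common ports" set are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed packet summaries, not real traffic (assumed record shape):
# (timestamp_seconds, src_ip, dst_ip, dst_port, protocol, payload_bytes)
PACKETS = []
# Suspected Soldier-Bot 10.0.0.7 checks in with its Supervisor every 30 s with a small message.
PACKETS += [(t, "10.0.0.7", "203.0.113.10", 6667, "TCP", 92) for t in range(0, 300, 30)]
# Ordinary web client 10.0.0.3: irregular timing and varied sizes.
PACKETS += [
    (1, "10.0.0.3", "198.51.100.2", 443, "TCP", 1500),
    (4, "10.0.0.3", "198.51.100.2", 443, "TCP", 820),
    (5, "10.0.0.3", "198.51.100.2", 443, "TCP", 3100),
    (47, "10.0.0.3", "198.51.100.2", 443, "TCP", 640),
    (120, "10.0.0.3", "198.51.100.2", 443, "TCP", 2200),
]
# Dormant host 10.0.0.12: a single check-in, so there is no timing pattern to measure yet
# (the "sleeping mode" case the anomaly-detection slide says cannot be detected).
PACKETS += [(200, "10.0.0.12", "203.0.113.10", 6667, "TCP", 92)]

MIN_PACKETS = 5      # below this, inter-arrival statistics are meaningless (constructed threshold)
MAX_IAT_CV = 0.2     # coefficient of variation under this means near-periodic timing (constructed)
COMMON_PORTS = {25, 53, 80, 443}   # assumed baseline of expected destination ports


def build_flows(packets):
    """Group packets into flow objects keyed by the static characteristics (src, dst, port, proto)
    and attach the dynamic characteristics derived from timing and size."""
    groups = defaultdict(list)
    for ts, src, dst, dport, proto, size in sorted(packets):
        groups[(src, dst, dport, proto)].append((ts, size))
    flows = {}
    for key, pkts in groups.items():
        times = [t for t, _ in pkts]
        sizes = [s for _, s in pkts]
        duration = times[-1] - times[0]
        iats = [b - a for a, b in zip(times, times[1:])]   # inter-arrival times
        cv = None
        if len(iats) >= 2 and statistics.mean(iats) > 0:
            cv = statistics.pstdev(iats) / statistics.mean(iats)
        flows[key] = {
            "src": key[0], "dst": key[1], "dst_port": key[2], "proto": key[3],
            "packets": len(pkts),
            "bytes": sum(sizes),
            "throughput_bps": sum(sizes) * 8 / duration if duration > 0 else 0.0,
            "iat_cv": cv,            # None when there are too few packets to judge
            "max_burst": max(sizes),
        }
    return flows


def suspicion(flow):
    """Reasons a flow object looks like C&C traffic; empty list means nothing stands out."""
    reasons = []
    if flow["packets"] >= MIN_PACKETS:
        if flow["iat_cv"] is not None and flow["iat_cv"] < MAX_IAT_CV:
            reasons.append("periodic beaconing")
        if flow["dst_port"] not in COMMON_PORTS:
            reasons.append("unusual port")
    return reasons


def flag_flows(packets):
    """Map each suspicious flow key to its reasons."""
    flows = build_flows(packets)
    return {key: suspicion(f) for key, f in flows.items() if suspicion(f)}


if __name__ == "__main__":
    for key, reasons in flag_flows(PACKETS).items():
        print(key, reasons)
```

The dormant host is the instructive case: with one packet there is no inter-arrival distribution, so neither the timing nor the port heuristic fires, which is why the survey pairs anomaly detection with other methods rather than relying on it alone.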
PREVENTION & MITIGATION OF BOTNET • In 2007, Collins et al. worked on predicting future botnet addresses with the help of network "uncleanliness" • spatial (compromised hosts tend to cluster) • temporal (networks tend to contain compromised hosts for extended periods) • Alex Brodsky et al. proposed a distributed, content-independent spam classification system to defend against Botnet-generated spam. • Trend Micro provided Botnet Identification services • a real-time list of Botnet C&C bot-master addresses
FUTURE PROSPECTS-1 • Some of the steps to be taken to study the mind of the supervisor-bot are as follows: • Build a data warehouse of known bots for future use in data mining, and design an algorithm that uses that data to mitigate attacks. • Honeypot-based defense is very popular and widely used; it is predicted, and possible, that one day supervisor-bots will build honeypot-detection mechanisms into their bots.
FUTURE PROSPECTS-2 • Build anti-bot application software that works against Botnet attacks as antivirus does against viruses. • New testbeds need to be developed that allow testing on large-scale networks in either open or closed environments. • Botnet sample code is required for analysis, but criminals do not want their malware examined, and cyber defenders are also hesitant to share with untrusted parties.
CONCLUSION • In this survey we analyzed the protocols used by the Supervisor-bots and how they evolved over time, how cyber defenders proposed and worked on the detection of cyber-attacks from known and unknown BOTNETs, and the ideas and techniques given for their prevention and mitigation. But unfortunately, for prevention and mitigation, no sufficient work has been done so far.