
BotNet Detection Techniques

By
Shreyas Sali

Course: Network Security (CSCI 5235)


Instructor: Dr. T Andrew Yang
Outline
Introduction to Botnet
Botnet Life-cycle
Botnet in Network Security
Botnet Uses
Botnet Detection
Preventing Botnet Infection
Botnet Research
Conclusion
References
Page 2
Introduction to Botnet

A Botnet is a network of compromised computers under the control of a remote attacker.

Botnet Terminology
Bot Herder (Bot Master)
Bot
Bot Client
IRC Server
Command and Control Channel (C&C)
Page 3
Introduction to Botnet (Terminology)

[Diagram: the Bot Master issues commands over an IRC Channel on the IRC Server (C&C Traffic); the Bots fetch Updates from a Code Server and launch the Attack against the Victim]
Page 4
Botnet Life-cycle

[Figure: four slides of life-cycle diagrams; only the slide titles survived extraction]
Page 8
Botnet In Network Security

Internet users are getting infected by bots; corporate networks and end users alike are caught up in botnet attacks.
Today 16-25% of the computers connected to the Internet are estimated to be members of a botnet.
The bots in such a network are spread across many locations, which makes the illegal activity hard to trace back to its operator.
This makes botnets an attractive tool for intruders and increases the threat to network security.

Page 9
Botnet is Used For

[Diagram: the Bot Master directing the botnet; other labels not recoverable]
Page 10

How Botnet is Used?

Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware (Trojan horse)
Spyware (keylogging, information harvesting)
Click fraud
So it is really important to detect this kind of attack
Page 11
Botnet Detection

Two approaches to botnet detection:

Setting up honeynets
Passive traffic monitoring, which can be:
  Signature based
  Anomaly based
  DNS based
  Mining based
Page 12
Botnet Detection: Setting up Honeynets

A Windows honeypot is allowed to become infected; the honeywall in front of it captures the bot's traffic, so the connection to the controller reveals:
DNS name / IP address of the IRC server and its port number
(optional) password to connect to the IRC server
Nickname of the bot
Channel to join and (optional) channel password

Page 13
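As an added example (not part of the slides, and not the Honeynet Project's own tooling), the following Python parses the client side of an IRC session captured at the honeywall and recovers exactly the items listed above. The flow record, the addresses (RFC 5737 documentation ranges) and the bot nickname are constructed; a real capture comes from the honeywall's sniffer, and server replies (lines beginning with ':') are ignored because the parameters of interest are all sent by the bot.

```python
"""Recover IRC C&C parameters from a bot's captured session.

Added example, not from the slides. Given the honeypot -> server side of
an IRC session, extract server address/port, optional server password,
bot nickname, channel(s) and optional channel key(s). The flow below is
constructed; the addresses and nickname are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample flow: one TCP connection from the honeypot to the C&C.
SAMPLE_FLOW = {
    "dst_ip": "203.0.113.7",   # assumed C&C address (RFC 5737 range)
    "dst_port": 6667,
    "payload": (
        "PASS s3cr3t\r\n"
        "NICK [DEU|XP]-73120\r\n"
        "USER xp 0 0 :xp\r\n"
        "JOIN #dd0s,#upd k3y\r\n"
        ":irc.example 001 [DEU|XP]-73120 :Welcome\r\n"   # server reply, skipped
        "PRIVMSG #dd0s :.login\r\n"
    ),
}


@dataclass
class CncProfile:
    """The honeynet findings the slide lists, in one record."""
    server: str
    port: int
    server_password: Optional[str] = None
    nickname: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key or None


def parse_irc_profile(flow: dict) -> CncProfile:
    """Walk the bot's IRC commands and fill in the C&C profile."""
    prof = CncProfile(server=flow["dst_ip"], port=flow["dst_port"])
    for raw in flow["payload"].split("\r\n"):
        if not raw or raw.startswith(":"):
            # empty line or a server message (prefixed with ':'), not a bot command
            continue
        parts = raw.split(" ")
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "PASS" and args:
            prof.server_password = args[0]
        elif cmd == "NICK" and args:
            prof.nickname = args[0]
        elif cmd == "JOIN" and args:
            # RFC 1459: JOIN #a,#b key1,key2 -- keys are positional and optional
            chans = args[0].split(",")
            keys = args[1].split(",") if len(args) > 1 else []
            for i, ch in enumerate(chans):
                prof.channels[ch] = keys[i] if i < len(keys) else None
    return prof


if __name__ == "__main__":
    print(parse_irc_profile(SAMPLE_FLOW))
```

With these five values a researcher can connect to the same server and channel as the bot (the "active monitoring" described later in the deck); keep in mind that a bot master who sees an unexpected nickname pattern in the channel can simply move the channel.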
Botnet Detection: Setting up Honeynets

[Diagram: Bot Sensor and Bot Master; steps labelled 1. Malicious Traffic, 2. Inform bot's IP, 3. Authorize]
Page 14

Botnet Detection: Traffic Monitoring
Signature based: detection of known botnets from known patterns in their traffic
Anomaly based: detect botnets from the following anomalies
High network latency
High volume of traffic
Traffic on unusual ports
Unusual system behaviour
DNS based: analysis of the DNS traffic generated by botnets (for example many hosts resolving the same rendezvous name)
Page 15
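The following Python is an added example (not from the slides or any of the cited papers) of how a sensor could turn the anomaly-based and DNS-based indicators above into checks over flow records and a DNS query log. Every record and every threshold is constructed for illustration; a real deployment learns its baselines (bytes per host, round-trip time, the set of expected ports) from the monitored network and tunes them per segment.

```python
"""Traffic-monitoring heuristics for the anomalies listed on the slide.

Added example, not from the slides. Flow records, DNS records and all
thresholds below are constructed/assumed for illustration only.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes, rtt_ms)
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6667, 900, 40),
    ("10.0.0.6", "203.0.113.7", 6667, 880, 42),
    ("10.0.0.7", "203.0.113.7", 6667, 910, 41),
    ("10.0.0.5", "198.51.100.9", 80, 7_000_000, 850),   # flood-like burst
    ("10.0.0.8", "192.0.2.10", 443, 120_000, 35),
    ("10.0.0.9", "192.0.2.10", 443, 95_000, 30),
    ("10.0.0.9", "203.0.113.7", 31337, 500, 38),
]

# Constructed DNS query log: (src, qname, rcode)
DNS = [
    ("10.0.0.5", "cc-update.example", "NOERROR"),
    ("10.0.0.6", "cc-update.example", "NOERROR"),
    ("10.0.0.7", "cc-update.example", "NOERROR"),
    ("10.0.0.9", "cc-update.example", "NOERROR"),
    ("10.0.0.8", "www.example", "NOERROR"),
    ("10.0.0.8", "cdn.example", "NOERROR"),
    ("10.0.0.9", "q8ahgf7.example", "NXDOMAIN"),
    ("10.0.0.9", "zk1m3b.example", "NXDOMAIN"),
    ("10.0.0.9", "p0o9i8u.example", "NXDOMAIN"),
]

# Assumed baselines (illustrative; learn these from the real network)
BYTES_PER_HOST_LIMIT = 5_000_000          # "high volume of traffic"
RTT_LIMIT_MS = 500                        # "high network latency"
EXPECTED_PORTS = {25, 53, 80, 443, 993}   # anything else is "unusual"
MIN_SHARED_RESOLVERS = 3                  # hosts resolving the same name
NXDOMAIN_LIMIT = 3                        # failed lookups per host


def high_volume_hosts(flows):
    """Hosts whose total outbound bytes exceed the baseline."""
    total = defaultdict(int)
    for src, _, _, nbytes, _ in flows:
        total[src] += nbytes
    return {h for h, b in total.items() if b > BYTES_PER_HOST_LIMIT}


def high_latency_hosts(flows):
    """Hosts with at least one flow whose RTT exceeds the baseline."""
    return {src for src, _, _, _, rtt in flows if rtt > RTT_LIMIT_MS}


def unusual_port_flows(flows):
    """(src, dport) pairs talking to ports outside the expected set."""
    return {(src, dport) for src, _, dport, _, _ in flows if dport not in EXPECTED_PORTS}


def shared_dns_names(dns):
    """Names successfully resolved by many distinct hosts: rendezvous candidates."""
    hosts = defaultdict(set)
    for src, qname, rcode in dns:
        if rcode == "NOERROR":
            hosts[qname].add(src)
    return {q: h for q, h in hosts.items() if len(h) >= MIN_SHARED_RESOLVERS}


def nxdomain_hosts(dns):
    """Hosts producing bursts of failed lookups (generated-name behaviour)."""
    fails = defaultdict(int)
    for src, _, rcode in dns:
        if rcode == "NXDOMAIN":
            fails[src] += 1
    return {h for h, n in fails.items() if n >= NXDOMAIN_LIMIT}


def score_hosts(flows, dns):
    """Collect every indicator that fired per host; absent host means none fired."""
    reasons = defaultdict(set)
    for h in high_volume_hosts(flows):
        reasons[h].add("high_volume")
    for h in high_latency_hosts(flows):
        reasons[h].add("high_latency")
    for h, port in unusual_port_flows(flows):
        reasons[h].add(f"unusual_port:{port}")
    for qname, hosts in shared_dns_names(dns).items():
        for h in hosts:
            reasons[h].add(f"shared_dns:{qname}")
    for h in nxdomain_hosts(dns):
        reasons[h].add("nxdomain_burst")
    return {h: sorted(r) for h, r in reasons.items()}


if __name__ == "__main__":
    for host, why in sorted(score_hosts(FLOWS, DNS).items()):
        print(host, ", ".join(why))
```

Note what each indicator does and does not catch: the volume and latency checks only fire on 10.0.0.5 once it starts the flood, whereas the shared-name and unusual-port checks flag 10.0.0.6 and 10.0.0.7 while they are still idle members of the botnet. The counts are per host and per name with no time window, which a production sensor would need to add.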
Botnet Detection: Traffic Monitoring

Mining based:
Botnet C&C traffic is difficult to detect: it is small and blends into normal traffic, so the volume and port anomalies above often miss it
Anomaly-based techniques alone are therefore not enough
Data mining techniques (classification, clustering) find groups of hosts whose traffic features are similar to each other

Page 16
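As an added example of the clustering flavour of mining-based detection (not from the slides or the cited papers), the following Python groups hosts by the timing and size of their connections to a common destination, so that a set of bots polling the same controller on the same schedule falls into one cluster even though none of them crosses a volume or latency threshold. The connection events are constructed; the feature bins (10 s for the mean interval, 100 bytes for the mean size) and the coefficient-of-variation cutoff are assumptions, not values from any paper.

```python
"""Cluster hosts by shared, regular connection patterns (mining based).

Added example, not from the slides. Connection events are constructed;
the binning and the regularity cutoff are assumed values.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon(src, start, period, n, size):
    """Constructed helper: n connections from src to the assumed C&C, every `period` s."""
    return [(start + i * period, src, "203.0.113.7", 8080, size) for i in range(n)]


# Constructed events: (t_seconds, src, dst, dst_port, bytes)
EVENTS = (
    beacon("10.0.0.5", 0, 60, 10, 312)
    + beacon("10.0.0.6", 7, 61, 10, 309)
    + beacon("10.0.0.7", 13, 59, 10, 315)
    + [   # 10.0.0.8: ordinary browsing, one-off connections of varying size
        (5, "10.0.0.8", "192.0.2.10", 443, 4_100),
        (9, "10.0.0.8", "192.0.2.11", 443, 150_000),
        (140, "10.0.0.8", "192.0.2.12", 443, 2_300),
        (400, "10.0.0.8", "203.0.113.7", 8080, 9_000),
    ]
)


def flow_features(events, min_events=3):
    """Per (src, dst, dport): mean inter-arrival, its coefficient of variation, mean size.

    Pairs with fewer than min_events connections have no usable timing and are dropped.
    """
    by_key = defaultdict(list)
    for t, src, dst, dport, size in sorted(events):
        by_key[(src, dst, dport)].append((t, size))
    feats = {}
    for key, seq in by_key.items():
        if len(seq) < min_events:
            continue
        gaps = [b[0] - a[0] for a, b in zip(seq, seq[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        feats[key] = (m, cv, mean(s for _, s in seq))
    return feats


def cluster(feats, period_bin=10, size_bin=100, max_cv=0.2):
    """Bucket regular flows by (dst, dport, interval bin, size bin).

    Returns only buckets shared by at least two distinct sources: one host on
    a schedule is a scheduled task, several on the same schedule to the same
    server is what a C&C poll looks like.
    """
    buckets = defaultdict(set)
    for (src, dst, dport), (m, cv, size) in feats.items():
        if cv > max_cv:        # irregular timing: not a beacon
            continue
        buckets[(dst, dport, round(m / period_bin), round(size / size_bin))].add(src)
    return {k: v for k, v in buckets.items() if len(v) >= 2}


if __name__ == "__main__":
    for (dst, dport, ibin, sbin), hosts in cluster(flow_features(EVENTS)).items():
        print(f"{dst}:{dport} ~{ibin * 10}s ~{sbin * 100}B -> {sorted(hosts)}")
```

Two caveats a practitioner will hit immediately: bots that add random jitter to their polling interval raise the coefficient of variation, so the cutoff and bins have to be widened (at the cost of more false positives), and legitimate software that checks in on a fixed schedule (update agents, monitoring clients) forms clusters of exactly this shape, so the destination set needs an allow-list before any alert is raised.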
Botnet Detection

Determining the source of a botnet-based attack is challenging:

Traditional approach: every zombie host is treated as an attacker, although the real source is the bot master behind them
Botnets can sit in a benign state for an arbitrary amount of time before they are used for a specific attack, so there is nothing attack-like to detect until the command arrives
New trend: P2P botnets, which have no central IRC server to monitor or take down

Page 17
Preventing Botnet Infections

Use a firewall
Patch regularly and promptly
Use antivirus (AV) software
Deploy an Intrusion Prevention System (IPS)
Implement application-level content filtering
Define a security policy and share it with your users systematically

Page 18
Botnet Research

Logging onto the herder's IRC server to gather information

Passive monitoring: either listening to the traffic between an infected machine and the herder, or impersonating (spoofing) an infected PC
Active monitoring: poking around in the IRC server itself
Sniffing the traffic between a bot and its control channel

Page 19
Botnet Research: Monitoring Attacker

[Diagram: an Infected host says "Hi!" to the IRC Herder while the Researcher observes the exchange]
Page 20
Conclusion
Botnets pose a significant and growing threat to cyber security

They provide the key platform for many cyber crimes (for example DDoS)

Network security has become an integral part of our lives, and botnets have become the most serious threat to it

It is therefore very important to detect botnet attacks and to find solutions for them

Page 21
References
B. Saha and A. Gairola, "Botnet: An Overview", CERT-In White Paper CIWP-2005-05, 2005.
M. M. Masud, J. Gao, L. Khan, J. Han and B. Thuraisingham, "Peer to Peer Botnet Detection for Cyber-Security: A Data Mining Approach", ACM Portal.
M. Feily, A. Shahrestani and S. Ramadass, "A Survey of Botnet and Botnet Detection", Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09), IEEE, 2009, pp. 268-273.
Z. Li, A. Goyal and Y. Chen, "Honeynet-based Botnet Scan Traffic Analysis", Northwestern University, Evanston, IL 60208.
B. AsSadhan, J. M. F. Moura, D. Lapsley, C. Jones and W. T. Strayer, "Detecting Botnets Using Command and Control Traffic", Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), IEEE, 2009, pp. 156-162.
Y. Xie and F. Yu, "Spamming Botnets: Signatures and Characteristics".