
A survey of botnets and cryptography

Summary.

As technology has developed, bots and botnets have become an enormous problem for computer networks, and most network security threats are now botnet-based. Botnet C&C is commonly built on IRC servers, on the HTTP protocol or on P2P constructions [1], and the entry vectors, characteristics and activities of bots all differ according to the structure of the botnet. Research on the subject is therefore extensive, and it is useful to categorise bots and to classify the defence mechanisms against them. Bot activity causes many harmful effects such as DDoS (Distributed Denial of Service) attacks and spam. Bot detection and defence mechanisms can be classified by whether they target the C&C channel, the bot activity observed by sensors, or P2P bots. An essential aspect of botnet management is the authenticity and integrity of control commands; asymmetric cryptography provides a simple but effective method for this purpose, and that method is discussed here.

Keywords: botnets, bot detection, P2P bots, C&C bots, cryptography

1. INTRODUCTION

Coordinated attacks are those in which hackers or attackers compromise an application or a computer network for illegal purposes. Once a group of hosts at different locations is controlled by a malicious individual or organisation to launch an attack, the origin can hardly be traced because of the complexity of the Internet. For this reason, threats against legitimate Internet businesses and events, such as click fraud, denial of service (DoS) attacks and spam e-mail, have become very serious problems today [1]. The compromised victims coordinated by the attackers are called zombies or bots, a word derived from "robot". The term commonly refers to software applications that run automated tasks over the Internet [2]. Under a command and control (C2 or C&C) infrastructure, a group of bots capable of self-propagation, self-organisation and autonomous operation forms what is called a botnet [3]. Usually, after compromising a series of systems, the botnet master (also known as the botherder or author) installs the bots remotely through worms, trojans or backdoors [3]. Most of these victims run the Microsoft Windows operating system [3]. The process of stealing the resources of the hosts that make up a botnet is called "scrumping" [3].

Botnets can be classified into two broad categories according to their topology [4]. The first and most common type is the Internet Relay Chat (IRC)-based botnet. Because of its centralised architecture, researchers have developed measures to detect and dismantle these botnets [5, 6]. Consequently, more sophisticated hackers and attackers have begun to use peer-to-peer (P2P) botnet technologies [4, 7]. P2P botnets are distributed and have no central point of failure. Compared with IRC-based botnets, they are more difficult to detect and take down [4]. Most of the existing studies of them are examined in [4, 7].

The document is organised as follows. Section 2 gives a classification of botnets. Section 3 describes botnet attacks. Section 4 establishes the mechanisms for detection and tracing. Section 5 discusses the cryptographic control of botnets. Preventive measures are given in Section 6. Conclusions and future challenges are presented in Section 7.

2. CLASSIFICATION

Botnets are a new kind of threat, with billions of infected hosts around the world. Bots can spread across thousands of computers at very high speed, as worms do. Unlike worms, the bots in a botnet are able to cooperate under common control. For this reason, botnets today play a very important role in the epidemic of malware on the Internet [16]. In [19], W. T. Strayer et al. introduced flow-analysis measures to detect botnets: after filtering IRC sessions out of the traffic, the methods are applied to discriminate malicious IRC channel flows from benign ones. The methods proposed in [20] and [21] analyse both the application layer and the network layer. E. Cooke et al. [22] address IRC activity at the application layer, using information obtained by monitoring network activity. Some authors have introduced machine-learning techniques for botnet detection [23], because they offer a better way to characterise zombie networks. At present, honeynets and Intrusion Detection Systems (IDS) are the two major techniques for preventing botnet attacks. Honeynets can be deployed in both distributed and local contexts [9]. They are able to capture botnet attacks, but cannot reveal every detail, such as whether a victim carries a particular worm [9]. An IDS uses signatures or behaviour from existing references to detect botnet attacks. Summarising botnet characteristics is therefore significant for securing a network. To the best of our knowledge, we have not found other work on anomaly-based botnet detection.

2.1 Formation and Exploitation

To illustrate formation and operation, we take a spam botnet as an example. The formation of a typical botnet can be described in the following steps [3]:

1) The botnet author sends out viruses or worms that infect victim machines; the payload is the bot.

2) The bots on the infected hosts connect to an IRC server or another communication medium, forming a botnet.

3) A spammer pays the owner of this botnet to obtain access rights.

4) The spammer sends commands to the botnet, directing the bots to send spam.

5) The infected hosts send spam to mail servers on the Internet.

2.2 IRC-based bots

IRC is a protocol for text-based instant messaging between people connected to the Internet. It is based on the client/server (C/S) model, but adapted to a distributed environment [18]. Typical IRC servers are interconnected and pass messages between one another [18]. A channel can reach hundreds of clients across multiple servers. Messages sent by a client (such as the popular mIRC client) to a channel are relayed by the servers to everyone connected to that channel. The basic functions of IRC bots are access-list management, file transfer, client sharing, sharing information about channels, and so on [18].

• Bot: an executable, usually triggered by a specific command from the IRC server. Once installed on a victim machine, the bot copies itself to a configurable directory and arranges for the malware to start with the operating system. In general, the bot is only the payload, or a way to open a back door [18].

• Control channel: a secured IRC channel established by the attacker to manage all the bots.

• IRC server: may be a compromised machine or even a legitimate public service provider.

• Attacker: the one who controls the IRC bots and the attack.

The operation follows four stages [16]:

1) The creation stage, in which the attacker writes malicious code or simply modifies an existing one; highly customisable bot systems are widely available on the Internet [16].

2) The configuration stage, in which the IRC server and channel information are set [16]. Once the bot is installed on the victim, it automatically connects to the selected host [16]. The attacker can then restrict and secure the channel so that only authorised bots can access it, for business or other purposes [16]. For example, the attacker can provide a list of authorised users who may customise the bots further and use them for their own purposes.

3) The infection stage, in which bots spread through various direct and indirect techniques [16]. As the name implies, direct techniques exploit vulnerabilities in services or operating systems and are usually associated with viruses [16]. Once vulnerable systems are compromised, they continue the infection process, saving the attacker time in adding more victims [16]. The most vulnerable systems are Windows 2000 and XP SP1, where the attacker can easily find unpatched or insecure (for example, unfirewalled) hosts [16]. Indirect approaches, by contrast, use other programs as a proxy to distribute the malware, for example by sharing files over DCC (Direct Client-to-Client) on IRC or over P2P networks, to exploit the vulnerabilities of the target computers [16].

4) The control stage, in which the attacker sends commands to a group of bots through the IRC channel to perform malicious tasks.

2.3 P2P-based bots

Few papers deal with P2P-based bots, and they are mainly measurement studies [4, 24-29, 46]. It is still a difficult problem. In fact, using an ad hoc P2P network to control victim hosts is not a new technique [26]. A P2P communication system is much harder to disrupt: compromising a single bot does not necessarily mean the loss of the entire botnet. However, the design of P2P systems is usually more complex, and there are no guarantees on message delivery or latency. A worm with a P2P mode, called Slapper [27], infected Linux systems for a DoS attack in 2002. Its clients were used to send commands to the compromised computers and to receive their responses [27], so the attacker's location in the network could remain anonymous and hard to trace [27]. A year later another P2P-based bot appeared, dubbed Sinit [28]; it uses public-key cryptography to authenticate updates. Later, in 2004, Phatbot [29] was released, sending commands to other compromised hosts through a P2P system. Today the Storm Worm [24] is perhaps the most popular P2P bot online. T. Holz et al. analysed it using binary and network monitoring [24], and also proposed techniques to disrupt the communication of P2P-based botnets, such as eclipse attacks and pollution of the content index.

However, most P2P-based bots are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers that a new node contacts to find other peers. This process, called "bootstrapping", is a single point of failure for P2P-based botnets [25]. For this reason, the authors of [25] designed a hybrid P2P botnet to overcome this problem.

2.4 Types of bots

Many types of bots on the network have already been discovered and studied [9, 16, 17]. Table I shows several common and well-known bots and their basic characteristics.

Table I: COMMON BOTS AND THEIR BASIC FEATURES [9, 16, 17]

Type: Agobot, Phatbot, Forbot, Xtrembot
Features: They are so common that more than 500 variants exist on the Internet today. Agobot is the only bot that can use control protocols other than IRC [9]. It offers different approaches to hide bots on compromised machines, including NTFS Alternate Data Streams, a polymorphic encryptor engine and an antivirus killer [16].

Type: SDBot, Rbot, UrBot, UrXBot
Features: SDBot is the basis of the other three and probably of many more [9]. Unlike Agobot, its code is not very clear and it has only limited functionality. However, this family of bots is still widely used on the Internet [16].

Type: SpyBot, NetBIOS, Kuang, NetDevil, KaZaa
Features: There are hundreds of Spybot variants today [17]. Most of their C2 engines appear to be shared with, or evolved from, SDBot [17]. However, it provides little to hide the malicious code in its code base [17].

Type: Basic mIRC, GT-Bots
Features: GT (Global Threat) bots are mIRC-based bots. They run an mIRC chat client with a set of binaries (mostly DLLs) and scripts [16]. The application window is often hidden on compromised hosts to make mIRC invisible to the user [9].

Type: DSNX bots
Features: The DSNX (Dataspy Network X) bot has a convenient plug-in interface for adding new functions [16]. Although the default version comes without spreaders, plug-ins can fill this gap [9].

Type: Q8 bots
Features: Designed for Unix/Linux operating systems, with the features common to a bot, such as dynamic HTTP update, different DDoS attacks, arbitrary command execution, etc. [9].

Type: Kaiten
Features: Very similar to Q8 bots in its runtime, and likewise lacking a spreader. Kaiten has an easy remote shell, which makes it easy to look for further vulnerabilities through IRC [9].

Type: Perl-based bots
Features: Many variants are written in Perl today [9]. They are so small that only a few hundred lines of code make up the bot [9]. Thus only limited basic commands are available for attacks, especially DDoS attacks based on Unix systems [9].

3. BOTNET ATTACKS

Botnets can be used for both legitimate and illegitimate purposes [6]. A legitimate aim is to support IRC channel operations by granting administrative privileges to specific individuals. However, these aims are not consistent with the bulk of the bots we have seen. On the basis of the wealth of data collected by honeypots [9], the uses of botnets for criminal or destructive purposes can be classified as follows.

3.1 DDoS

Botnets are often used for DDoS attacks [9], which can disable the network services of the victim system by consuming its bandwidth. For example, an author can order the botnet to connect to the victim's IRC channel first, and the victim is then flooded with thousands of service requests from the botnet. In this type of DDoS attack, the victim is taken off the IRC network. The evidence shows that the attacks most used by botnets are TCP SYN and UDP floods [30].

General countermeasures against DDoS attacks must (1) control the large number of infected computers and (2) disable the remote control mechanism [30]. However, we still need more effective ways to prevent this type of attack. F. C. Freiling et al. [30] presented a method to prevent DDoS attacks by using honeypots to capture the bots and infiltrate their network.

3.2 Spamming and Malware Dissemination

Approximately 70% to 90% of the spam in the world today is caused by botnets, which makes it one of the most pressing questions in the field of Internet security [47, 49]. Reports indicate that once a SOCKS v4/v5 proxy (TCP/IP RFC 1928) has been opened by the bots on a compromised machine, the machine can be used for harmful tasks such as spamming. In addition, some bots have special functions for harvesting e-mail addresses [9]. Attackers can therefore use a botnet to send massive amounts of spam [31]. The researchers in [32] proposed a distributed, content-independent e-mail classification system for spam botnets, called Trinity. The designers assume that spam bots send mass e-mail in a short time; therefore any mail from such an address may be spam.

To uncover the behaviour of spamming botnets and benefit their detection in the future, Y. Xie et al. [33] developed an automatic signature generation framework for spam called AutoRE. They also found several characteristics of spamming botnets: (1) the spammer is often unpredictable and adds some legitimate URLs to the mail to evade detection [33]; (2) botnet IP addresses are usually distributed over many autonomous systems (AS), with only a few machines in each AS participating [33]; (3) although the content of the spam differs, the recipient addresses may be similar [33]. Using these features to capture and prevent spam botnets is useful for future research. Similarly, botnets can also be used to distribute malware [9]. For example, botnets launched the Witty worm, which attacked victims through the ICQ protocol handling of hosts that had Internet Security Systems (ISS) services enabled [9].

3.3 Information Leakage

Because some bots can not only sniff the traffic passing through the compromised machines but also monitor data on the victims, perpetrators can easily retrieve sensitive information such as usernames and passwords through botnets [9]. Results show that botnets are becoming more sophisticated, quickly scanning hosts for major corporate and financial data [47]. Since bots rarely affect the performance of the infected systems, they are often outside the surveillance zone and difficult to capture. Keylogging is the main tool for this kind of attack [9, 16]. This type of bot listens to keyboard activity and reports the information to its master after filtering the captured input. This allows the hacker to steal private information, credentials and data from thousands of victims [16].

3.4 Click Fraud

With the help of botnets, the authors are able to install advertising add-ons and browser helper objects (BHOs) for commercial purposes [9]. In programs like Google's AdSense, for the sake of a higher click-through rate (CTR), authors may periodically use botnets to click on specific links and thus inflate the CTR artificially [9]. This is also effective against online polls or games [9]. Because each victim host has a unique IP address somewhere in the world, every single click appears to be the valid action of a legitimate person.

3.5 Identity Theft

Identity fraud, also known as identity theft, is one of the fastest-growing crimes on the Internet [9]. Phishing e-mail is a typical case. Usually a URL that looks legitimate is sent to the recipient, who is asked to submit personal or confidential information. These mails can be generated and sent by a botnet through its spamming mechanisms [9]. In a second stage, botnets can also set up several fake Web sites pretending to be the official sites of a company in order to gather information from victims. Once one fake site is shut down by its host, another can appear, until the botnet itself is turned off.

4. DETECTION AND MONITORING

Currently, several methods for identifying and tracing botnets have been proposed or tried. The first and most general is the use of honeypots, where a host pretends to be compromised by a trojan but in reality is kept under surveillance to observe the behaviour of the attackers and identify them [22]. In [30], Freiling et al. showed how to detect certain types of DDoS attacks launched by botnets. First, a honeypot is used to actively gather bot binaries. Then the bots collected in the honeypot are run as if they were infected machines, letting them join the botnet and connect to the IRC server. Ultimately, the botnet is infiltrated by a silent "drone" that collects information which can help in dismantling the botnet. Another common method is to monitor an IRC-based botnet from the inside, as an insider [11]. A third, less common method of detecting botnets is to investigate the DNS caches in the network for resolutions of the IP addresses of the C&C servers [11].

4.1 Honeypots and honeynets

Honeypots are well known for their ability to detect security threats, collect malware, and reveal the behaviour and motivation of the authors. A honeynet monitors a large, diverse network and consists of more than one honeypot. Most researchers focus on Linux-based honeynets, for the obvious reason that, compared with any other platform, more honeynet tools are freely available on Linux [6]. Therefore, only a few tools support the deployment of Windows honeypots, and intruders on Windows can more readily dismantle the honeypot.

Some researchers aim to design a firewall or other reactive means to prevent a honeypot from being compromised multiple times [6]. If a firewall detects that a port has been compromised, the incoming attacks can be blocked [6]. This should be done unobtrusively to avoid raising the attacker's suspicion. Experience tells us to use less intelligence in protecting honeypots against multiple compromises by worms, because worms would otherwise be used to detect its presence [6]. Because many hacker tools are downloaded immediately after a victim is compromised, traffic should only be blocked selectively. These tools are important evidence for later analysis. Thus, to a certain extent, the attackers' access to honeypots should not be prevented entirely [6].

Since honeypots have become increasingly popular in surveillance and defence systems, hackers have begun to look for ways to detect and escape honeypot traps [34]. There are techniques that can detect honeypots, for example detecting VMware or other emulated virtual machines [35, 36], or detecting the faulty responses of honeypot software [37]. In [38], Bethencourt et al. were able to identify honeypots intelligently from the statistics in public survey reports. In addition, Krawetz [39] presented a commercial anti-honeypot tool for spammers, called "Send-Safe Honeypot Hunter". By checking the response of the remote proxy, the spammer is able to detect open-proxy honeypots [39]. However, this tool cannot effectively detect honeypots other than open proxies. Recently, C. C. Zou et al. [34] proposed another method to detect honeypots that is independent of software and hardware. In their article they also introduced an efficient approach to locate and remove infected honeypots using a structured P2P botnet [34]. All the above evidence suggests that, as botnets become invisible to honeypots, honeypot research should be improved.

4.2 IRC-based detection

IRC-based botnets are the most studied, and therefore several features have been discovered for their detection. One easy way to detect such botnets is to track the traffic on the common IRC port (TCP port 6667) and then check whether the payload strings match our knowledge base [22]. However, botnets can use random ports to communicate. Another approach therefore looks at the characteristic behaviour that comes with the bots. S. Racine [40] found that IRC-based bots are often idle and only respond after receiving a specific instruction. Thus, connections with these characteristics may be flagged as potential enemies. However, there is a high rate of false positives.

There are also other methods for detecting IRC-based botnets. Barford et al. [17] proposed approaches based on source code analysis. Rajab et al. [11] introduced a modified IRC client named IRC tracker that was able to connect to IRC and respond to requests automatically. Given a fingerprint template and the relevant IRC information, it can instantiate and follow a new session with the IRC server [11]. Even if the botmaster tries to find the true identity of the followers, the tracker appears as a genuine and fully functional bot on the Internet, handling all the malicious commands, including the responses expected by the attacker [11]. Next we introduce detection methods against IRC-based botnets.

4.2.1 Detection based on traffic analysis

Signature technology is often used in anomaly detection. The basic idea is to extract information from the traffic packets and match it against the patterns of known bots registered in the knowledge base. Apparently it is easy to carry out with a simple byte-by-byte comparison of each packet, but it comes with several disadvantages [45]. First, unknown bots cannot be identified [45]. Second, the knowledge base must always be updated with new signatures, which increases the management cost and reduces performance [45]. Third, the bot herders can launch new attacks before they are patched into the knowledge base [45].

Other techniques for IRC botnet detection are based on characteristics. Essentially, two types of action are involved in normal IRC communication: one is interactive commands and the other is the exchange of messages [45]. If we can identify IRC operations with a specific pattern, it is possible to detect botnet attacks [45]. For example, if personal information is copied elsewhere through a few IRC commands, we claim that the system is under attack, because that is not normal behaviour in a chat [45]. Furthermore, traffic can be encrypted or hidden by the noise of the network [21], which makes all the bots invisible.

In [45], the authors observed the actual traffic on the IRC communication ports 6666-6669. They found that some IRC clients repeatedly sent login information when the server refused the connection [45]. According to the experimental results, they argued that bots repeat these actions with some frequency after being rejected by the IRC server, and that the time intervals differ [45]. However, their experiment does not consider a true IRC-based botnet attack. This work could be extended to build on their achievements.

In [49], P. Sroufe et al. proposed an alternative method for detecting botnets. Their approach can automatically and efficiently identify spam bots. The main idea is to extract the shape of an e-mail (the number of lines and the number of characters in each line) by applying a Gaussian kernel density estimator [49]. E-mails with similar shapes are suspect. However, the authors have not shown how to detect the botnet itself using this method. This may be another valuable direction for future work.

4.2.2 Anomaly detection based on activities

In [21], the authors propose an anomaly-based botnet detection algorithm. It combines IRC mesh features with TCP-based anomaly detection. First, a large number of TCP packets exchanged with IRC hosts are observed and recorded. From the ratio of the number of TCP control packets (e.g. SYN, SYN-ACK, FIN and RST) to the total number of TCP packets, certain anomalous activities can be detected [21]. They called this ratio the TCP work weight and stated that a high value implies a potential attack by a scanner or worm [21]. However, this mechanism cannot work if the IRC commands are encoded, as discussed in [21].
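The following is an added example (not code from the page or from [21]) of the TCP work weight idea described above: it computes the ratio of control packets to all TCP packets per source host and reports hosts that are both connected to an IRC port and scanning. The packet records, the IRC port range (taken from the 6666-6669 range mentioned in Section 4.2.1) and the 0.5 threshold are constructed assumptions.

```python
"""TCP work-weight check for hosts seen on IRC ports, following the hybrid
IRC/TCP anomaly idea surveyed above ([21]). Added example; the packet records,
the port range and the threshold are constructed assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Packet = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, tcp_flags)

# Constructed sample packets. Flags: S=SYN, A=ACK, F=FIN, R=RST, P=PSH.
SAMPLE_PACKETS: List[Packet] = [
    # 10.0.0.5: an ordinary, mostly idle IRC client exchanging data
    ("10.0.0.5", "192.0.2.10", 6667, "S"),
    ("10.0.0.5", "192.0.2.10", 6667, "A"),
    ("10.0.0.5", "192.0.2.10", 6667, "PA"),
    ("10.0.0.5", "192.0.2.10", 6667, "PA"),
    ("10.0.0.5", "192.0.2.10", 6667, "PA"),
    ("10.0.0.5", "192.0.2.10", 6667, "A"),
    ("10.0.0.5", "192.0.2.10", 6667, "PA"),
    ("10.0.0.5", "192.0.2.10", 6667, "A"),
    # 10.0.0.7: on the same IRC channel and sweeping port 445 (SYN after SYN)
    ("10.0.0.7", "192.0.2.10", 6667, "S"),
    ("10.0.0.7", "192.0.2.10", 6667, "A"),
    ("10.0.0.7", "192.0.2.10", 6667, "PA"),
    ("10.0.0.7", "10.0.1.1", 445, "S"),
    ("10.0.0.7", "10.0.1.2", 445, "S"),
    ("10.0.0.7", "10.0.1.3", 445, "S"),
    ("10.0.0.7", "10.0.1.4", 445, "S"),
    ("10.0.0.7", "10.0.1.5", 445, "S"),
    ("10.0.0.7", "10.0.1.6", 445, "R"),
    ("10.0.0.7", "10.0.1.7", 445, "S"),
]

IRC_PORTS: Set[int] = set(range(6666, 6670))  # assumed IRC port range


def is_control(flags: str) -> bool:
    """SYN, SYN-ACK, FIN and RST are the control packets counted by [21]."""
    return any(f in flags for f in "SFR")


def work_weights(packets: Iterable[Packet]) -> Dict[str, float]:
    """Per source host: control packets / all TCP packets sent (0.0 .. 1.0)."""
    control: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for src, _dst, _port, flags in packets:
        total[src] += 1
        if is_control(flags):
            control[src] += 1
    return {src: control[src] / total[src] for src in total}


def irc_hosts(packets: Iterable[Packet]) -> Set[str]:
    """Hosts that talked to an IRC port: the channel/mesh side of the algorithm."""
    return {src for src, _dst, port, _flags in packets if port in IRC_PORTS}


def flag_suspects(packets: List[Packet], threshold: float = 0.5) -> List[Tuple[str, float]]:
    """IRC-connected hosts whose work weight is high enough to suggest
    scanning or worm behaviour. A pure chat client stays near zero because
    almost all of its packets carry data (PSH/ACK), not connection control."""
    weights = work_weights(packets)
    on_irc = irc_hosts(packets)
    return sorted((ip, w) for ip, w in weights.items() if ip in on_irc and w >= threshold)


if __name__ == "__main__":
    for ip, w in flag_suspects(SAMPLE_PACKETS):
        print(f"{ip}: work weight {w:.2f} while on IRC - possible bot")
```

As the paragraph notes, this check says nothing about what the IRC commands contain, so it keeps working when the channel traffic is encoded, but it only sees hosts whose scanning happens on the monitored segment.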

4.3 DNS Monitoring

Since bots send queries to DNS servers to find their C2, if we are able to intercept the domain names, botnet traffic can be captured through a DNS blacklist [41, 42]. In fact, this also provides an important secondary means of disabling a botnet's ability to spread [11]. H. Choi et al. [41] examined the characteristics of botnet DNS. According to their analysis, botnet DNS queries can easily be distinguished from legitimate ones [41]. First, only bots send DNS queries for the C2 server's domain; legitimate hosts never do [41]. Second, the members of a botnet act together and migrate at the same time, including in their DNS queries, whereas legitimate queries are produced continuously and vary [41]. Third, legitimate hosts rarely use DDNS, while botnet C2 normally uses DDNS servers [41]. Based on the above characteristics, they developed an algorithm to identify botnet DNS queries [41]. Its main idea is to calculate the similarity of group activity, whose value distinguishes a botnet. The similarity value is defined as 0.5 (C/A + C/B), where A and B are the sizes of the two lists of IP addresses that requested the same domain at different times, and C is the number of IP addresses common to both lists [41]. When the two lists largely coincide, the domain is suspected of botnet group activity [41].
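An added example (not code from the page or from [41]) of the group-activity similarity just described: it splits a DNS query log into time windows, builds the per-domain list of requesting IP addresses for each window, and scores consecutive windows with 0.5 (C/A + C/B). The query log, the window size, the minimum group size and the alert threshold are constructed assumptions.

```python
"""Group-activity similarity for DNS queries, following the definition surveyed
above (Choi et al. [41]): S = 0.5 * (C/A + C/B). Added example; the query log,
window size, minimum group size and alert threshold are constructed assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Query = Tuple[int, str, str]  # (timestamp_seconds, client_ip, queried_domain)

# Constructed DNS query records. Domains are placeholders, not real indicators.
SAMPLE_QUERIES: List[Query] = [
    # window 0 (t < 600): four hosts resolve the same C2 name almost at once
    (10, "10.0.0.11", "c2.example.invalid"),
    (11, "10.0.0.12", "c2.example.invalid"),
    (11, "10.0.0.13", "c2.example.invalid"),
    (12, "10.0.0.14", "c2.example.invalid"),
    # window 0: assorted hosts resolve a popular legitimate name
    (20, "10.0.0.11", "www.example.com"),
    (25, "10.0.0.21", "www.example.com"),
    (30, "10.0.0.22", "www.example.com"),
    # window 0 and 1: one printer re-resolving its own server (not a group)
    (40, "10.0.0.30", "printer.corp.example"),
    # window 1 (t >= 600): the same group of four migrates together again
    (700, "10.0.0.11", "c2.example.invalid"),
    (701, "10.0.0.12", "c2.example.invalid"),
    (701, "10.0.0.13", "c2.example.invalid"),
    (702, "10.0.0.14", "c2.example.invalid"),
    # window 1: a different, shifting set of hosts resolve the legitimate name
    (720, "10.0.0.23", "www.example.com"),
    (730, "10.0.0.24", "www.example.com"),
    (740, "10.0.0.11", "www.example.com"),
    (750, "10.0.0.30", "printer.corp.example"),
]


def ip_lists(queries: Iterable[Query], window_seconds: int) -> Dict[str, Dict[int, Set[str]]]:
    """domain -> window index -> set of client IPs that queried it in that window."""
    lists: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ts, ip, domain in queries:
        lists[domain][ts // window_seconds].add(ip)
    return lists


def similarity(a: Set[str], b: Set[str]) -> float:
    """0.5 * (C/A + C/B) with A = |a|, B = |b|, C = |a & b|; 0.0 for empty lists."""
    if not a or not b:
        return 0.0
    c = len(a & b)
    return 0.5 * (c / len(a) + c / len(b))


def group_activity(queries: List[Query], window_seconds: int = 600,
                   min_group: int = 2) -> Dict[str, float]:
    """Highest similarity between consecutive windows for each domain.
    Windows with fewer than min_group requesters are skipped so that a single
    host re-resolving its own name does not score a trivial 1.0."""
    scores: Dict[str, float] = {}
    for domain, windows in ip_lists(queries, window_seconds).items():
        idx = sorted(windows)
        best = 0.0
        for w1, w2 in zip(idx, idx[1:]):
            a, b = windows[w1], windows[w2]
            if len(a) >= min_group and len(b) >= min_group:
                best = max(best, similarity(a, b))
        scores[domain] = best
    return scores


def suspicious_domains(queries: List[Query], window_seconds: int = 600,
                       min_group: int = 2, threshold: float = 0.8) -> List[str]:
    """Domains whose requester lists largely coincide across windows."""
    scores = group_activity(queries, window_seconds, min_group)
    return sorted(d for d, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    for domain, score in sorted(group_activity(SAMPLE_QUERIES).items()):
        print(f"{domain}: similarity {score:.2f}")
    print("suspected group activity:", suspicious_domains(SAMPLE_QUERIES))
```

The popular legitimate name scores only 1/3 here because its requesters keep changing, which is the contrast the second characteristic above relies on; a corporate name that every desktop resolves at the same scheduled time would score high too, so the third characteristic (DDNS use) is a useful second filter.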

There are other approaches. Dagon et al. [42] presented a method that examines the rate of DDNS domain lookups. Abnormally high or temporally concentrated rates are suspicious, because attackers often change their C2 servers [44]. They used the Mahalanobis distance and Chebyshev's inequality to quantify how abnormal the rate is [44]. Schonewille et al. [43] found that when C2 servers are removed, the DDNS reply for the name is often an error. Hosts that repeatedly make such requests could be infected and are therefore suspect [43]. In [44], the authors evaluated the two methods through real-world experiments. They argued that Dagon's approach was not as effective, because some C2 servers with short TTL fields were misclassified, whereas Schonewille's method is comparatively effective because the suspect names come from independent individuals [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It is able to automatically detect botnets of any structure. RB-Seeker first gathers information on the redirection activities of bots (e.g. temporal and spatial) from two subsystems. It then uses DNS queries and statistical methodology to study the domains and distinguish the legitimate from the malicious. The experimental results show that RB-Seeker is an effective tool for detecting both "aggressive" and "stealthy" botnets.

5. STRONG CRYPTOGRAPHY

5.1 Tamper-proof control and update system

A key aspect of botnet management is the authenticity and integrity of commands. A bot must only accept the orders of its botmaster. In practice, botmasters often use only a very weak form of authentication, e.g. a simple password scheme before submitting a command. Even where botnets use stronger authentication schemes, these can generally be broken; e.g. the Storm Worm uses 64-bit RSA, which can be defeated. In centralised IRC botnets, the lack of authenticity could for example be overcome by a patch on the IRC server used for control, so that only the botmaster can send messages to the designated channel. In the case of a decentralised peer-to-peer network, however, the botmaster must ensure that no hostile party, such as law enforcement or other groups, can poison the botnet by injecting malicious commands.

Asymmetric cryptography provides a simple but effective way to do this: before releasing a bot into the wild, the botmaster creates a public/private key pair, and the former is embedded in the bot binary. This allows the botmaster to sign all commands or files with its private key. All peers in the bot network are able to verify the commands using the embedded public key, but given a reasonable key length (e.g. 2048-bit RSA), a defender will not succeed in forging the signature.

5.2 Renting a botnet

With the help of public-key cryptography, a botmaster can act as a certification authority, which provides an effective way to rent the botnet to others, in whole or in part, for a variable amount of time. To protect against tenants with malicious purposes, it is advisable to implement a blacklist containing all invalidated public keys. This blacklist is stored on every bot, and the botmaster can add or remove public keys with a command signed by its private key. In this way, all certificates belonging to an attacker can be revoked.

But such a blacklist is of little use against attacks that need only a short time to complete. For example, a malicious tenant of the botnet could purchase a certificate for e-mail distribution and abuse it by ordering all the bots to send an e-mail to a specified address, revealing their IP addresses or other sensitive data. In fact, an attacker could easily gain valuable information about the size and general structure of a botnet. Therefore, renting out a botnet should be considered an option to be used cautiously by a botmaster.

6. COUNTERMEASURES

Classic worms need only a couple of hours to reach everyone from a single host. If a worm-based botnet starts simultaneously from multiple computers, it can infect the majority of vulnerable hosts in the world in a matter of minutes [7]. Some botnets have been discussed in the previous sections. However, many of them remain unknown. Reducing the risk posed by botnets in the future is the topic of this section.

6.1 Countermeasures against botnet attacks

Unfortunately, few solutions exist so far for a host facing a DoS attack from a botnet [3]. Although it is difficult to find malicious host patterns, network administrators can identify botnet-based attacks on their systems using the passive operating-system fingerprinting of the latest firewalls [3]. In the botnet life cycle, bots often use free DNS hosting services to redirect a subdomain to an unreachable IP address; therefore removing these services can take down a botnet [3]. At present, many companies are focusing on security features to stop botnets [3]. Some of them protect consumers, while most others are designed for providers or enterprises [3]. Different products try to identify bot behaviour, as anti-virus software does. The enterprise products have no better solutions than null-routing DNS entries or shutting down the IRC and other key servers after a botnet attack has been identified [3].

6.2 Countermeasures for the public

Personal safety inevitably depends on one's communication partners [7]. Building a good relationship with these partners is essential. First, we must continually ask the service provider for security packages, such as firewalls, anti-virus toolkits, intrusion detection, etc. [7]. Once something goes wrong, there must be a phone number to call [7]. Second, we must also monitor network traffic and report to the provider in case of a DDoS attack; ISPs can help block malicious IP addresses [7]. Third, it is better to establish responsibilities for your system, with enforcement authority [7]. In particular, academia and industry have proposed strategies for both users and system administrators to prevent, detect and respond to botnet attacks [16, 18]. We summarise their suggestions.

6.2.1 Home users

Table II: Rules for home users: prevention [18]

Type | Strategies
Personal habits | Take care when downloading; avoid installing unnecessary software; read carefully before clicking
Routine | Use anti-virus/anti-trojan utilities; update the system frequently; shut down the PC when leaving
Optional operations | Back up all systems regularly; keep all software updated; deploy a personal firewall

6.2.2 System Administrator

Similarly, there are rules for the system administrator to prevent, detect and respond to botnet attacks [16, 18]. For prevention, the administrator should follow the vendor's updates for the system and applications [18], stay informed of the latest vulnerabilities, and use access control and log files to achieve accountability [18]. The detection rules illustrated in Table III can help system administrators minimise the possibility of a botnet attack.

Table III: Rules for detection by system administrators [18]

Rule | Note
Monitor logs regularly | Analyse Internet traffic for anomalies
Use a network packet sniffer | Identify malicious traffic in the intranet
Isolate the malicious subnet | Check IRC host activity
Scan personal computers | They may contain viruses

Once an attack is detected, the system administrator must isolate the compromised hosts [16]. Then the data on the infected hosts, including log files, should be preserved [16]. In addition, the number of victims should be identified with sniffer tools [16]. Finally, the infection should be reported to the security advisor [16].
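The following is an added example, not code from the paper or from [16, 18], showing how the "monitor logs" and "check IRC host activity" rules of Table III and the "identify the number of victims" step can be applied to connection logs: intranet hosts with repeated outbound flows to the IRC port are flagged, counted, and grouped by /24 so the affected subnet can be isolated. The log format, the 10.0.0.0/8 intranet range, the use of port 6667 only, and the two-connection threshold are assumptions for the example.

```python
"""Added example (not from the paper): flag intranet hosts with repeated
outbound IRC connections in constructed log lines and group them by subnet."""
from collections import defaultdict
import ipaddress

# Constructed sample of firewall/flow log lines: timestamp src dst dport proto
SAMPLE_LOG = """\
2009-02-01T10:00:01 10.1.2.15 203.0.113.5 6667 tcp
2009-02-01T10:00:03 10.1.2.15 203.0.113.5 6667 tcp
2009-02-01T10:00:05 10.1.2.16 203.0.113.5 6667 tcp
2009-02-01T10:00:07 10.1.3.9 198.51.100.7 80 tcp
2009-02-01T10:00:09 10.1.2.15 203.0.113.5 6667 tcp
2009-02-01T10:00:11 10.1.3.9 203.0.113.5 6667 tcp
2009-02-01T10:00:13 10.1.2.15 203.0.113.5 6667 tcp
2009-02-01T10:00:15 10.1.3.9 203.0.113.5 6667 tcp
"""

IRC_PORTS = {6667}                              # assumed: default IRC port only
INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto

def find_irc_hosts(log_text, min_connections=2):
    """Return {src_ip: count} for intranet hosts with repeated outbound IRC flows.
    A single connection is treated as noise; repeated ones suggest a C&C channel."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, src, dst, dport, proto = parse_line(line)
        if src in INTRANET and dst not in INTRANET and proto == "tcp" and dport in IRC_PORTS:
            counts[str(src)] += 1
    return {host: n for host, n in counts.items() if n >= min_connections}

def group_by_subnet(hosts, prefix=24):
    """Map each /prefix subnet to the suspect hosts inside it (isolation candidates)."""
    subnets = defaultdict(list)
    for host in hosts:
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        subnets[str(net)].append(host)
    return dict(subnets)

if __name__ == "__main__":
    suspects = find_irc_hosts(SAMPLE_LOG)
    print("suspect hosts:", suspects, "victims:", len(suspects))
    print("subnets to isolate:", group_by_subnet(suspects))
```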

7. CONCLUSION, CHALLENGES AND OUTLOOK

To better understand botnets and eventually stop their attacks, this paper has given an overview of existing botnet research. The discussion covered the formation and operation of botnets and two typical topologies.

From the analysis in Section 2 we draw several observations on the different topologies. For IRC botnets, the thorny problem is that the source of most bots cannot be obtained; therefore a thorough analysis of bot behaviour at the network and system level is the only way to characterise their activity. For P2P-based botnets, several practical problems still need to be taken into account: (1) keeping the remaining bots working after a few have been captured by defenders, (2) hiding the network topology of the zombies when some bots are captured by defenders, (3) making botnet management easier, and (4) changing traffic patterns more often so that detection becomes harder.

As can be seen, detecting and tracking a botnet from the moment of compromise remains a difficult task. Traffic fingerprinting is useful for identifying botnets, but, like the signature-based techniques in Section 3, its disadvantages are obvious: it needs an up-to-date knowledge base for every bot released in the world, which seems an impossible mission. Anomaly detection is another possible approach; however, when infected hosts do not behave unusually, it may be unable to detect the threat. Since current detection technology depends on an attack event having occurred, nothing guarantees that we will find the potential hosts. An interesting question about anomaly detection is time efficiency: if an attack occurs and we can act on the anomaly first and resolve the relevant issues before it is used with malicious intent, anomaly detection is time-efficient. Future work should focus on time efficiency.

In the wireless context, especially ad hoc networks, we found no research on attack and defence measures. Many questions remain open: (1) how the shortest path to a target is found, (2) how compromised hosts avoid detection by wireless network servers, and (3) how spam is distributed over a wireless network, especially before some compromised hosts come online.

Other interesting open issues must also be addressed. To the best of our knowledge, DDoS attacks from botnets cannot currently be prevented. Even when the attack is detected, there is no effective means to monitor and control it; instead, the compromised hosts are simply shut down or disconnected from the network, pending further action such as anti-virus cleaning or reinstallation of the operating system. In effect, what we need is to prevent the multiplication of bots in the first place. Perhaps the only effective method of removing botnets would be new protocols deployed on routers worldwide, but that is a huge project beyond present reality. Why not consider installing a local gateway instead? If the gateway could block communication between bots across several domains, the attacker could not easily administer compromised hosts throughout the world. Meanwhile, the gateway could provide information about where malicious commands came from; with abundant evidence available over the network, it would be possible to act before the first attack. Implementing this idea is very difficult, however, for the following reasons: (1) it is difficult to distinguish malicious packets in the traffic flow, (2) cooperation across domains is not easy, and the possibility that some gateways are themselves compromised must be taken into account, and (3) how to trace the attack so that further analysis is possible still needs to be studied.

REFERENCES

[1] K. Ono, I. Kawaishi, and T. Kamon, "Evolution of botnet," in 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, Canada, October 2007, pp. 243-249.

[2] Wikipedia, "Internet bot" [Online]. Available: http://en.wikipedia.org/wiki/Internet_bot.

[3] Wikipedia, "Botnet" [Online]. Available: http://en.wikipedia.org/wiki/Botnet.

[4] B. Thuraisingham, "Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic," in IEEE International Conference on Intelligence and Security Informatics (ISI 2008), Taipei, Taiwan, June 2008, pp. xxix-xxx.

[5] C. Mazzariello, "IRC traffic analysis for botnet detection," in Fourth International Conference on Information Assurance and Security, Naples, Italy, September 2008, pp. 318-323.

[6] B. McCarty, "Botnets: Big and bigger," IEEE Security & Privacy, vol. 1, no. 4, pp. 87-90, July 2003.

[7] G. P. Schaffer, "Worms and viruses and botnets, oh my! Rational responses to emerging Internet threats," IEEE Security & Privacy, vol. 4, no. 3, pp. 52-58, May 2006.

[8] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in ICNP '02: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, November 2002, pp. 312-321.

[9] P. Bächer, T. Holz, M. Kötter, and G. Wicherski, "Know your enemy: Tracking botnets" [Online]. Available: http://www.honeynet.org/papers/bots/.

[10] T. Holz, S. Marechal, and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, pp. 72-75, March/April 2006.

[11] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," in Proceedings of the 6th ACM SIGCOMM Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006, pp. 41-52.

[12] E. Levy, "The making of a spam zombie army: Dissecting the Sobig worms," IEEE Security & Privacy, vol. 1, no. 4, pp. 58-59, July 2003.

[13] D. Cook, J. Hartnett, K. Manderson, and J. Scanlan, "Catching spam before it arrives: Domain specific dynamic blacklists," in Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Hobart, Australia, January 2006, pp. 193-202.

[14] J. Jung and E. Sit, "An empirical study of spam traffic and the use of DNS black lists," in IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Italy, October 2004, pp. 370-375.

[15] A. Ramachandran, N. Feamster, and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Volume 2, San Jose, USA, 2006, pp. 8-8.

[16] J. Govil, "Examining the criminology of bot zoo," in 6th International Conference on Information, Communications and Signal Processing, Singapore, December 2007, pp. 1-6.

[17] P. Barford and V. Yegneswaran, "An inside look at botnets," in Advances in Information Security series, Springer, 2006.

[18] R. Puri, "Bots and botnets: An overview," Technical report, SANS Institute, 2003.

[19] W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, "Detecting botnets with tight command and control," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 195-202.

[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior," in Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington DC, USA, January 2007, pp. 82-82.

[21] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), San Jose, USA, 2006, pp. 7-7.

[22] E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Cambridge, USA, 2005, pp. 6-6.

[23] C. Livadas, R. Walsh, D. Lapsley, and W. T. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 967-974.

[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm worm," in Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, USA, April 2008, pp. 1-9.

[25] P. Wang, S. Sparks, and C. C. Zou, "An advanced hybrid peer-to-peer botnet," in Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, July 2008, pp. 2-2.

[26] R. Lemos, "Bot software looks to improve peerage" [Online]. Available: http://www.securityfocus.com/news/11390.

[27] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy, vol. 1, no. 1, pp. 82-87, January 2003.

[28] J. Stewart, "Sinit P2P Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/sinit/.

[29] J. Stewart, "Phatbot Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/phatbot.

[30] F. C. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," Lecture Notes in Computer Science, vol. 3679, Springer-Verlag, Germany, 2005, pp. 319-335.

[31] K. Chiang and L. Lloyd, "A case study of the Rustock rootkit and spam bot," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 10-10.

[32] A. Brodsky and D. Brodsky, "A distributed content independent method for spam detection," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 3-3.

[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, "Spamming botnets: Signatures and characteristics," in Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, Seattle, USA, August 2008, pp. 171-182.

[34] C. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," in 2006 International Conference on Dependable Systems and Networks, Philadelphia, USA, June 2006, pp. 199-208.

[35] J. Corey, "Advanced honey pot identification and exploitation" [Online]. Available: http://www.phrack.org/fakes/p63/p63-0x09.txt, 2004.

[36] K. Seifried, "Honeypotting with VMware basics" [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.

[37] Honeyd Security Advisory 2004-001, "Remote detection via simple probe packet" [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.

[38] J. Bethencourt, J. Franklin, and M. Vernon, "Mapping Internet sensors with probe response attacks," in Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, August 2005, pp. 193-208.

[39] N. Krawetz, "Anti-honeypot technology," IEEE Security & Privacy, vol. 2, no. 1, pp. 76-79, January 2004.

[40] S. Racine, "Analysis of Internet Relay Chat usage by DDoS zombies," Master's thesis, Swiss Federal Institute of Technology Zurich, April 2004.

[41] H. Choi, H. Lee, H. Lee, and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Washington DC, USA, October 2007, pp. 715-720.

[42] D. Dagon, "Botnet detection and response: The network is the infection" [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf, 2005.

[43] A. Schonewille and D. J. van Helmond, "The Domain Name Service as an IDS," Master's project, University of Amsterdam, Netherlands, February 2006. Available: http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf.

[44] R. Villamarín-Salomón and J. C. Brustoloni, "Identifying botnets using anomaly detection techniques applied to DNS traffic," in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, Las Vegas, USA, January 2008, pp. 476-481.

[45] Y. Kugisaki, Y. Kasahara, Y. Hori, and K. Sakurai, "Bot detection based on traffic analysis," in Proceedings of the 2007 International Conference on Intelligent Pervasive Computing, Washington DC, USA, October 2007, pp. 303-306.

[46] C. Langin, H. Zhou, and S. Rahimi, "A model for using refused Internet traffic to indirectly discover internal network security problems," draft submitted to WIDA08.

[47] K. Pappas, "Back to basics to fight botnets," Communications News, vol. 45, no. 5, p. 12, May 2008.

[48] X. Hu, M. Knysz, and K. G. Shin, "RB-Seeker: Auto-detection of redirection botnets," in Proceedings of the 16th Network and Distributed System Security Symposium (NDSS '09), February 2009.

[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu, and J. Cangussu, "Email shape analysis for spam botnet detection," in Consumer Communications and Networking Conference (CCNC 2009), January 2009, pp. 1-2.

About the Authors

1. G. Satyavathy, Lecturer, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.
2. Dr. M. Punithavalli, Director and Head, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.
