Botnet Detection Techniques: Review, Future Trends, and Issues*
Total Page:16
File Type:pdf, Size:1020Kb
Karim et al. / J Zhejiang Univ-Sci C (Comput & Electron) 2014 15(11):943-983 943 Journal of Zhejiang University-SCIENCE C (Computers & Electronics) ISSN 1869-1951 (Print); ISSN 1869-196X (Online) www.zju.edu.cn/jzus; www.springerlink.com E-mail: [email protected] Review: Botnet detection techniques: review, future trends, and issues* Ahmad KARIM†1, Rosli Bin SALLEH1, Muhammad SHIRAZ1, Syed Adeel Ali SHAH1, Irfan AWAN2, Nor Badrul ANUAR1 (1Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia) (2Department of Computer Science, University of Bradford, Bradford BD7 1DP, UK) †E-mail: [email protected] Received Aug. 31, 2013; Revision accepted Jan. 23, 2014; Crosschecked Oct. 15, 2014 Abstract: In recent years, the Internet has enabled access to widespread remote services in the distributed computing envi- ronment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open. Key words: Botnet detection, Anomaly detection, Network security, Attack, Defense, Taxonomy doi:10.1631/jzus.C1300242 Document code: A CLC number: TP393.08 1 Introduction reporting widespread malware infections which affect millions of systems around the world. As a result, The latest developments in the communication botnets, which are remotely controlled networks of and computing technologies have directed users to- hijacked computers, have become popular. The basic wards distributed computing. E-email, web applica- aim of these distributed coordinated networks is to tions, and voice over IP applications are common initiate various malicious activities over the network examples of distributed services employed over the including phishing, click fraud, spam generation, Internet; however, malicious software has acquired an copyright violations, key logging, and most im- important position in the evolving distributed com- portantly, the denial of service (DoS) attacks. Botnets puting models. Software containing malicious func- are viewed as serious threats to network resources tionality has existed ever since the earliest use of over the Internet (Fossi et al., 2011). Currently, there programmable systems; however, malware often has is an increasing competition in the botnet market (Bu limited or just local impact. In recent years, the suc- et al., 2010). A number of new programs were intro- cess of the Internet has become a starting point for duced in the beginning of 2010, such as Buga, Spy Eye, Clod, and Filon (Truhanov, 2010), for the im- plementation of botnets. Moreover, the basic ap- * Project supported by University of Malaya, Malaysia (No. FP034- 2012A) proach of a botmaster is to preserve the bots for the © Zhejiang University and Springer-Verlag Berlin Heidelberg 2014 longest time to achieve the maximum benefit. 944 Karim et al. / J Zhejiang Univ-Sci C (Comput & Electron) 2014 15(11):943-983 Therefore, for the maximum benefit attainment, bots 2008; Choi et al., 2009). Botnet detection is currently use different vigorous invasive approaches to hide an ongoing challenge for researchers and organiza- their malicious intension. For instance, malware code tions. Botnets are considered moving targets, which can be hidden in a form that may not be detected by means all the aspects of botnets including detection, various signature based antivirus software. Moreover, mitigation, and response are changing over time; bots use standard/common protocols, e.g., HTTP, therefore, no mitigation or detection technique offers Internet Relay Chat (IRC), and peer-to-peer (P2P), to a permanent solution. Similarly, different types of carry out their communications and try to set activity stakeholders, for instance, enterprises, governments, levels below normal computer/user levels (di Pietro networks, and Internet service providers (ISPs), have and Mancini, 2008). different ways and goals to address the issue of bot- As a result, a number of commercial, non- nets. Moreover, with the advent of new technologies commercial, and government organizations have been and increase in the knowledge base, the expertise of the targets for botnet attackers. For example, Estonia botmasters is improving in evading botnet detection in 2007 and Georgia in 2008 were out of service for techniques and trying to rally sophistication for the several days because of DDoS attacks (Nazario, command and control (C&C) architecture. 2009). In addition, the Stuxnet botnet (Falliere et al., Currently, a number of review articles (Paxton et 2011) was observed in 2009, causing cooperate in- al., 2007; Bailey et al., 2009; Feily et al., 2009; Jing et tellectual property to be stolen by capturing SCADA al., 2009; Li et al., 2009; Shin and Im, 2009; systems. In October 2009, the FBI disclosed that its Zeidanloo and Manaf, 2009; Marupally and Paruchuri, losses due to a botnet attack were valued at more than 2011; Plohmann et al., 2011; Silva et al., 2013; 100 million dollars. The intensity of DDoS attacks, Rodríguez-Gómez et al., 2013) are available, which which are considered the most dangerous attacks, is cover only the botnet techniques before 2009 and increasing with the growing use of the Internet. therefore lack analysis of the latest trends in the Therefore, botnets act as a platform for launching state-of-the-art for the botnet detection phenomenon. worms or viruses instantaneously with the help of bot Feily et al. (2009) classified the botnet phenomenon (infected machine) enemies. Statistics show that and categorized botnet detection techniques into four botnet is becoming the curse problem of the current broad categories: signature-, DNS-, mining-, and times. Some reports indicate that more than 80% of anomaly-based. Moreover, they provided a compar- the Internet traffic is propagating through botnets ison chart to highlight the importance of these tech- such as Grum, Cutwail, and Rustock botnets (Mador, niques with respect to their detection approaches such 2012). Although such network spam attacks can be as unknown bot detection, protocol and structure controlled at their destination end, they can still ini- independence, encrypted detection, real-time detec- tiate such attacks and greatly distribute spams through tion, and low false positive rate. Similarly, Bailey et al. network backbones, which will result in the abundant (2009) and Shin and Im (2009) primarily focused on utilization of network resources. It was reported that the botnet environment in general and characterized the distribution of a botnet is as cheap as distributing botnets based on propagation mechanisms (OS, ser- 10 000 bots for only 15 USD (Mador, 2012). The vices, applications, and social engineering), C&C International Telecommunication Union (ITU) re- topologies (centralized C&C, P2P, unstructured), and ported that the malware distribution has caused a different attack classes (DDoS, identity theft, spam, damage of 13.2 billion to 67.2 billion USD to the phishing). Moreover, Bailey et al. (2009) classified global market during the years 2005 to 2007 (Bauer et botnet detection techniques into different approaches, al., 2008). such as detection based on corporate behavior, sig- The botnet has become a most threatening phe- natures, and attack behavior. Li et al. (2009) dis- nomenon and shown its harmful effect on network cussed the botnet and its related research based on communities over the last decade. Researchers, C&C models, infection mechanism, communication law-enforcement authorities, businesses, and indi- protocols, malicious behavior, and defensive mecha- viduals have started to discover methods to combat nisms. Jing et al. (2009) presented the basic archi- this malicious threat (Cooke et al., 2005; Ceron et al., tecture of IRC based botnet attacks, wherein Karim et al. / J Zhejiang Univ-Sci C (Comput & Electron) 2014 15(11):943-983 945 malicious activities were detected by directly moni- thematic taxonomy, analysis of current techniques by toring IRC communication patterns. This scheme discussing the implications and critical aspects, ac- correlates common traffic patterns along with the companied with identification of the open issues and additional features. Common traffic patterns that do challenges. The listing of challenges and open issues