Botnet Detection Tools and Techniques: a Review

Botnet Detection Tools and Techniques: a Review

Botnet Detection Tools and Techniques: A Review A report submitted in partial fulfillment of the requirements for the award of IASc-INSA-NASI SUMMER RESEARCH FELLOWSHIP sponsored by Indian Academy of Sciences, Bangalore By KANCHAN M. BHALE Reg No.- ENGT89 Under the guidance of Dr. B.M.Mehtre Centre for Cyber Security Institute for Development and Research in Banking Technology Established by Reserve Bank of India Castle Hills, Road No.1, Masab Tank, Hyderabad-57, Telangana. June-2016 DECLARATION I hereby declare that the project work entitled Botnet Detection Tools and Tech- niques : A Review submitted to Indian Academy of Sciences, Banglore and at IDRBT, Hyderabad is prepared by me and was not submitted to any other institution for award of any other fellowship for the best of my knowledge. Kanchan M. Bhale Reg. No. ENGT89 i CERTIFICATE OF APPROVAL This is to certify that the project report entitled Botnet Detection Tools and Techniques : A Review submitted to the Indian Academy of Sciences, Banglore and at IDRBT by KANCHAN MOHANIRAJ BHALE, bearing Registration No.: ENGT89, in the partial fulfillment for the requirement for the award of IASc-INSA- NASI SUMMER RESEARCH FELLOWSHIP is a bonafide work carried out by her under my supervision and guidance.The matter submitted in this report is original and has not been submitted for the award of any other fellowship. Dr. B. M. Mehtre (Project Guide) Associate Professor, Center for Cyber Security, IDRBT, Hyderabad ii Abstract A Bot is a type of malware that allows an attacker to take control of infected machine. The Botnet is a network of bots. A Bot infected machine is often called as zombie and cybercriminals who control these bots are called Botherders or Botmasters. Bots are often spread themselves across internet by searching for vulnerable machines to expand. The way the bots are controlled depends upon architecture of botnet Command and Control (C&C) mechanism which may be based on Internet Relay Chat (IRC) or HTTP or Peer to Peer(P2P). Botnet is widely used to carry out malicious activities like Distributed Denial of Service(DDoS) attacks, sending spam mails and click frauds. In recent years, botnet based attacks have become more sophisticated and can bypass all security safeguards. Botnet detection techniques are broadly based on either setting up of a honeypot to collect bot binaries or developing intrusion detection system. The intrusion detection system (IDS) identify botnet traffic by monitoring network and system logs. It can be based on anomaly behavior or signature or DNS. The Netflow analyzer is popular tool for detecting botnet anomaly based detection.The Snort, Suricata, Ntop, Bothunter are other tools which are based on signatures of botnet. The DNS based botnet traffic is monitored by Wireshark. The BotMiner tool uses clustering algorithm to detect botnet. Zeus toolkit is popular among hackers community for analysis of botnet internals. We tested and analyzed Zeus toolkit and Snort IDS for botnet detection. The performance of Snort IDS evaluated on CTU-13 datasets. The CTU-13 contains thirteen datasets of different botnets. The overall efficiency of the present Snort rules for botnet detection is 70 % for all datasets but for some datasets like BOTNET-44, 47, and 49 is very less. The Snort rules are revised and tested on the same datasets. These revised rules contains the new botnet signatures that was not present in old Snort rules. Because of addition of new signatures, the botnet detection efficiency improved to upto 80% and there is significant improvement for datasets like BOTNET-44, 47, and 49. iii ACKNOWLEDGMENT I would like to thank God who gave me the grace and privilege to pursue this pro- gram and successfully complete it in spite of many challenges faced. I express my deepest gratitude to my beloved guide, Dr. B. M. Mehtre, for his precious guidance, valuable suggestions and time that he invested throughout the work. His inspiring suggestions and encouragement helped me in all the time of my research and writing of this report. I would like to express special thanks to, Prof. V.U. Deshmukh, Principal, Vidya Pratishthan's College of Engineering, for encouraging me to attend this program. Finally, I thankful to my family members for their silent sacrifice and heartening inspira- tion that helped me lot. Kanchan M. Bhale Reg.No.- ENGT89 iv Contents Abstract iii List of Figures vi 1 Introduction 1 1.1 Introduction . .1 1.2 Motivation . .3 1.3 Problem Statement . .4 1.4 Organization of the Report . .4 2 Literature Survey 5 2.1 Botnet in DDoS Attacks: Trends and Challenges . .5 2.2 Botnet Detection Techniques: Review, Future Trends, and Issues . .6 2.3 Detecting Botnet by Anomalous Traffic . .7 2.4 An Empirical Comparison of Botnet Detection Methods . .8 3 Evaluation of Botnet Detection Tools and Techniques 11 3.1 Zeus Toolkit Evaluation . 11 3.1.1 Zeus Botnet Network Analysis . 12 3.2 Snort Intrusion Detection System . 13 3.2.1 Snort Rule Sets . 14 3.3 CTU-13 Datasets . 15 4 Proposed Approach 17 4.1 Proposed System Architecture . 17 4.2 Experimental Results . 18 5 Conclusion 20 Bibliography List of Figures 1.1 Bot Lifecycle . .2 1.2 Botent Architecture . .3 2.1 DDoS attack using Botnet . .6 2.2 Taxonomy of Botnet Detection Techniques . 10 3.1 Zeus Toolkit . 11 3.2 Network Traffic Capture of Zeus bot . 13 3.3 Snort Rule Header Format . 14 4.1 Evaluation System Architecture . 17 Chapter 1 Introduction 1.1 Introduction A Bot is an autonomous program automatically perform task without knowing to a real user. A collection of machines which run such autonomous bot is called as botnets. Bot is remotely controlled by command and control server. The black-hat developers cre- ated highly sophisticated malwares that are difficult to detect and remove. Bot program is stealthy during its whole life cycle. They had generated relatively small network footprint and most of time remains ideal for stealing information. The concept of remote-controlled computer bot originated from Internet Relay Chat (IRC). It provides one to many com- munications channels and support very large number of concurrent users. Eggdrop was first bot developed in 1993. As internet connects billions of computers, tablets, smart phones together to share the information across the globe, peoples are relying on these technologies to share their per- sonal as well as business information.The black hat hackers used its vulnerabilities to perform attacks. The initial intention of these cyber criminals was just to gain fame but over the period they are doing criminal activities to earn money. The bot lifecycle consists of following phases shown in figure 1.1 • Creation: Firstly, botmaster develop his software mostly by extending previous code or by adding new features. This is very well tested in isolated environment. • Infection: There are many ways for infecting victims machine through software vul- nerabilities, email attachments and trojan horse. Once victims machine is infected by this software then it is called zombie. • Rallying: After infection, zombie machine attempts first and try to contact com- 1 Botmaster (C&C Server) Creation Infection Rallying Waiting Executing Figure 1.1: Bot Lifecycle mand and control machine. This process is called Rallying. In centralized botnet topology, this could be IRC or HTTP servers whereas in P2P topology zombie tries to locate peer machine and join the network. Bot program contains multi- ple addresses of servers. Some C&C servers are configured in such a way that it immediately reply to bots initial request. • Waiting: After joining to network, bot waits for command from C&C server. During this phase very little traffic is found between bot and its master. • Executing: Once the bot received command from its master, it starts executing it. After execution it sends result to bot master via C&C network. Typical commands are: scanning for new victims, sending spam, and sending DoS flood. There are two main botnet topologies: centralized and peer to peer (P2P). In centralized botnets, IRC is still pre dominant protocol of C&C channel. Now this trend is decreasing 2 and new bots come with HTTP for their C&C channel. The major drawback of centralized botnets is single point failure. If centralized entity is removed the entire network is unusable. But, modern botnets overcome this problem by using fast-flux DNS techniques. In fast flux DNS techniques it is very difficult to trace central entity. The compromised hosts are used as proxies to hide identities of true C&C servers. These hosts constantly alternates DNS configuration to resolve one hostname with multiple IP addresses. Popular examples of IRC bots are Agobot, Spybot, and Sdbot. The botnet architecture is explained by figure 1.2 There are many protocols available for Botnet Architectures Peer to Peer Centralized Hybrid Web Based Application based HTTP IRC Social VPNs HTTPS Figure 1.2: Botent Architecture P2P networks, each differing in the way nodes first join the network and the role they later play in passing traffic along. Some popular protocols are BitTorrent, WASTE, and Kademlia. 1.2 Motivation Botnets are network of compromised hosts and remotely controlled computer system. In recent years, the diversity of malware has grown almost exponentially. The main goal of botnet master is to gain financial profit from the activities they allow and other include political or even military interests. In the last few years, some applications related to botnets have taken a leading role which motivates researchers to resolve these issues. The major applications based on botnets are listed below: 3 1. Identity Theft: The major aim of the botnet master is gaining financial benefits. Botmaster auto- matically extract users data and credentials from infected hosts.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    29 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us