
A Study on Botnets with cryptography

Abstract.

As technology has developed, botnets (networks of bots) have become a major problem for the information society. Most botnet threats are characterized by their command-and-control (C&C) infrastructure: IRC servers, the common HTTP protocol [1], and more recently P2P connections; the characteristics and activities of the bots differ according to the structure of the botnet. Much research has therefore been done, and it is useful to categorize botnets and classify bot defense mechanisms. Bot activity leads to many negative effects, such as DDoS (Distributed Denial of Service) attacks and spam. Mechanisms for bot detection and defense can be classified as C&C-based bot detection and P2P-based bot detection. A vital aspect of botnet administration is the authenticity and integrity of commands. Asymmetric cryptography provides a simple but effective way to achieve this, and the methodology is discussed here.

Keywords: botnet, bot detection, P2P bot, C&C bot, cryptography

1. INTRODUCTION

The untraceability of coordinated attacks is exactly what hackers/attackers want when they compromise a computer or a network for illegal purposes. Once a group of hosts at different locations is controlled by a malicious individual or organization to launch an attack, it can almost never be traced, because of the complexity of the Internet. For this reason, the growing number of incidents threatening legitimate Internet activities, such as information leakage, click fraud, denial of service (DoS) and e-mail spam, has become a very serious problem today [1]. The victims controlled by coordinated attackers are called zombies or bots, a term derived from the word "robot." The term bot commonly refers to software applications that run automated tasks over the Internet [2]. Under a command and control (C2, or C&C) infrastructure, a group of bots is capable of forming a self-propagating, self-organizing and autonomous framework called a botnet [3]. In general, after compromising a number of systems, the botnet master (also called the herder or author) remotely controls the bots by installing worms, trojans or backdoors on them [3]. Most of these victims run the Microsoft Windows operating system [3]. The process of stealing the resources of the hosts that make up a botnet is called "scrumping" [3].

Botnets can be classified into two broad categories according to their topologies [4]. The typical and most common type is the Internet Relay Chat (IRC) based botnet. Because of its centralized architecture, researchers have designed some feasible countermeasures to detect and destroy these botnets [5, 6]. Consequently, new and more sophisticated hackers/attackers have started using Peer-to-Peer (P2P) technologies in botnets [4, 7]. P2P botnets are distributed and have no central point of failure. In comparison with IRC-based botnets, they are more difficult to detect and remove [4]. In addition, most existing studies of them are still in the analysis phase [4, 7].

The organization of this work is as follows. In Section 2, a classification of botnets is given. Section 3 describes the reference attacks. Section 4 discusses detection and tracking mechanisms. Section 5 discusses the use of strong cryptography in botnets. Safeguards are given in Section 6. The conclusion and future challenges are presented in Section 7.

2. CLASSIFICATION

Botnets are a new threat, with armies of infected machines numbering in the billions around the world. Bots can spread across thousands of computers at very high speed, as worms do. Unlike worms, the bots in a botnet are able to cooperate for a common malicious purpose. For that reason, botnets today play an important role in the epidemic of Internet malware [16]. In [19], W. T. Strayer et al. presented some flow-analysis figures for detecting botnets. After filtering out IRC session traffic, flow-based methods were applied to discriminate malicious IRC channels from benign ones. The methods proposed in [20] and [21] combined both application-layer and network-layer analysis. E. Cooke et al. [22] focused on IRC activities in the application layer, using information from the monitoring of network activities. Some authors have introduced machine learning techniques for the detection of botnets [23], as a way to better characterize botnets. At present, honeynets and Intrusion Detection Systems (IDS) are the two major techniques used to prevent their attacks. Honeynets can be deployed both in distributed and local contexts [9]. They are able to provide information about botnet attacks, but cannot tell details such as whether the victim has a certain worm [9]. An IDS uses signatures or reference botnet behavior to identify potential attacks. Therefore, summarizing the characteristics of botnets is significant for a secure network. To the best of our knowledge, we have not found any other work on anomaly detection based on botnet characteristics.

2.1 Formation and Operation

To illustrate the formation and operation, we take a spam botnet as an instance. The formation of a typical botnet can be described by the following steps [3]:

1) The botnet author sends out viruses or worms that infect the victims' machines; their payload is the bot.

2) The bots on the infected hosts connect to an IRC server or another means of communication, forming a botnet.

3) A spammer pays the owner of this botnet to obtain access rights.

4) The spammer sends commands to the botnet, ordering the bots to send spam.

5) The infected hosts send spam messages to different mail servers on the Internet.

2.2 IRC-based Bots

IRC is a protocol for text-based instant messaging between people connected to the Internet. It is based on the client/server (C/S) model but is well suited to distributed environments [18]. Typically, IRC servers are interconnected and pass messages from one to another [18]. Hundreds of clients can connect across multiple servers. This is the so-called multiple IRC (mIRC) setting, in which communications between clients and servers are pushed to the channel they are connected to. The functions of IRC-based bots include managing access lists, moving files, sharing clients, distributing channel information, etc. [18].

• Bot: an executable file, usually activated by a specific command issued on the IRC channel. Once the bot is installed on a victim machine, it makes a copy of itself in a configurable directory and lets the malware start with the operating system. Generally, bots are only the payload of worms or a means of opening a back door [18].

• Control channel: a secure IRC channel created by the attacker to manage all the bots.

• IRC server: can be a compromised machine or even a legitimate public service provider.

• Controller: the attacker who directs the IRC bots in the attack.

The attacker's operation has four stages [16]:

1) The creation stage, where the attacker can write malicious code or simply modify one of the numerous highly configurable bots available on the Internet [16].

2) The configuration stage, where the IRC server and channel information are set [16]. Once the bot is installed on a victim, it automatically connects to the selected host [16]. The attacker can then restrict access and secure the channel of bots for business or other purposes [16]. For example, the attacker is able to provide a list of bots to authorized users, who can customize it further and use it for their own purposes.

3) The infection stage, where bots are spread by various direct and indirect means [16]. As the name implies, direct techniques exploit vulnerabilities in services or operating systems, and are usually associated with the use of viruses [16]. Once vulnerable systems are involved, the infection proceeds in a way that saves the attacker time in adding further victims [16]. The most vulnerable systems are Windows 2000 and XP SP1; the attacker can easily find unpatched or unsecured (for example, firewall-less) hosts [16]. Indirect approaches instead use other programs as a proxy to spread bots, for example using malware distributed via DCC (Direct Client-to-Client) file sharing on IRC or P2P networks to exploit vulnerabilities of the target computers [16].

4) The control stage, where the attacker can send instructions to a group of bots through the IRC channel to perform malicious tasks.

2.3 P2P-based Bots

Few papers focus on P2P-based bots [4, 24-29, 46]. It remains a great challenge. In fact, using an ad hoc P2P network to control armies of victims is not a new technique [26]. A P2P communication system is much more difficult to disrupt. This means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. However, P2P system design is more complex, and usually there are no guarantees on message delivery or latency. A P2P-style worm known as Slapper [27] infected Linux systems in a DoS attack in 2002. Hypothetical clients were used to send commands to the compromised servers and receive responses from them [27]. Thus, its location in the network can be anonymous and is hardly monitored [27]. A year later, another P2P-based bot appeared, dubbed Sinit [28]. It used public-key cryptography to authenticate updates. Later, in 2004, Phatbot [29] was created to send commands to other compromised machines over a P2P system. Today, the Storm Worm [24] may be the most widespread P2P bot on the Internet. T. Holz et al. analyzed it using binary and network monitoring [24]. In addition, they proposed some techniques to disrupt P2P-based botnet communication, such as eclipsing the content and polluting the file.

However, the P2P bots described above are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers that can be contacted to add a new peer. This process, called bootstrapping, is a single point of failure for a P2P-based botnet [25]. For this reason, the authors in [25] presented a hybrid P2P botnet to overcome this problem.

2.4 Types of Bots

Many types of bots in the wild have already been discovered and studied [9, 16, 17]. Table I presents a number of widespread and well-known bots, along with their basic features.

TABLE I: WIDESPREAD BOTS AND THEIR FEATURES

Type | Features
---- | --------
Agobot, Phatbot, Forbot, Xtrembot | They are so common that more than 500 variants exist on the Internet today. Agobot is the only bot that can use control protocols other than IRC [9]. It offers various approaches to hide bots on compromised machines, including NTFS Alternate Data Streams, a polymorphic encryptor engine and an antivirus killer [16].
SDBot, RBot, UrBot, UrXBot | SDBot is the basis of the other three bots and probably many more [9]. Unlike Agobot, its code is unclear and has only limited functions. Still, this group of bots is widely used on the Internet [16].
SpyBot, NetBIOS, Kuang, NetDevil, KaZaa | There are hundreds of variants of SpyBot today [17]. Most of their C2 frameworks appear to be shared with or evolved from SDBot [17]. However, the code base makes no provision for accountability or for concealing its malicious purpose [17].
mIRC-based GT-Bots | GT (Global Threat) bots are mIRC-based bots. They run an mIRC chat client based on a set of binaries (mostly DLLs) and scripts [16]. They often hide the mIRC application window on compromised hosts so that it is invisible to the user [9].
DSNX Bots | The DSNX (Data Spy Network X) bot has a convenient plug-in interface for adding new functions [16]. Although the default version does not meet the requirements of spreaders, plugins can help address this problem [9].
Q8 Bots | Designed for Unix/Linux operating systems, with the common characteristics of a bot, such as dynamic HTTP updates, various DDoS attacks, arbitrary command execution, etc. [9].
Kaiten | Very similar to Q8 Bots, owing to the same execution environment and likewise the lack of a spreader. Kaiten has a remote shell, making it more convenient to check for vulnerabilities through IRC [9].
Perl-based Bots | Many variants are currently written in Perl [9]. They are so small that the bots have only a few hundred lines of code [9]. Thus, only limited basic commands are available for attacks, especially DDoS attacks on Unix-based systems [9].

3. BOTNET ATTACKS

Botnets can be used for both legitimate and illegitimate purposes [6]. One of the legitimate purposes is to support the operation of IRC channels, with administrative privileges granted to specific individuals. However, these goals do not account for the large number of bots we have seen. On the basis of the wealth of data recorded by honeypots [9], the possibilities of using botnets for criminal or destructive objectives can be classified as follows.

3.1 DDoS attacks

Botnets are often used for DDoS attacks [9], which can disable the network services of the victim system by consuming its bandwidth. For example, an author can first order the botnet to connect to a victim IRC channel, and this target can then be flooded by thousands of service requests from the botnet. In this type of DDoS attack, the victim IRC network is brought down. The evidence reveals that the attacks most commonly carried out by botnets are TCP SYN and UDP flood attacks [30].

General countermeasures against DDoS attacks require: (1) controlling a large number of infected computers, and (2) switching off the remote control mechanism [30]. However, we still need more efficient ways to prevent this type of attack. F. C. Freiling et al. [30] have presented a method to prevent DDoS attacks by examining bots hidden in honeypots.

3.2 Spamming and spreading malware

About 70% to 90% of the world's spam is caused by botnets today, which has become the most pressing issue in the Internet security industry [47, 49]. The study report indicates that once a SOCKS v4/v5 proxy (TCP/IP RFC 1928) on compromised hosts is opened by some bots, the machines can be used for nefarious tasks such as spamming. In addition, some bots are able to harvest e-mail addresses with special functions [9]. Therefore, attackers can use a botnet to send massive quantities of spam [31]. Researchers in [32] have proposed a distributed, content-independent spam classification system called Trinity, aimed at spam from botnets. The designers assume that spam bots will send a mass of e-mails within a short time. Therefore, any mail from such a host can be considered spam.

To discover the overall behavior of spam botnets and benefit future detection, Y. Xie et al. [33] have designed a spam signature generation framework called AutoRE. They also found several characteristics of spam botnets: (1) spammers often add random and legitimate URLs to the mail to evade detection [33]; (2) botnet IP addresses are usually distributed across many ASes (Autonomous Systems), with only a few participating machines in each AS on average [33]; (3) although the spam content differs, the recipients' addresses may be similar [33]. How to use these features to capture botnets and avoid spam is a valuable topic for future research. Similarly, botnets can also be used to distribute malware [9]. For example, a botnet can launch the Witty worm to attack the ICQ protocol, as the victims' systems may have no active Internet Security Systems (ISS) services [9].

3.3 Information Leakage

Because some bots can not only sniff traffic passing through the compromised machines but also monitor data within the victims, perpetrators can easily retrieve sensitive information such as usernames and passwords from bot networks [9]. The evidence indicates that botnets are becoming more sophisticated at quickly scanning for major corporate and financial data [47]. Since bots rarely affect the performance of the infected systems, they are often outside the surveillance area and difficult to capture. Keylogging is the archetypal insider attack [9, 16]. This type of bot listens for keyboard activity and then reports the relevant information to its master after filtering out meaningless entries. This allows the attacker to steal private data and thousands of card details [16].

3.4 Click Fraud

With the help of a botnet, the authors are able to install advertising add-ons and browser helper objects (BHO) for business purposes [9]. In programs like Google's AdSense, in order to get a higher click-through rate (CTR), authors can use botnets to periodically click specific hyperlinks and thus artificially boost the CTR [9]. This is also effective in online surveys or games [9]. Since each victim host has its own single IP address and the hosts are dispersed throughout the world, every single click is considered a valid action by a legitimate person.

3.5 Identity Fraud

Identity fraud, also known as identity theft, is a rapidly growing Internet crime [9]. "Phishing" mail is a typical case. It usually includes legitimate-looking URLs and asks the recipient to submit personal or confidential information. These messages can be generated and sent by a botnet through its spamming mechanisms [9]. Going a step further, botnets can also set up several fake websites posing as the official sites of a business to harvest information from victims. Once a fake site is closed by its owner, another may pop up, until the computer is shut down.

4. DETECTION AND TRACING

To date, several different approaches to identify and locate new botnets have been proposed or tried. The first and most common is the use of honeypots, where a subnet is intended to be compromised by a trojan but in fact observes the behavior of the attackers, allowing the controlling hosts to be identified [22]. In a relevant case, Freiling et al. [30] have introduced a feasible way to detect certain types of DDoS attacks launched by botnets. To start with, they use a honeypot and active responders to pick up the bot binary. They then join the botnet as a compromised machine by running the bot on the honeypot and allowing it to access the IRC server. Ultimately, the botnet is infiltrated by an unmanned "silent" collector of information, which may be useful in dismantling the botnet. Another, also commonly used, method uses a form of insider information to track an IRC-based botnet [11]. The third, but less common, approach for detecting botnets is investigating DNS caches in the network to resolve the IP addresses of the target servers [11].

4.1 Honeypot and Honeynet

Honeypots are well known for their strong ability to detect security threats, collect malware, and help understand the behavior and motivations of the authors. A honeynet, used to monitor a diverse large-scale network, consists of more than one honeypot in a network. Most researchers focus on Linux-based honeynets, for the obvious reason that, compared to any other platform, more freely available honeynet tools exist on Linux [6]. As a result, only a few tools support honeypots deployed on Windows, and they cannot proactively start dismantling intruders on the honeypot.

Some scholars point to the design of a reactive firewall or similar means to prevent multiple compromises of honeypots [6]. When a compromised port is detected by such a firewall, the attack's inbound traffic can be blocked [6]. This operation should be performed in a disguised form to avoid arousing the attacker's suspicion. The evidence tells us that less covert protection is needed against multiple honeypot compromises by worms, since worms do not usually detect its presence [6]. Because many intruders download toolkits to a victim immediately, the corresponding traffic should only be blocked selectively. These toolkits are significant evidence for future analysis. Therefore, to some extent, attackers' access to honeypots should not be prevented too thoroughly [6].

As honeypots have become more and more popular in surveillance and defense systems, attackers have started looking for ways to evade honeypot traps [34]. There are some viable techniques for detecting honeypots, for example detecting VMware or other emulated virtual machines [35, 36], or detecting the responses of faulty software in the honeypot [37]. In [38], Bethencourt et al. successfully identified honeypots using intelligent probing based on public statistics reports. In addition, Krawetz [39] presented a commercial spam tool with anti-honeypot functionality, called "Send-Safe Honeypot Hunter." By checking the response of the remote proxy, the spammer is able to detect open-proxy honeypots [39]. However, this tool cannot effectively detect honeypots other than open-proxy ones. Recently, C. C. Zou et al. [34] proposed another honeypot detection approach that is independent of software and hardware. In their article, they also introduced an effective approach to identify and remove infected honeypots using a structured P2P botnet [34]. All this evidence indicates that, if botnets become invisible to honeypots, the relevant research must be improved.

4.2 IRC-based Detection

IRC-based botnets are widely studied, so several features have been discovered to date for their detection. One of the easy ways to detect such botnets is to track traffic on the common IRC port (TCP port 6667), and then check whether the payloads match the strings in our knowledge base [22]. However, botnets can use random ports to communicate. Therefore, another approach based on the behavioral characteristics of the bots has emerged. S. Racine [40] found that IRC-based bots were often idle and responded only upon receiving a specific instruction. Therefore, connections with such features can be marked as potential enemies. However, this still yields a high false-positive rate.
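The two detection ideas in the paragraph above, signature matching on the well-known IRC ports [22] and Racine's idle-then-respond heuristic [40], as an added example that is not code from the paper or from any of the cited works. The packet trace, the host addresses, the "known command strings" and the thresholds are all constructed for the illustration; the trace deliberately includes a bot commanded over a non-standard port so that the port filter's blind spot is visible.

```python
"""Added example, not from the paper: signature- and behaviour-based
IRC botnet detection over a small constructed packet trace."""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IRC_PORTS = range(6666, 6670)  # 6666-6669, the port range observed in [45]

# Constructed knowledge base of command strings a defender has previously
# seen in bot traffic. Illustrative placeholders, not real bot signatures.
KNOWN_BOT_STRINGS = [b".scan.start", b".update http://"]


@dataclass
class Packet:
    ts: float       # seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def match_signature(payload: bytes) -> Optional[str]:
    """Return the first known command string contained in the payload, if any."""
    for sig in KNOWN_BOT_STRINGS:
        if sig in payload:
            return sig.decode()
    return None


def detect_signatures(packets: List[Packet], port_filter: bool = True) -> List[Tuple[float, str, str]]:
    """Signature detection as in [22]: optionally restrict to the well-known IRC
    ports, then match payloads against the knowledge base. Returns
    (timestamp, receiving host, matched string) for every hit."""
    hits = []
    for p in packets:
        if port_filter and p.sport not in IRC_PORTS and p.dport not in IRC_PORTS:
            continue  # a bot on a random port is invisible to the port filter
        sig = match_signature(p.payload)
        if sig is not None:
            hits.append((p.ts, p.dst, sig))
    return hits


def idle_responders(packets: List[Packet], react_window: float = 2.0,
                    idle_gap: float = 300.0) -> List[str]:
    """Behavioural heuristic after Racine [40]: a host that stays idle for long
    stretches and only transmits shortly after receiving a message looks like a
    bot waiting for instructions rather than a person chatting."""
    outgoing: Dict[str, List[float]] = defaultdict(list)
    incoming: Dict[str, List[float]] = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        outgoing[p.src].append(p.ts)
        incoming[p.dst].append(p.ts)

    flagged = []
    for host, sends in outgoing.items():
        if len(sends) < 2:
            continue  # too little activity to judge idleness
        recvs = incoming.get(host, [])
        reactive = 0
        for t in sends:
            i = bisect_right(recvs, t)  # recvs[i-1] is the last message received before t
            if i > 0 and t - recvs[i - 1] <= react_window:
                reactive += 1
        min_gap = min(b - a for a, b in zip(sends, sends[1:]))
        if reactive / len(sends) >= 0.8 and min_gap >= idle_gap:
            flagged.append(host)
    return sorted(flagged)


SERVER = "198.51.100.7"
TRACE = [  # constructed trace, not captured data
    # bot on the standard IRC port: idle, answers only when commanded
    Packet(0.0, SERVER, 6667, "10.0.0.5", 51234, b"PING :srv"),
    Packet(0.3, "10.0.0.5", 51234, SERVER, 6667, b"PONG :srv"),
    Packet(600.0, SERVER, 6667, "10.0.0.5", 51234, b"PRIVMSG #c :.scan.start 10.0.0.0/24"),
    Packet(600.4, "10.0.0.5", 51234, SERVER, 6667, b"PRIVMSG #c :scan started"),
    Packet(1800.0, SERVER, 6667, "10.0.0.5", 51234, b"PRIVMSG #c :.update http://example.invalid/b"),
    Packet(1800.2, "10.0.0.5", 51234, SERVER, 6667, b"PRIVMSG #c :update ok"),
    # a person chatting on the same server
    Packet(5.0, "10.0.0.8", 51300, SERVER, 6667, b"PRIVMSG #chat :hello"),
    Packet(20.0, "10.0.0.8", 51300, SERVER, 6667, b"PRIVMSG #chat :anyone here?"),
    Packet(25.0, SERVER, 6667, "10.0.0.8", 51300, b"PRIVMSG #chat :yes"),
    Packet(30.0, "10.0.0.8", 51300, SERVER, 6667, b"PRIVMSG #chat :great"),
    Packet(40.0, "10.0.0.8", 51300, SERVER, 6667, b"PRIVMSG #chat :bye"),
    # bot commanded over a non-standard port
    Packet(700.0, SERVER, 31337, "10.0.0.9", 40000, b"PRIVMSG #c :.scan.start 10.0.1.0/24"),
    Packet(700.3, "10.0.0.9", 40000, SERVER, 31337, b"PRIVMSG #c :ok"),
]

if __name__ == "__main__":
    print("port-filtered hits:", detect_signatures(TRACE))
    print("payload-only hits: ", detect_signatures(TRACE, port_filter=False))
    print("idle responders:   ", idle_responders(TRACE))
```

With the port filter on, only the commands sent to 10.0.0.5 are found; dropping the filter also catches the command on port 31337, at the cost of inspecting every flow. The behavioural check flags 10.0.0.5 and not the chatting host, but it cannot judge 10.0.0.9, which sent a single packet; that is the kind of gap behind the high false-positive (and false-negative) rate the paragraph mentions.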

There are other existing methodologies for IRC-based botnet detection. Barford et al. [17] proposed some approaches based on source code analysis. Rajab et al. [11] introduced a modified IRC client called IRC Tracker, which was able to connect to the IRC channel and respond to queries automatically. Given a fingerprint and the relevant template, the IRC Tracker could instantiate a new IRC session with the IRC server [11]. Unless the botmaster discovers the tracker's true identity, it appears as a fully functional bot on the Internet and runs all malicious commands, including the responses to the attacker [11]. Next we introduce some detection methods against IRC-based botnets.

4.2.1 Detection based on traffic analysis

Signatures are a technology often used in anomaly detection. The basic idea is to extract information about packet features and traffic patterns and match it against a knowledge base of existing bots. Apparently, this is easy to carry out by a simple comparison of each byte in the packet, but it also comes with several disadvantages [45]. First, it is unable to identify bots that have not been defined [45]. Secondly, the knowledge base must always be updated with new signatures, which increases management costs and reduces performance [45]. Third, bots could launch new attacks before their signatures are added to the knowledge base [45].

Based on the characteristics of IRC, some other botnet detection techniques have arisen. Basically, two types of actions are involved in normal IRC communication. One is interactive commands and the other is message exchange [45]. If we can identify the operation of IRC with a particular program, it is possible to detect a botnet attack [45]. For example, if private information is copied elsewhere by some IRC commands, we claim the system is under attack, since normal chat behavior never does that [45]. Moreover, traffic can be encrypted or concealed by network noise [21]. Either situation will make the bots invisible.

In [45], the authors observed real traffic on IRC communication ports ranging from 6666 to 6669. They found that some IRC clients sent login information while the server rejected the connection [45]. Based on the experimental result, they argued that bots will repeat these actions at certain intervals after being rejected by the IRC server, and that the time intervals differ [45]. However, no real IRC botnet attack was carried out in their experiment. Extending their achievements is a possible future work.

In [49], P. Sroufe et al. proposed an alternative method for the detection of botnets. Their approach can efficiently and automatically identify spam bots. The idea is to extract the main shape of an e-mail (the lines and the number of characters in each line) by applying Gaussian kernel density estimation [49]. E-mails with similar shapes are suspect. However, the authors did not show how to detect botnets using this method. It may be another future work worthy of study.

4.2.2 Activity-based Anomaly Detection

In [21], the authors propose an algorithm for botnet-based anomaly detection. IRC mesh features are combined with TCP-based integrated anomaly detection. First, a large number of TCP packets with respect to the IRC hosts are observed and recorded. Based on the ratio of the total number of TCP control packets (e.g., SYN, SYNACK, FIN and RST) to the total number of TCP packets, they are able to detect some anomalous activities [21]. They called this ratio the TCP work weight and claimed that a high value implies a potential attack by a scanner or worm [21]. However, this mechanism cannot work if the IRC commands are encrypted, as discussed in [21].
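The TCP work weight described above, computed per source host, as an added example that is not code from the paper or from [21]. The flag bit values are those of the TCP header; the segment list, the host addresses, the detection threshold and the minimum segment count are assumptions made for the illustration.

```python
"""Added example, not from the paper: the TCP work weight of [21], i.e. the
share of control segments (SYN, SYN/ACK, FIN, RST) among all TCP segments a
host sends, computed over a constructed segment list."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class Seg(NamedTuple):
    src: str
    dst: str
    dport: int
    flags: int


def is_control(flags: int) -> bool:
    """SYN, SYN/ACK, FIN and RST segments carry no application data; they are
    the 'control packets' counted in the numerator of the work weight."""
    return bool(flags & (SYN | FIN | RST))


def work_weights(segs: List[Seg]) -> Dict[str, Tuple[int, int, float]]:
    """Per source host: (control segments, total segments, work weight)."""
    control: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for s in segs:
        total[s.src] += 1
        if is_control(s.flags):
            control[s.src] += 1
    return {h: (control[h], total[h], control[h] / total[h]) for h in total}


def suspicious_hosts(segs: List[Seg], threshold: float = 0.5,
                     min_segments: int = 20) -> List[str]:
    """Hosts whose work weight is high: a scanner or worm emits mostly SYNs
    (and receives RSTs), whereas a chatting IRC client emits mostly data."""
    return sorted(h for h, (_c, n, w) in work_weights(segs).items()
                  if n >= min_segments and w >= threshold)


def _conn(src: str, dst: str, dport: int, data_segments: int) -> List[Seg]:
    """Client side of one well-behaved connection: handshake, data, close."""
    out = [Seg(src, dst, dport, SYN), Seg(src, dst, dport, ACK)]
    out += [Seg(src, dst, dport, PSH | ACK)] * data_segments
    out.append(Seg(src, dst, dport, FIN | ACK))
    return out


IRC_SERVER = "198.51.100.7"  # constructed address
TRACE = (
    # 10.0.0.8: one IRC session with 20 data segments -> low work weight
    _conn("10.0.0.8", IRC_SERVER, 6667, 20)
    # 10.0.0.5: sweeps a /24 with bare SYNs, plus a short IRC session
    + [Seg("10.0.0.5", f"10.0.1.{i}", 445, SYN) for i in range(1, 51)]
    + _conn("10.0.0.5", IRC_SERVER, 6667, 2)
)

if __name__ == "__main__":
    for host, (c, n, w) in work_weights(TRACE).items():
        print(f"{host}: {c}/{n} control segments, work weight {w:.3f}")
    print("suspicious:", suspicious_hosts(TRACE))
```

The chatting host ends up near 0.09 (two control segments out of 23), the scanning host near 0.95, so a threshold of 0.5 separates them cleanly here. A bot that only talks to its IRC server and never scans has a low work weight too, which is why [21] pairs this ratio with the IRC features rather than using it alone.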

4.3 DNS Monitoring

Since bots usually send DNS queries to reach the C2 servers, if we are able to intercept their domain names, botnet traffic can be captured by a blacklist of domain names [41, 42]. In fact, this also provides an important secondary route to take down botnets by disabling their ability to spread [11]. H. Choi et al. [41] have discussed the DNS features of botnets. According to their analysis, botnet DNS queries can be easily distinguished from legitimate ones [41]. First, only bots send DNS queries for the C2 domain servers, which legitimate hosts never do [41]. Secondly, the members of a botnet act together, migrating simultaneously and issuing their DNS queries at the same time, while legitimate DNS queries occur continuously and vary, unlike those of a botnet [41]. Third, legitimate hosts will rarely use DDNS, while botnets typically use DDNS for their C2 servers [41]. Based on the above elements, they developed an algorithm to identify botnet DNS queries [41]. Its main idea is to calculate the similarity of group activities and then distinguish botnets from legitimate hosts on the basis of this value. The similarity value is defined as 0.5 (C/A + C/B), where A and B represent the sizes of two lists of IP addresses that have queried the same domain name, and C represents the number of IP addresses common to both lists [41]. If the value approaches one, the common domain is suspect [41].
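The group-activity similarity of Choi et al. [41] as just defined, computed over a constructed DNS query log, as an added example that is not code from the paper or from [41]. The log lines, the host addresses, the domain names and the thresholds are assumptions for the illustration; the log has one group of four hosts that queries a dynamic-DNS name and later migrates together to a second one, alongside ordinary browsing that overlaps only partially.

```python
"""Added example, not from the paper: H. Choi et al. [41] group-activity
similarity 0.5 * (C/A + C/B) over a constructed DNS query log."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed query log (timestamp, client IP, queried name); not captured data.
DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.5 c2a.dyn.example
2024-03-01T09:00:01 10.0.0.6 c2a.dyn.example
2024-03-01T09:00:02 10.0.0.7 c2a.dyn.example
2024-03-01T09:00:02 10.0.0.9 c2a.dyn.example
2024-03-01T09:03:10 10.0.0.8 www.example.com
2024-03-01T09:05:44 10.0.0.10 www.example.com
2024-03-01T09:07:12 10.0.0.5 www.example.com
2024-03-01T09:20:00 10.0.0.8 news.example.org
2024-03-01T09:21:30 10.0.0.10 news.example.org
2024-03-01T09:22:05 10.0.0.11 news.example.org
2024-03-01T10:00:00 10.0.0.5 c2b.dyn.example
2024-03-01T10:00:00 10.0.0.6 c2b.dyn.example
2024-03-01T10:00:01 10.0.0.7 c2b.dyn.example
2024-03-01T10:00:01 10.0.0.9 c2b.dyn.example
"""


def ips_by_domain(log: str) -> Dict[str, Set[str]]:
    """Group the querying IP addresses by queried name (the lists A and B)."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        _ts, client, qname = line.split()
        groups[qname.lower()].add(client)
    return dict(groups)


def group_similarity(a: Set[str], b: Set[str]) -> float:
    """0.5 * (C/A + C/B) with C = |a & b|. Identical groups score 1.0,
    disjoint groups 0.0; an empty list is defined to score 0.0."""
    if not a or not b:
        return 0.0
    c = len(a & b)
    return 0.5 * (c / len(a) + c / len(b))


def suspicious_domain_pairs(groups: Dict[str, Set[str]], threshold: float = 0.9,
                            min_group: int = 3) -> List[Tuple[str, str, float]]:
    """Pairs of names queried by (nearly) the same group of hosts. min_group
    keeps two-host coincidences from scoring 1.0 by chance."""
    pairs = []
    for d1, d2 in combinations(sorted(groups), 2):
        a, b = groups[d1], groups[d2]
        if len(a) < min_group or len(b) < min_group:
            continue
        s = group_similarity(a, b)
        if s >= threshold:
            pairs.append((d1, d2, s))
    return pairs


if __name__ == "__main__":
    g = ips_by_domain(DNS_LOG)
    for d1, d2 in combinations(sorted(g), 2):
        print(f"{d1:18} {d2:18} {group_similarity(g[d1], g[d2]):.3f}")
    print("suspect pairs:", suspicious_domain_pairs(g))
```

The two dynamic-DNS names score exactly 1.0 (the same four hosts, moving together), the two ordinary sites score 2/3 because two people visit both, and a bot that also browses the web only lifts the C2/web pair to 7/24. The gap between "high because people share interests" and "one because a group moves in lockstep" is what the threshold has to capture.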

There are also other approaches. Dagon et al. [42] presented a method that examines the query rates of DDNS domains. Abnormally high or temporally concentrated rates are suspect, because attackers change their C2 servers very often [44]. They used both the Mahalanobis distance and Chebyshev's inequality to quantify how anomalous a rate is [44]. Schonewille et al. [43] found that when C2 servers had been taken down, DDNS often returned a name error response. Hosts that repeatedly make such queries could be infected and are therefore suspect [43]. In [44], the authors assessed the above two methods through real-world experiments. They argued that Dagon's approach was not as effective, as it misranked some short-TTL C2 domains, while Schonewille's comparative method was effective because it is independent of the individual names suspected [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It can automatically detect botnets of any structure. RB-Seeker first collects information on bot redirection activities (e.g., temporal and spatial characteristics) from two subsystems. Then it uses a DNS query statistical methodology and a probing technique to distinguish malicious from legitimate domains. The experiment shows that RB-Seeker is an effective tool for detecting both aggressive and stealthy botnets.
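Two of the DDNS heuristics summarized above, as an added example that is not code from the paper or from [42]/[43]: the per-interval query rate of a name scored with Chebyshev's inequality (Dagon et al.), and hosts that repeatedly receive a name error for the same name (Schonewille et al.). The per-interval counts, the log lines, the addresses, the baseline length and the thresholds are constructed for the illustration; the Mahalanobis-distance variant of [42] is not shown.

```python
"""Added example, not from the paper: a Chebyshev-bounded query-rate
anomaly check after Dagon et al. [42] and a repeated-name-error check after
Schonewille et al. [43], both over constructed data."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Queries per 5-minute bin for one DDNS name (constructed). The first ten bins
# are quiet; bin 11 is a burst such as a botnet re-resolving a moved C2 name.
RATE_BINS = [3, 4, 2, 5, 3, 4, 3, 4, 3, 5, 4, 60, 3]


def chebyshev_anomalies(counts: List[int], baseline_len: int,
                        k: float = 4.0) -> Tuple[float, float, List[Tuple[int, int, float, float]]]:
    """Estimate mean and standard deviation from the first baseline_len bins,
    then flag later bins at least k standard deviations away. Chebyshev's
    inequality, P(|X - mu| >= k*sigma) <= 1/k^2, bounds how often a benign
    rate could land that far out whatever its distribution, so 1/k^2 is
    reported with each hit as the worst-case false-alarm probability."""
    base = counts[:baseline_len]
    mu = sum(base) / len(base)
    sigma = math.sqrt(sum((x - mu) ** 2 for x in base) / len(base))
    flagged = []
    for i in range(baseline_len, len(counts)):
        dev = abs(counts[i] - mu)
        if sigma == 0:
            z = math.inf if dev > 0 else 0.0  # a flat baseline makes any change anomalous
        else:
            z = dev / sigma
        if z >= k:
            flagged.append((i, counts[i], round(z, 2), 1.0 / k ** 2))
    return mu, sigma, flagged


# Constructed resolver log (timestamp, client, name, response code).
NXDOMAIN_LOG = """\
2024-03-01T11:00:00 10.0.0.5 c2b.dyn.example NXDOMAIN
2024-03-01T11:10:00 10.0.0.5 c2b.dyn.example NXDOMAIN
2024-03-01T11:20:00 10.0.0.5 c2b.dyn.example NXDOMAIN
2024-03-01T11:30:00 10.0.0.5 c2b.dyn.example NXDOMAIN
2024-03-01T11:00:00 10.0.0.6 c2b.dyn.example NXDOMAIN
2024-03-01T11:10:00 10.0.0.6 c2b.dyn.example NXDOMAIN
2024-03-01T11:20:00 10.0.0.6 c2b.dyn.example NXDOMAIN
2024-03-01T11:05:00 10.0.0.8 wwww.example.com NXDOMAIN
2024-03-01T11:06:00 10.0.0.8 www.example.com NOERROR
2024-03-01T11:15:00 10.0.0.10 www.example.com NOERROR
"""


def repeated_name_errors(log: str, min_repeats: int = 3) -> Dict[str, List[Tuple[str, int]]]:
    """Hosts that keep asking for a name the resolver says does not exist.
    A person mistypes once; a bot whose C2 name was taken down retries on a
    schedule, which is the signal [43] relies on."""
    hits: Counter = Counter()
    for line in log.splitlines():
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            hits[(client, qname.lower())] += 1
    suspects: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for (client, qname), n in sorted(hits.items()):
        if n >= min_repeats:
            suspects[client].append((qname, n))
    return dict(suspects)


if __name__ == "__main__":
    mu, sigma, flagged = chebyshev_anomalies(RATE_BINS, baseline_len=10)
    print(f"baseline mean {mu:.2f}, std {sigma:.2f}; flagged bins: {flagged}")
    print("repeated name errors:", repeated_name_errors(NXDOMAIN_LOG))
```

On this data the baseline mean is 3.6 with a standard deviation of about 0.92, so the burst of 60 sits over 60 standard deviations out and is flagged with a Chebyshev bound of 1/16; the second check flags the two hosts that keep retrying the dead name and leaves the one-off typo alone. The comparison in [44] is visible in miniature: the rate check depends on a sensible baseline and TTL, while the name-error check needs no model of which names are bad.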

5. STRONG CRYPTOGRAPHY

5.1 A tamper-proof command and update scheme

A vital aspect of botnet administration is the authenticity and integrity of the commands. A bot shall only accept commands issued by the botmaster. In current botnets, botmasters frequently use only a very weak form of authentication, for example a simple password scheme before sending the corresponding command. Although some botnets use stronger authentication schemes, these can typically be broken; for example, Storm Worm uses 64-bit RSA, which can be defeated. In centralized IRC botnets, this lack of authenticity could for example be overcome by patching the IRC server used for distributing commands so that only the botmaster can send messages to the designated channel. However, in a decentralized peer-to-peer network, a botmaster must ensure that none of the hostile parties, such as the operators of other botnets or botnet defenders, can poison the botnet by injecting malicious commands.

Asymmetric cryptography offers a simple but effective way to do this: before releasing a bot into the wild, the botmaster creates a public/private key pair, the public half of which is hard-coded into the bot binary. Doing so allows the botmaster to securely sign all commands or files using the private key. All peers in the botnet are able to verify the commands using the embedded public key, but given a reasonable key length (e.g., 2048-bit RSA), no defender will manage to forge the signature.

5.2 Renting a botnet

With the help of asymmetric cryptography, a botmaster can assume the role of a trusted certificate authority, which provides an efficient way to rent the botnet, or parts of it, to other parties for a varying amount of time, and to protect against certain malicious tenants. To do so, it is advisable to implement a "blacklist" containing all invalidated public keys. This blacklist is stored on the computer of each bot, and only the botmaster can add or remove public keys, using its private key to sign the order. Therefore, all certificates belonging to an attacker may be revoked.

However, this blacklist is of little use against attacks that require only a short time to be carried out successfully. For example, a malicious tenant could buy a botnet certificate to distribute spam and abuse it by ordering all bots to send an e-mail to a specified address, thereby revealing their IP addresses or other sensitive data. Indeed, an attacker could conveniently obtain valuable information about the size of the botnet, as well as its overall structure. Therefore, renting a botnet should be considered an option that a botmaster uses cautiously.

6. SAFEGUARDS

Conventional worms launched from a single host need only a couple of hours to spread around the globe. If the worms use a botnet of several hosts at the same time, they are capable of infecting most vulnerable hosts around the world within minutes [7]. Some botnets have been discussed in the previous sections. However, many are still unknown to us. How to minimize the risk caused by botnets in the future is the topic discussed in this section.

6.1 Countermeasures against botnet attacks

Unfortunately, few solutions exist so far for a host to defend against a botnet denial-of-service attack [3]. Although it is difficult to find patterns of malicious hosts, network administrators can identify botnet attacks based on passive fingerprinting technology drawn from the firewall logs of the last attacked machines [3]. The life cycle of a botnet tells us that bots often use free DNS hosting services to redirect a subdomain to an unreachable IP address zone. Therefore, eliminating these services can take down a botnet [3]. Today, many security companies focus on offerings to stop botnets [3]. Some of them protect consumers, while most others are designed for ISPs or companies [3]. Individual products try to identify bot behavior through anti-virus software. Corporate products have nothing better than null-routing DNS entries and shutting down the IRC and other key servers after a botnet attack has been identified [3].

6.2 Public Countermeasures

Personal or corporate security inevitably depends on one's communication partners [7]. Building a good relationship with partners is essential. First, one must continuously ask the service provider for security packages, such as firewalls, anti-virus toolkits, intrusion detection, etc. [7]. Once something goes wrong, there should be an appropriate telephone number to call [7]. Secondly, one must also pay close attention to network traffic and report to the ISP if attacked by a DDoS attack. The ISP can help block malicious IP addresses [7]. Third, it is better to establish accountability in the system, together with authorized law enforcement [7]. More specifically, academics and industry have proposed some strategies for home users and system administrators to prevent, detect and respond to botnet attacks [16, 18]. Here we summarize their suggestions.

6.2.1 Home users

TABLE II: PREVENTION RULES FOR HOME USERS [18]

Type                  Strategies
Personal habits       Be careful about what you download
                      Avoid installing unnecessary software
                      Read carefully before you click
Routine               Use anti-virus / anti-trojan utilities
                      Update the system frequently
                      Shut down the PC when you leave
Optional operations   Back up all systems regularly
                      Keep all software updated
                      Deploy a personal firewall

6.2.2 System administrators

Similarly, there are corresponding rules for system administrators to prevent, detect and respond to botnet attacks [16, 18]. As prevention, the administrator must follow the vendors' guidelines for updating the system and its applications [18], keep abreast of the latest vulnerabilities, apply access control, and use log files to establish accountability [18]. As illustrated in Table III, these measures help the system administrator minimize the possibility of botnet attacks.

TABLE III: SCREENING RULES FOR SYSTEM ADMINISTRATORS [18]

Rules                            Notes
Monitor the logs regularly       Analyze Internet traffic for anomalies
Use a network packet sniffer     Identify malicious traffic on the intranet
Isolate the malicious subnet     Check the IRC activity on the hosts
Scan each machine                They may contain malware

Once an attack is detected, the system administrator must isolate the affected hosts and notify their users [16]. Next, the data on the infected hosts, including the log files, must be preserved [16]. In addition, the number of victims should be established with sniffer tools [16]. Finally, the infection should be reported to a security consultant [16].
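The screening rules of Section 6.1 (passive fingerprinting of firewall records) and of Table III (monitor the logs, check IRC activity on the hosts, isolate the malicious subnet) can be applied mechanically to an ordinary connection log. The script below is an added example written for this page, not code from the surveyed papers or from any product they mention. It assumes a constructed log format of "timestamp src dst dport proto bytes", an internal range of 10.0.0.0/8, the conventional IRC ports 6667 and 6697, and sample log lines that were made up for the example; none of these come from the paper.

```python
"""Botnet indicator screening over constructed connection-log lines.

Added example for this page. Two of the Table III rules are implemented:
flag internal hosts that talk to IRC ports, and find groups of internal hosts
that contact the same external endpoint with clock-like (beacon) timing,
which is what a shared C&C channel looks like in a firewall log.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample modelled on a firewall connection log; not real traffic.
# Hosts 10.0.1.5-7 all reach 203.0.113.7:6667 every 30 s; 10.0.2.x is benign.
SAMPLE_LOG = """\
2009-03-01T10:00:00 10.0.1.5 203.0.113.7 6667 tcp 412
2009-03-01T10:00:00 10.0.1.6 203.0.113.7 6667 tcp 398
2009-03-01T10:00:01 10.0.1.7 203.0.113.7 6667 tcp 401
2009-03-01T10:00:30 10.0.1.5 203.0.113.7 6667 tcp 88
2009-03-01T10:00:30 10.0.1.6 203.0.113.7 6667 tcp 90
2009-03-01T10:00:31 10.0.1.7 203.0.113.7 6667 tcp 91
2009-03-01T10:01:00 10.0.1.5 203.0.113.7 6667 tcp 87
2009-03-01T10:01:00 10.0.1.6 203.0.113.7 6667 tcp 89
2009-03-01T10:01:01 10.0.1.7 203.0.113.7 6667 tcp 88
2009-03-01T10:00:12 10.0.2.9 198.51.100.20 443 tcp 15320
2009-03-01T10:07:45 10.0.2.9 198.51.100.21 80 tcp 2210
2009-03-01T10:09:03 10.0.2.11 198.51.100.22 80 tcp 7710
"""

INTERNAL = ip_network("10.0.0.0/8")   # assumed intranet range
IRC_PORTS = {6667, 6697}              # conventional IRC / IRC-over-TLS ports


def parse_log(text):
    """Parse 'ts src dst dport proto bytes' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "src": ip_address(src),
                "dst": ip_address(dst),
                "dport": int(dport),
                "proto": proto,
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return records


def irc_hosts(records):
    """Table III rule 'check the IRC activity on the hosts'."""
    return sorted({str(r["src"]) for r in records
                   if r["src"] in INTERNAL and r["dport"] in IRC_PORTS})


def beaconing_groups(records, min_hosts=3, min_conns=3, max_jitter=0.2):
    """Table III rule 'analyze traffic for anomalies': several internal hosts
    contacting one external endpoint at near-constant intervals.
    Returns {(dst, dport): [hosts]} for endpoints that look like a shared C&C."""
    by_flow = defaultdict(list)
    for r in records:
        if r["src"] in INTERNAL and r["dst"] not in INTERNAL:
            by_flow[(str(r["src"]), str(r["dst"]), r["dport"])].append(r["ts"])
    groups = defaultdict(list)
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low coefficient of variation of the gaps means clock-like beaconing.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            groups[(dst, dport)].append(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


def subnets_to_isolate(hosts, prefix=24):
    """Table III rule 'isolate the malicious subnet': collapse suspects to /prefix."""
    return sorted({str(ip_network(f"{h}/{prefix}", strict=False)) for h in hosts})


def screen(text):
    """Run all rules over one log and return the findings as a dict."""
    records = parse_log(text)
    groups = beaconing_groups(records)
    suspects = sorted({h for hosts in groups.values() for h in hosts}
                      | set(irc_hosts(records)))
    return {
        "irc_hosts": irc_hosts(records),
        "cnc_candidates": groups,
        "suspect_hosts": suspects,
        "subnets": subnets_to_isolate(suspects),
    }


if __name__ == "__main__":
    for key, value in screen(SAMPLE_LOG).items():
        print(key, value)
```

The port check is the weakest rule: a bot that runs its IRC channel on a nonstandard port never trips it, which is why the beaconing rule is deliberately port-agnostic. The thresholds (three hosts, three connections, 20% jitter) are starting points that must be tuned per network, and legitimate software such as update agents or time clients also beacons, so a hit is a lead for the packet-sniffer step of Table III rather than a verdict.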

7. CONCLUSIONS AND FUTURE CHALLENGES

To better understand botnets and ultimately stop their attacks, we surveyed current botnet research. The discussion covered the formation and operation of botnets and two typical topologies.

According to the analysis in Section 2, we have gained several insights into the different topologies. For IRC-based botnets, the decisive point is that the source code of most bots can be obtained, so in-depth analysis of their behaviour at the network level and the system level is largely complete. For P2P-based botnets, the following practical challenges (seen from the botmaster's side) must be taken into account: (1) keeping the remaining bots after some have been captured by defenders, (2) hiding the botnet topology when some bots are captured by defenders, (3) managing the botnet more easily, and (4) changing traffic patterns more often to make detection harder.

As we can see, detecting and monitoring the compromised hosts of a botnet will be a difficult task. Traffic fingerprinting is useful for identifying botnets. However, just like the signature technologies of Section 3, its disadvantages are obvious: we would need an up-to-date knowledge base covering every bot in the wild, which seems to be an impossible mission. Anomaly detection is another viable approach; however, when infected hosts do not behave unusually, it may fail to detect a potential threat. Since current detection technology depends on an attack having already happened, there is no guarantee that we will find all compromised hosts. An interesting question about anomaly detection is time efficiency: if an attack occurs and we can capture the anomaly early and resolve the related problems before the hosts are used for malicious purposes, we call this time-efficient anomaly detection. Future work should focus on time efficiency.

In the wireless context, especially for ad hoc networks, we have not found related research on either attacking or defending so far. There are many open issues: (1) how to find the shortest route to the attack targets, (2) how to keep compromised hosts from being detected in the wireless network, and (3) how to spread bots across the wireless network, especially before some of the computers go offline.

Some other open issues of interest should also be considered. To the best of our knowledge, we cannot yet prevent DDoS attacks from botnets. Even once an attack is under way, there are no effective means to trace and fight it; instead, one simply shuts down the compromised hosts or disconnects them from the network and waits for further steps such as virus scanning or reinstalling the operating system. In fact, what we really need is to prevent the spread of bots in the first place. Perhaps the only effective method to eliminate botnets is the deployment of new protocols in routers worldwide, but that is an enormous project and beyond reality. So why not consider installing such a mechanism on a local gateway? If the gateway could block bot communication across several domains, the attacker could not easily manage the compromised machines around the world. Meanwhile, the gateway could tell us where the malicious commands came from; based on the abundant evidence in the network, it might be possible to trace the original attack. However, this idea is very difficult to implement for the following reasons: (1) it is hard to distinguish malicious packets in the traffic flow, (2) cooperation between domains is not easy, and one must consider that some gateways may themselves be compromised, and (3) how to trace the possible attacker, and what should be recorded for further analysis, still need to be studied.

REFERENCES

[1] K. Ono, I. Kawaishi and T. Kamon, "Trend of botnet activities," in 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, Canada, October 2007, pp. 243-249.

[2] Wikipedia, "Internet bot" [Online]. Available: http://en.wikipedia.org/wiki/Internet_bot

[3] Wikipedia, "Botnet" [Online]. Available: http://en.wikipedia.org/wiki/Botnet

[4] B. Thuraisingham, "Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic," in IEEE International Conference on Intelligence and Security Informatics (ISI 2008), Taipei, Taiwan, June 2008, pp. xxix-xxx.

[5] C. Mazzariello, "IRC traffic analysis for botnet detection," in 4th International Conference on Information Assurance and Security, Naples, Italy, September 2008, pp. 318-323.

[6] B. McCarty, "Botnets: Big and bigger," IEEE Security & Privacy, vol. 1, no. 4, pp. 87-90, July 2003.

[7] G. P. Schaffer, "Worms and viruses and botnets, oh my!: Rational responses to emerging Internet threats," IEEE Security & Privacy, vol. 4, no. 3, pp. 52-58, May 2006.

[8] J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the source," in ICNP '02: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, November 2002, pp. 312-321.

[9] P. Bacher, T. Holz, M. Kotter and G. Wicherski, "Know your enemy: Tracking botnets" [Online]. Available: http://www.honeynet.org/papers/bots/

[10] T. Holz, S. Marechal and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, pp. 72-75, March/April 2006.

[11] M. A. Rajab, J. Zarfoss, F. Monrose and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil, October 2006, pp. 41-52.

[12] E. Levy, "The making of a spam zombie army: Dissecting the Sobig worms," IEEE Security & Privacy, vol. 1, no. 4, pp. 58-59, July 2003.

[13] D. Cook, J. Hartnett, K. Manderson and J. Scanlan, "Catching spam before it arrives: Domain specific dynamic blacklists," in Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Hobart, Australia, January 2006, pp. 193-202.

[14] J. Jung and E. Sit, "An empirical study of spam traffic and the use of DNS black lists," in IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Italy, October 2004, pp. 370-375.

[15] A. Ramachandran, N. Feamster and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Volume 2, San Jose, USA, 2006, pp. 8-8.

[16] J. Govil, "Examining the criminology of bot zoo," in 6th International Conference on Information, Communications and Signal Processing, Singapore, December 2007, pp. 1-6.

[17] P. Barford and V. Yegneswaran, "An inside look at botnets," in Advances in Information Security series, Springer, 2006.

[18] R. Puri, "Bots and botnets: An overview," Technical report, SANS Institute, 2003.

[19] W. T. Strayer, R. Walsh, C. Livadas and D. Lapsley, "Detecting botnets with tight command and control," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 195-202.

[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior," in Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington DC, USA, January 2007, pp. 82-82.

[21] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), San Jose, USA, 2006, pp. 7-7.

[22] E. Cooke, F. Jahanian and D. McPherson, "The Zombie Roundup: Understanding, detecting, and disrupting botnets," in Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Cambridge, USA, 2005, pp. 6-6.

[23] C. Livadas, R. Walsh, D. Lapsley and W. T. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 967-974.

[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm," in Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, USA, April 2008, pp. 1-9.

[25] P. Wang, S. Sparks and C. C. Zou, "An advanced hybrid peer-to-peer botnet," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 2-2.

[26] R. Lemos, "Bot software looks to improve peerage" [Online]. Available: http://www.securityfocus.com/news/11390

[27] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy, vol. 1, no. 1, pp. 82-87, January 2003.

[28] J. Stewart, "Sinit P2P Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/sinit/

[29] J. Stewart, "Phatbot Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/phatbot

[30] F. C. Freiling, T. Holz and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," Lecture Notes in Computer Science, vol. 3679, Springer-Verlag, Germany, 2005, pp. 319-335.

[31] K. Chiang and L. Lloyd, "A case study of the Rustock rootkit and spam bot," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 10-10.

[32] A. Brodsky and D. Brodsky, "A distributed content independent method for spam detection," in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 3-3.

[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten and I. Osipkov, "Spamming botnets: Signatures and characteristics," in Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, Seattle, USA, August 2008, pp. 171-182.

[34] C. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," in 2006 International Conference on Dependable Systems and Networks, Philadelphia, USA, June 2006, pp. 199-208.

[35] J. Corey, "Advanced honey pot identification and exploitation" [Online]. Available: http://www.phrack.org/fakes/p63/p63-0x09.txt, 2004.

[36] K. Seifried, "Honeypotting with VMware basics" [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.

[37] Honeyd Security Advisory 2004-001, "Remote detection via simple probe packet" [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.

[38] J. Bethencourt, J. Franklin and M. Vernon, "Mapping Internet sensors with probe response attacks," in Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, August 2005, pp. 193-208.

[39] N. Krawetz, "Anti-honeypot technology," IEEE Security & Privacy, vol. 2, no. 1, pp. 76-79, January 2004.

[40] S. Racine, "Analysis of Internet Relay Chat usage by DDoS zombies," Master's thesis, Swiss Federal Institute of Technology Zurich, April 2004.

[41] H. Choi, H. Lee, H. Lee and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Washington DC, USA, October 2007, pp. 715-720.

[42] D. Dagon, "Botnet detection and response: The network is the infection" [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf, 2005.

[43] A. Schonewille and D. J. van Helmond, "The Domain Name Service as an IDS," Master project, University of Amsterdam, Netherlands, February 2006. Available: http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

[44] R. Villamarín-Salomón and J. C. Brustoloni, "Identifying botnets using anomaly detection techniques applied to DNS traffic," in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, Las Vegas, USA, January 2008, pp. 476-481.

[45] Y. Kugisaki, Y. Kasahara, Y. Hori and K. Sakurai, "Bot detection based on traffic analysis," in Proceedings of the 2007 International Conference on Intelligent Pervasive Computing, Washington DC, USA, October 2007, pp. 303-306.

[46] C. Langin, H. Zhou and S. Rahimi, "A model to use denied Internet traffic to indirectly discover internal network security problems," draft submitted to WIDA08.

[47] K. Pappas, "Back to basics to fight botnets," Communications News, vol. 45, no. 5, p. 12, May 2008.

[48] X. Hu, M. Knysz and K. G. Shin, "RB-Seeker: Auto-detection of redirection botnets," in Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS '09), February 2009.

[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu and J. Cangussu, "Email shape analysis for spam botnet detection," in Consumer Communications and Networking Conference (CCNC 2009), January 2009, pp. 1-2.

About the Authors

1. G. Satyavathy, Lecturer, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.
2. Dr. M. Punithavalli, Director and Head, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.


Printed from: http://www.weightlosshelpnow.info/weight-loss-tracker-template/.
© 2012.
