Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation

In this paper, we describe a simple yet effective method to detect bot-infected machines within a given network that relies on detecting the communication channel between a bot and its Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which classical intrusion detection systems commonly miss. Upon detection, it is possible to determine the IP address of the C&C server, as well as the channels the bot joined and the additional parameters that were set. The software Rishi implements the mentioned features and is able to automatically generate warning emails that report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
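The following is an added illustration of the nickname-scoring idea described above; it is example code written for this page, not Rishi's own implementation or rule set. The scoring rules (country-code prefix, long digit runs, separator characters, a trigram check against a small constructed baseline of benign nicknames, and a bonus for non-standard server ports), the point values, the threshold, the `BENIGN_NICKS` baseline and the `SAMPLE_LINES` traffic are all assumptions made up for the example. It correlates the client side of each IRC session so that, for a flagged host, the C&C server address and port, the channels joined, and any extra JOIN parameters are reported together.

```python
import re
from collections import defaultdict

# Constructed baseline of ordinary, human-chosen nicknames used to learn "normal"
# character trigrams. In a real deployment this would be built from observed benign
# traffic; these values are made up for the example.
BENIGN_NICKS = ["alice", "bob", "charlie", "dave_work", "eve123", "mallory", "trent"]

def trigrams(s):
    """Set of character 3-grams of a string (empty for strings shorter than 3)."""
    return {s[i:i + 3] for i in range(len(s) - 2)}

BENIGN_TRIGRAMS = set().union(*(trigrams(n.lower()) for n in BENIGN_NICKS))

# Ports on which legitimate IRC servers usually listen (assumption for the example).
COMMON_IRC_PORTS = set(range(6660, 6670)) | {7000}

# Assumed scoring rules, not the paper's actual rule set: each rule that fires adds
# points, and a nickname reaching THRESHOLD is reported.
THRESHOLD = 4

def score_nickname(nick, server_port):
    """Return (score, reasons) for one nickname seen on a connection to server_port."""
    score, reasons = 0, []
    # Bot nicknames often embed an upper-case country code followed by a separator, e.g. DEU|
    if re.search(r"[A-Z]{2,3}[|\-_]", nick):
        score += 3; reasons.append("country-code prefix")
    # Long digit runs are typical of random IDs the bot appends to stay unique
    if re.search(r"\d{4,}", nick):
        score += 2; reasons.append("long digit run")
    # Pipe and bracket separators are rare in human-chosen nicknames
    if re.search(r"[|\[\]]", nick):
        score += 1; reasons.append("pipe/bracket separators")
    # n-gram check: fraction of the nickname's trigrams never seen in benign nicknames
    tg = trigrams(nick.lower())
    if tg:
        unseen = len(tg - BENIGN_TRIGRAMS) / len(tg)
        if unseen > 0.5:
            score += 2; reasons.append(f"{unseen:.0%} unseen trigrams")
    # C&C servers frequently listen on ports other than the usual IRC ones
    if server_port not in COMMON_IRC_PORTS:
        score += 1; reasons.append(f"uncommon port {server_port}")
    return score, reasons

IRC_LINE = re.compile(r"^(NICK|JOIN)\s+(\S+)(?:\s+(.*))?$")

def analyze(lines):
    """Correlate NICK and JOIN lines per client IP and report hosts scoring at or above THRESHOLD.

    `lines` is an iterable of (client_ip, server_ip, server_port, irc_line) tuples, as a
    passive sniffer would reconstruct them from the client side of each IRC connection.
    """
    sessions = defaultdict(lambda: {"channels": []})
    for client, server, port, raw in lines:
        m = IRC_LINE.match(raw)
        if not m:
            continue
        cmd, arg, rest = m.groups()
        s = sessions[client]
        s["cc_server"], s["cc_port"] = server, port
        if cmd == "NICK":
            s["nick"] = arg
        elif cmd == "JOIN":
            # JOIN <channel> [<key>]; anything after the channel is recorded as a parameter
            s["channels"].append((arg, rest or ""))
    reports = {}
    for client, s in sessions.items():
        if "nick" not in s:
            continue
        score, reasons = score_nickname(s["nick"], s["cc_port"])
        if score >= THRESHOLD:
            reports[client] = {"nick": s["nick"], "score": score, "reasons": reasons,
                               "cc_server": s["cc_server"], "cc_port": s["cc_port"],
                               "channels": s["channels"]}
    return reports

# Constructed sample traffic (client_ip, server_ip, server_port, raw IRC line); these are
# invented lines, not captures from the paper's network.
SAMPLE_LINES = [
    ("10.0.0.5", "192.0.2.10", 6667, "NICK alice"),
    ("10.0.0.5", "192.0.2.10", 6667, "JOIN #linux"),
    ("10.0.0.7", "198.51.100.4", 1863, "NICK [DEU|XP|4721]"),
    ("10.0.0.7", "198.51.100.4", 1863, "JOIN #bots h4x"),
    ("10.0.0.9", "203.0.113.9", 8080, "NICK USA|00|SP2|817352"),
    ("10.0.0.9", "203.0.113.9", 8080, "JOIN #lol :pass"),
    ("10.0.0.11", "192.0.2.10", 6667, "NICK bob_work"),
]

if __name__ == "__main__":
    for client, r in analyze(SAMPLE_LINES).items():
        print(f"{client}: nick={r['nick']!r} score={r['score']} "
              f"C&C={r['cc_server']}:{r['cc_port']} channels={r['channels']} "
              f"reasons={', '.join(r['reasons'])}")
```

On the constructed sample, the two hosts using country-code style nicknames on non-standard ports are reported with their C&C server, port, channel and JOIN parameter, while the human-looking nicknames score zero. The trigram baseline is the part that would need real tuning: a small baseline inflates the "unseen" fraction for any unusual but legitimate nickname, which is why it only contributes points rather than deciding on its own.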