A Study of Botnets: Systemization of Knowledge and Correlation-based Detection

Botnets have been the cause of some of the gravest cyberthreats in recent times. Despite research and commercial efforts to curb them, botnets continue to grow in size and sophistication. In response to this persistent yet rapidly evolving threat, hundreds of scientific reports have been published on botnet architectures, economics, detection, defense and future trends. Attackers have answered in turn with more robust communication mechanisms, decentralized architectures and a number of elaborate evasion techniques. An obvious by-product of this perennial arms race is that the field of botnets has grown quite complex. This complexity is two-fold. Firstly, the vast body of literature on botnets remains largely unstructured. Secondly, a collaborative platform on which to carry out botnet research is sorely missing. In this thesis, we address both issues by first structuring the knowledge in the area of botnets and then developing a botnet detection tool. We present three taxonomies, covering botnet behaviors and architectures, detection mechanisms, and defense strategies. We assert that these taxonomies help visualize the diversity of botnet research and support informed decisions when devising new detection and defense mechanisms. Next, we present BotFlex, an open-source, extensible tool for botnet detection. We use BotFlex to analyze hundreds of gigabytes of a home ISP's traffic, with ground truth provided by a commercial security company, and observe true positive and false positive rates of 89.6% and 28.6%, respectively. These are very positive results for a system that currently uses only a handful of features and decision elements drawn from existing literature. We run BotHunter, a closed-source bot detection tool, over the same data set and observe similar detection rates and performance, validating our implementation against the only freely available tool.
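The correlation-based verdict and the true/false positive evaluation described above, as an added illustration that is not BotFlex's or BotHunter's code: a toy detector flags a host once it exhibits at least a threshold number of distinct evidence classes inside a time window, and its verdicts are then scored against a constructed ground-truth label set. The event tuples, host addresses, evidence-class names, window length and threshold are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample evidence events: (timestamp_s, host, evidence_class).
# The classes mimic dialog stages reported in the botnet literature
# (scanning, C&C contact, binary download, spam); they are assumptions.
EVENTS = [
    (100, "10.0.0.5", "scan"),
    (130, "10.0.0.5", "cnc"),
    (170, "10.0.0.5", "egg_download"),
    (200, "10.0.0.9", "cnc"),          # single beacon only: not enough evidence
    (300, "10.0.0.7", "spam"),
    (320, "10.0.0.7", "cnc"),          # two classes -> flagged, but host is clean
    (1000, "10.0.0.11", "scan"),
    (5000, "10.0.0.11", "cnc"),        # evidence too far apart to correlate
    (400, "10.0.0.12", "cnc"),
    (410, "10.0.0.12", "spam"),
    (420, "10.0.0.12", "scan"),
]

# Constructed ground truth standing in for a commercial feed: infected hosts.
GROUND_TRUTH_INFECTED = {"10.0.0.5", "10.0.0.11", "10.0.0.12"}
ALL_HOSTS = {host for _, host, _ in EVENTS}

WINDOW = 600       # seconds of evidence that may be correlated together
MIN_CLASSES = 2    # distinct evidence classes needed to raise a verdict


def correlate(events, window=WINDOW, min_classes=MIN_CLASSES):
    """Map each flagged host to the time its evidence first reached
    min_classes distinct classes inside a span of at most `window` seconds."""
    per_host = defaultdict(list)
    for ts, host, cls in sorted(events):
        per_host[host].append((ts, cls))

    detections = {}
    for host, evs in per_host.items():
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, cls in evs[i:]:
                if ts - start > window:
                    break            # later events fall outside this window
                seen.add(cls)
                if len(seen) >= min_classes:
                    detections[host] = ts
                    break
            if host in detections:
                break
    return detections


def evaluate(detected, infected, all_hosts):
    """TPR = flagged infected / infected; FPR = flagged clean / clean."""
    clean = all_hosts - infected
    tp = len(detected & infected)
    fp = len(detected & clean)
    tpr = tp / len(infected) if infected else 0.0
    fpr = fp / len(clean) if clean else 0.0
    return tpr, fpr


if __name__ == "__main__":
    for min_classes in (2, 3):
        det = correlate(EVENTS, min_classes=min_classes)
        tpr, fpr = evaluate(set(det), GROUND_TRUTH_INFECTED, ALL_HOSTS)
        print(f"min_classes={min_classes}: flagged={sorted(det)} "
              f"TPR={tpr:.2f} FPR={fpr:.2f}")
```

On this constructed data, requiring two evidence classes flags the clean spam-plus-C&C host and misses the slow host whose scan and C&C contact are separated by more than the window, giving TPR 0.67 and FPR 0.50; raising the threshold to three classes removes the false positive without losing a true positive, while only a wider window recovers the slow host. That tension between the evidence threshold, the correlation window and the resulting TPR/FPR pair is the same one behind the 89.6% and 28.6% figures reported for BotFlex.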
