BotMosaic: Collaborative network watermark for the detection of IRC-based botnets

Recent research has made great strides in the field of detecting botnets. However, botnets of all kinds continue to plague the Internet, as many ISPs and organizations do not deploy these techniques. We aim to improve this situation by creating a very low-cost method of detecting infected bot hosts. Our approach is to leverage the botnet detection work carried out by some organizations to easily locate collaborating bots elsewhere. We created BotMosaic as a countermeasure to IRC-based botnets. BotMosaic relies on captured bot instances controlled by a watermarker, who inserts a particular pattern into their network traffic. This pattern can then be detected at a very low cost by client organizations, and the watermark can be tuned to provide acceptable false-positive rates. A novel feature of the watermark is that it is inserted collaboratively into the flows of multiple captured bots at once, in order to ensure the signal is strong enough to be detected. BotMosaic can also be used to detect stepping stones and to help trace back to the botmaster. It is content agnostic and can operate on encrypted traffic. We evaluate BotMosaic using simulations and a testbed deployment.
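The two ideas in the abstract, collaborative insertion across several captured-bot flows and tuning the threshold to a target false-positive rate, as an added illustrative model (this is not BotMosaic's own scheme or code): it assumes a content-agnostic interval-timing watermark in which delaying packets is the marking operation, and every function name and sample value is constructed for the illustration.

```python
# Illustrative model of a collaborative interval-timing watermark (hypothetical scheme, not BotMosaic's).
import random

def make_flow(rng, n_packets, duration):
    """Constructed sample flow: packet send times drawn uniformly over [0, duration)."""
    return sorted(rng.uniform(0.0, duration) for _ in range(n_packets))

def embed(times, pattern, interval):
    """Watermarker side (hypothetical): delay first-half packets of bit-1 intervals into the second half."""
    out = []
    for t in times:
        i = int(t // interval)
        if i < len(pattern) and pattern[i] == 1 and t - i * interval < interval / 2:
            t += interval / 2          # stays inside interval i, only later in it
        out.append(t)
    return sorted(out)

def interval_stats(times, n_intervals, interval):
    """Per interval: packets in the second half minus packets in the first half."""
    stats = [0] * n_intervals
    for t in times:
        i = int(t // interval)
        if i < n_intervals:
            stats[i] += 1 if t - i * interval >= interval / 2 else -1
    return stats

def score(flows, pattern, interval):
    """Detector side: sum interval statistics over every flow it sees (the collaborative
    step, so weak per-flow signals add up), then correlate with the pattern (+1 / -1)."""
    total = [0] * len(pattern)
    for flow in flows:
        for i, v in enumerate(interval_stats(flow, len(pattern), interval)):
            total[i] += v
    return sum(v if bit else -v for v, bit in zip(total, pattern))

def threshold_for_fpr(rng, n_flows, n_packets, pattern, interval, fpr, trials=300):
    """Tune the threshold: score unmarked flow sets and keep the (1 - fpr) quantile."""
    duration = len(pattern) * interval
    scores = sorted(
        score([make_flow(rng, n_packets, duration) for _ in range(n_flows)], pattern, interval)
        for _ in range(trials))
    return scores[min(trials - 1, round((1 - fpr) * trials))]

def demo(seed=7, n_flows=8, n_packets=48, interval=1.0):
    """Constructed scenario: 8 sparse bot flows (3 packets/s each) and a 16-bit pattern."""
    rng = random.Random(seed)
    pattern = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
    duration = len(pattern) * interval
    thr = threshold_for_fpr(rng, n_flows, n_packets, pattern, interval, fpr=0.01)
    clean = [make_flow(rng, n_packets, duration) for _ in range(n_flows)]
    marked = [embed(f, pattern, interval) for f in clean]
    return {"threshold": thr, "clean": score(clean, pattern, interval),
            "marked": score(marked, pattern, interval), "single_flow": score(marked[:1], pattern, interval)}
```

In the constructed scenario the summed score of the eight marked flows clears the 1% false-positive threshold by a wide margin, while a single marked flow on its own sits near the threshold, which is the point of marking the captured bots collaboratively.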
