Locating malicious bots in a large network is difficult because the network's internal firewalls and NAT routers unintentionally hide the bots' host addresses and malicious packets. However, removing firewalls and NAT routers merely to locate bots is generally not acceptable. In this paper, we propose an easy-to-deploy, easy-to-manage network security control system for locating a malicious host behind internal security gateways. The system consists of remote security devices and a command server. Each remote security device is installed as a transparent link (implemented as an L2 switch) between a subnet and its gateway, to detect a host in the target subnet that is compromised by a malicious bot while minimizing the impact of deployment. The security devices are remotely controlled by 'polling' the command server, which eliminates the NAT traversal problem and keeps them firewall friendly. Because the remote security device is transparent, remotely controlled, and robust to security gateways, we regard it as a beneficial bot. We adopt a web server with wiki software as the command server in order to take advantage of its customizability, ease of use, and ease of deployment.