Behavioural correlation for malicious bot detection

Over the past few years, IRC bots, malicious programs that are remotely controlled by an attacker, have become a major threat to the Internet and its users. These bots can be used in different malicious ways, such as launching distributed denial of service (DDoS) attacks to shut down other networks and services. Newer bots are implemented with extended features such as keystroke logging, spamming and traffic sniffing, which cause serious disruption to targeted networks and users. In response to these threats, there is a growing demand for effective techniques to detect the presence of bots/botnets. Currently existing approaches detect botnets rather than individual bots. In our work we present a host-based behavioural approach for detecting bots/botnets, based on correlating the different activities generated by bots by monitoring function calls within a specified time window. Different correlation algorithms are used in this work to achieve the required task. We start by detecting IRC bots' behaviours using a simple correlation algorithm. A more intelligent approach to understanding correlated activities is also used as a major part of this work. Our intelligent algorithm is inspired by the immune system. Although the intelligent approach produces an anomaly value for the classification of processes, it generates false positive alarms if not enough data is provided. In order to solve this problem, we introduce a modified anomaly value which reduces the number of false positives generated by the original anomaly value. We also extend our work to detect peer-to-peer (P2P) bots, which are the upcoming threat to Internet security because P2P bots have no centralized point to shut down or trace back, making the detection of P2P bots a real challenge. Our evaluation shows that correlating the different activities generated by IRC/P2P bots within a specified time period achieves high detection accuracy. In addition, using an intelligent correlation algorithm not only states whether an anomaly is present, but also names the process responsible for the anomaly.
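The abstract describes correlating a process's function calls within a time window and damping the anomaly value when too little data is available. The following is an added illustration of that idea, not the thesis's own algorithm: the call-to-activity mapping, the window scoring and the evidence-based damping are all assumptions, and the trace is constructed.

```python
from collections import defaultdict

# Hypothetical mapping from intercepted function calls to activity classes.
# The thesis monitors function calls; the exact calls and classes it uses
# are not given on this page, so this table is an assumption.
ACTIVITY_OF_CALL = {
    "SetWindowsHookExA": "keylog", "GetAsyncKeyState": "keylog",
    "send": "net_out", "sendto": "net_out", "recv": "net_in",
    "CreateFileA": "file", "WriteFile": "file", "CreateProcessA": "exec",
}
ACTIVITIES = sorted(set(ACTIVITY_OF_CALL.values()))

def window_scores(events, window=5.0, min_events=4):
    """events: iterable of (timestamp_s, pid, function_name).

    For every process, slide a time window over its calls and keep the
    window showing the most distinct activity classes. Returns
    {pid: (raw, modified)}: raw is the fraction of activity classes seen
    together in that window; modified damps raw when the window holds
    fewer than min_events calls (an illustrative false-positive control,
    not the thesis's modified anomaly value, which this page does not define)."""
    per_pid = defaultdict(list)
    for ts, pid, fn in sorted(events):
        if fn in ACTIVITY_OF_CALL:
            per_pid[pid].append((ts, ACTIVITY_OF_CALL[fn]))
    scores = {}
    for pid, calls in per_pid.items():
        best_raw, best_mod = 0.0, 0.0
        for i, (t0, _) in enumerate(calls):
            in_win = [a for t, a in calls[i:] if t - t0 <= window]
            raw = len(set(in_win)) / len(ACTIVITIES)
            mod = raw * min(1.0, len(in_win) / min_events)
            best_raw, best_mod = max(best_raw, raw), max(best_mod, mod)
        scores[pid] = (round(best_raw, 3), round(best_mod, 3))
    return scores

def flag(scores, threshold=0.6):
    """Return the pids whose damped score reaches the alert threshold."""
    return sorted(pid for pid, (_, mod) in scores.items() if mod >= threshold)

# Constructed sample trace (not real data): pid 100 behaves bot-like,
# pid 200 like an editor, pid 300 shows too little evidence to decide.
SAMPLE = [
    (0.0, 100, "SetWindowsHookExA"), (1.2, 100, "WriteFile"),
    (2.5, 100, "sendto"), (3.9, 100, "CreateProcessA"), (4.8, 100, "recv"),
    (0.5, 200, "CreateFileA"), (1.0, 200, "WriteFile"), (30.0, 200, "send"),
    (10.0, 300, "GetAsyncKeyState"), (12.0, 300, "send"),
]

if __name__ == "__main__":
    s = window_scores(SAMPLE)
    for pid in sorted(s):
        print(pid, s[pid])
    print("flagged:", flag(s))
```

Process 300 shows keylogging and network output in the same window, but with only two calls its damped score stays well below the threshold, which is the effect the abstract attributes to its modified anomaly value.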
