A Framework for Botnet Infection Determination through Multiple Mechanisms Applied on Honeynet Data

Botnets are a class of Internet attack whose characteristics differ from those of ordinary Internet attacks. One feature that uniquely characterizes a botnet attack is that the infected machine (Bot) is remotely controlled by an entity called the "Botmaster". The Botmaster remotely controls these infected systems through "Command and Control" (C&C) servers. Over time, the complexity of botnets has increased many fold. Advanced techniques employed by botnets, such as protocol encryption, complex botnet structures and multi-stage infection propagation models, have made botnet detection a challenging problem. Hence there is a need for a botnet detection mechanism that is independent of the C&C protocol, the structure and the infection propagation model used by the botnet. In the work presented in this paper, experiments have been performed to evaluate the strength of existing botnet detection techniques, and an advanced detection mechanism is proposed that uses a logical combination of existing open source solutions, Honeynet technologies and our own mechanisms for botnet detection. A test setup, as a proof-of-concept of the proposed framework, is presented in this paper together with the experimental results.
