proxy filter killer
February 26th, 2010 by admin


A survey of botnets with cryptography

Abstract.

As technology has developed, the botnet problem has become a major issue for the information-technology community. Most botnet threats to network and server security are based on C&C over IRC or the common HTTP protocol [1], and more recently on P2P connection structures; the characteristics and activities of the bots differ according to the structure of the botnet. Research on the subject is therefore plentiful, and it is useful to categorize and classify the bot defense mechanisms. Bot activity results in many negative effects, such as DDoS (Distributed Denial of Service) and spam. The mechanisms for detecting and defending against bots can be classified as detection of C&C-based bots and detection of P2P-based bots. A vital aspect of botnet administration is the authenticity and integrity of commands. Asymmetric cryptography offers a simple and effective way to achieve this, and we discuss that methodology here.

Keywords: botnet detection, bots, P2P bot, C&C bot, cryptography

1. INTRODUCTION

The property of untraceable, coordinated attacks is exactly what hackers/attackers want in order to compromise a computer or a network for illegal purposes. Once a group of hosts at different locations is controlled by a malicious individual or organization to launch an attack, the origin can hardly be traced, owing to the complexity of the Internet. For this reason, the increasing number of incidents and threats to legitimate Internet activity, such as information leakage, click fraud, denial of service (DoS) and spam email, have become very serious problems today [1]. The victims controlled by the coordinated attackers are called zombies or bots, a term derived from the word "robot". The term bot commonly refers to software applications that run automated tasks over the Internet [2]. In such a command and control (C2, or C&C) infrastructure, a group of bots is capable of forming a self-propagating, self-organizing and autonomous framework called a botnet [3]. In general, after compromising a number of systems, the botnet master (also known as the herder or author) remotely controls the bots and installs worms, Trojans or backdoors on them [3]. Most victims run the Microsoft Windows operating system [3]. The process of stealing computer resources for a botnet is called "scrumping" [3].

Botnets can be classified into two broad categories on the basis of their topology [4]. The typical and most common type is the Internet Relay Chat (IRC)-based botnet. Because of its centralized architecture, researchers have designed some feasible countermeasures to detect and dismantle such botnets [5, 6]. Consequently, the latest and most sophisticated hackers/attackers have started using peer-to-peer (P2P) botnet technologies [4, 7]. P2P botnets are distributed and have no central point of failure. Compared with IRC-based botnets, they are more difficult to detect and remove [4]. In addition, most existing studies are still in the analysis phase [4, 7].

The paper is organized as follows. Section 2 gives a classification of botnets. Section 3 describes the relevant attacks. Section 4 elaborates the detection and tracking mechanisms. Preventive measures are outlined in Section 5. The conclusion and future challenges are given in Section 6.

2. CLASSIFICATION

Botnets are an emerging threat, with billions of infected computers worldwide. Bots can spread across thousands of computers at high speed, as worms do. Unlike worms, the bots in a botnet are able to cooperate towards a common malicious purpose. For that reason, botnets now play an important role in the malware epidemic on the Internet [16]. In [19], W. T. Strayer et al. provided some flow-analysis indicators for detecting botnets. After filtering IRC traffic, flow-based methods were applied to discriminate benign from malicious IRC channels. The methods proposed in [20] and [21] combined application-layer and network-layer analysis. E. Cooke et al. [22] focused on IRC activity in the application layer, using information from monitoring network activity. Some authors have introduced machine-learning techniques for detecting botnets [23], since these led to a better way of characterizing botnets. Currently, honeynets and intrusion detection systems (IDS) are the two principal techniques for preventing attacks. Honeynets can be deployed in both distributed and local contexts [9]. They are able to reveal botnet attacks, but cannot tell the details, such as whether the victim carries a certain worm [9]. An IDS uses existing signatures or botnet behavior as references to detect possible attacks. Summarizing botnet characteristics is therefore important for a secure network. To the best of our knowledge, we have not found any other work on botnet anomaly detection.

2.1 Formation and exploitation

To illustrate formation and operation, we take a spam botnet as an example. A typical botnet formation can be described by the following steps [3]:

1) The botnet author sends viruses or worms, whose payload is the bot, to infect victim machines.

2) The bots on the infected hosts log in to an IRC server or use other means of communication, forming a botnet.

3) A spammer pays the owner of this botnet to obtain access rights.

4) The spammer sends commands to the botnet, instructing the bots to send spam.

5) The infected hosts send spam messages to different mail servers on the Internet.

2.2 IRC-based Bot

IRC is a text-based protocol for instant messaging between people connected to the Internet. It is based on the client/server (C/S) model but is well suited to distributed environments [18]. Typically, IRC servers are interconnected and pass messages to one another [18]. Hundreds of clients can be connected across multiple servers. This is the so-called multiple IRC (mIRC), in which communications between clients and server are pushed to the channel they are connected to. The functions of IRC bots include list-based access management, moving files, exchanging clients, distributing channel information, and so on [18].

• Bot: an executable file, usually triggered by a specific command from the IRC server. Once a bot is installed on a victim machine, it places a copy of itself in a configurable directory and arranges for the malware to start with the operating system. In general, bots are just the payload of a worm or a way to open a back door [18].

• Control channel: an IRC channel secured by the attacker to manage all the bots.

• IRC server: can be a compromised machine or even a legitimate public service provider.

• Attacker: the one who controls the bot attack over IRC.

The attacker's operation has four stages [16]:

Stage 1) Creation, where the attacker can add malicious code to, or simply modify, one of the many highly configurable bots available over the Internet [16].

Stage 2) Configuration, where the IRC server and channel information are collected [16]. When the bot is installed on the victim, it automatically connects to the selected host [16]. Then the attacker can restrict access and secure the channel with the bots for business or other purposes [16]. For example, the attacker is able to provide a list of bots to authorized users who want to customize and use them for their own purposes.

Stage 3) Infection, where bots are propagated by various direct and indirect means [16]. As the name implies, direct techniques exploit vulnerabilities in services or operating systems, and are usually associated with the use of viruses [16]. Once vulnerable systems are compromised, they continue the infection process, so that the attacker adds further victims while saving time [16]. The most vulnerable systems are Windows 2000 and XP SP1, where the attacker can easily find unpatched or unsecured (i.e., no firewall) hosts [16]. Indirect approaches, instead, use other programs as a proxy to spread the bots, for example malware distributed via DCC (Direct Client-to-Client) file sharing on IRC or P2P networks to exploit vulnerabilities of the target computers [16].

Stage 4) Control, where the attacker can send instructions to a group of bots through the IRC channel to perform some malicious tasks.

2.3 P2P-based Bot

Few works have focused on P2P-based bots so far [4, 24-29, 46]. It is still a difficult subject. In fact, using an ad hoc P2P network to control armies of victims is not a new technique [26]. A P2P communication system is much more difficult to disrupt. This means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. However, P2P systems are more complex to design, and there are usually no guarantees on message delivery or latency. A P2P-shaped worm called Slapper [27] infected Linux systems through a DoS attack in 2002. Hypothetical clients were used to send commands to compromised hosts and receive answers from them [27]. Thus, the attacker's network location could remain anonymous and uncontrolled [27]. A year later, a P2P-based bot appeared, dubbed Sinit [28]. It uses public-key cryptography for update authentication. Later, in 2004, Phatbot [29] was created to send commands to other compromised hosts over a P2P system. Today the Storm Worm [24] may be the most widespread P2P bot on the Internet. T. Holz et al. analyzed it using binary analysis and network monitoring [24]. In addition, they proposed some techniques to disrupt the communication of a P2P-based botnet, such as eclipsing and polluting the file content.

However, the above P2P-based bots are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers that a new participant contacts in order to join. This bootstrap process creates a single point of failure for a P2P-based botnet [25]. For this reason, the authors of [25] presented a specific hybrid P2P botnet to overcome this problem.

2.4 Types of Bots

Many types of bots have already been discovered and studied in the wild [9, 16, 17]. Table I presents several comprehensive and well-known bots with their basic characteristics.

TABLE I: WELL-KNOWN BOT TYPES AND THEIR FEATURES

• Agobot, Phatbot, Forbot, Xtrembot: They are so frequent that there are more than 500 variants on the Internet today. Agobot is the only bot that can use control protocols other than IRC as well [9]. It offers various approaches to hiding the bot on compromised hosts, including NTFS Alternate Data Streams, a polymorphic encryptor engine and an antivirus killer [16].

• SDBot, RBot, UrBot, UrXBot: SDBot is the basis of the other three bots and probably many more [9]. Unlike Agobot, its code is unclear and has only limited functionality. Still, this group of bots is widely used on the Internet [16].

• SpyBot, NetBIOS, Kuang, Netdevil, KaZaa: There are hundreds of variants of SpyBot today [17]. Most of them seem to share the C2 framework with SDBot or to have evolved from it [17]. However, it provides no accountability for, nor conceals, its malicious purpose in the code base [17].

• mIRC-based GT-Bots: GT (Global Threat) bots are mIRC-based bots. They enable an mIRC chat client based on a set of binaries (mostly DLLs) and scripts [16]. The application window is often hidden on the compromised host to make mIRC invisible to the user [9].

• DSNX bots: The DSNX (Dataspy Network X) bot has a plug-in interface for adding new functions [16]. Although the default version does not provide the required function, plugins can help address this problem [9].

• Q8 bots: Designed for Unix/Linux OS with the common features of a bot, such as dynamic HTTP update, several DDoS attacks, execution of arbitrary commands, etc. [9].

• Kaiten: Very similar to Q8 bots, sharing the same execution environment, and without a spreader. Kaiten has a remote shell, making it more convenient to check for vulnerabilities over IRC [9].

• Perl-based bots: Many variants today are written in Perl [9]. They are so small that they have only a few hundred lines of code [9]. Thus, only limited basic commands are available for attacks, especially DDoS attacks on UNIX-based systems [9].

3. BOTNET ATTACKS

Botnets can be used for both legitimate and illegitimate purposes [6]. One legitimate objective is to support IRC channel operations, using administrative privileges granted to specific individuals. However, these objectives do not account for the large number of bots we have seen. On the basis of the wealth of data recorded in honeypots [9], the possibilities of using botnets for criminal or destructive objectives can be classified as follows.

3.1 DDoS

Botnets are often used for DDoS attacks [9], which can disable the network services of the victim system through bandwidth consumption. For example, an author may order the botnet to connect to the victim's IRC channel; the target can then be flooded by thousands of service requests from the botnet. In this type of DDoS attack, the victim's IRC network goes down. The evidence reveals that the attacks most commonly used by botnets are TCP SYN and UDP floods [30].

A general countermeasure against DDoS attacks requires (1) taking control of a large number of compromised machines, or (2) shutting off the remote control mechanism [30]. However, we still need more efficient ways to avoid this type of attack. F. C. Freiling et al. [30] have presented a method for preventing a DDoS attack by exploring bots hidden in honeypots.

3.2 Spamming and spreading malware

About 70% to 90% of the world's spam is caused by botnets today, which the Internet security industry has experienced widely [47, 49]. A study report indicates that once a SOCKS v4/v5 proxy (TCP/IP RFC 1928) is opened on compromised hosts by some bots, the machines can be used for nefarious tasks such as spam. In addition, some bots are able to harvest email addresses through particular functions [9]. Therefore, attackers can use a botnet to send massive amounts of spam [31]. Researchers in [32] have proposed a content-independent spam classification system called Trinity to counter spam from botnets. The designers assume that the bots will send a mass of spam emails in a short time. Hence, any mail sent in such a manner is treated as spam.

To discover the overall characteristics of spam botnets and benefit detection in the future, Y. Xie et al. [33] have developed a spam signature generation framework called AutoRE. They also found several characteristics of spam botnets: (1) spammers often add some random, legitimate URLs to the mail to evade detection [33]; (2) botnet IP addresses are usually distributed across many autonomous systems (AS), with only a few machines involved in each AS on average [33]; (3) although the spam content differs, the recipient addresses may be similar [33]. How to use these features to capture botnets and avoid spam is a valuable topic for future research. Similarly, botnets can also be used to spread malware [9]. For example, the Witty worm can be launched by a botnet over the ICQ protocol to attack because the victims' systems have not enabled the Internet Security Systems (ISS) services [9].

3.3 Information Leakage

Because some bots can not only sniff traffic passing through the compromised machines but also capture command data within the victims, perpetrators can easily retrieve sensitive information such as usernames and passwords [9]. Evidence indicates that botnets are becoming more sophisticated, quickly scanning for major corporate and financial data [47]. Since the bots rarely affect the performance of the infected systems they run on, they are often outside the surveillance zone and difficult to capture. Keylogging is the typical solution for this kind of inside attack [9, 16]. This type of bot listens to the keyboard and then reports useful information to its master after filtering the captured input. This allows the attacker to steal thousands of pieces of private information and credential data [16].

3.4 Click Fraud

With the help of a botnet, the authors are able to install advertising add-ons and browser helper objects (BHOs) for business purposes [9]. With programs like Google AdSense, in order to obtain a higher click-through rate (CTR), authors may periodically use botnets to click specific links, thereby artificially inflating the CTR [9]. This is also effective for online surveys or games [9]. As each victim host has a unique IP address, dispersed throughout the world, each click is considered a valid action by a legitimate person.

3.5 Identity Fraud

Identity fraud, also known as identity theft, is a rapidly growing crime on the Internet [9]. E-mail phishing is a typical case. It usually includes seemingly legitimate URLs and requests the recipient to submit personal or confidential information. These messages can be generated and sent by a botnet through spam mechanisms [9]. Going one step further, botnets can also set up multiple fake websites pretending to be an information service site in order to harvest victims. Once a fake site is closed by its owner, another may pop up, until the computer is turned off.

4. DETECTION AND LOCATION

So far, several different approaches to identifying and tracking botnets have been proposed or tried. The first and most general is the use of honeypots, where a subnet is intended to be compromised by a Trojan but actually observes the attackers' behavior; the hosts are allowed to be controlled so that identification is possible [22]. In a relevant case, Freiling et al. [30] introduced a feasible way to detect certain types of DDoS attacks launched by a botnet. To begin, they use an active-response honeypot to collect the bot binary. Then, they seek to join the botnet as a compromised machine by running the bot in the honeypot and allowing it to access the IRC server. In the end, the botnet is infiltrated by a "silent" drone that collects information, which may be useful in dismantling zombie networks. Another commonly used method is to use some form of insider information to track an IRC-based botnet [11]. The third, but less common, approach to detecting botnets is to investigate the DNS caches in the network to resolve the IP addresses of target servers [11].

4.1 Honeypot and Honeynet

Honeypots are well known for their strong ability to detect security threats, collect malware, and help understand the behavior and motivations of the authors. A honeynet monitors a diverse, large-scale network consisting of more than one honeypot. Most researchers focus on Linux-based honeynets, for the obvious reason that, compared with any other platform, more free honeynet tools are available on Linux [6]. As a result, only a few tools support the deployment of Windows honeypots, and intruders can proactively begin to dismantle the honeypot.

Some researchers aim to design a reactive firewall or related means to prevent multiple compromises of honeypots [6]. When a compromised port is detected by such a firewall, the incoming attacks can be blocked [6]. This operation must be carried out covertly to avoid arousing the attacker's suspicion. The evidence tells us that less covert operation is needed when protecting honeypots against multiple compromises by worms, because of the way worms are used to detect its presence [6]. Because many intruder toolkits are downloaded to a victim immediately after compromise, we have to block traffic selectively rather than all of it. These toolkits are important evidence for later analysis. Therefore, to some extent, attackers' access to the honeypots should not be prevented too thoroughly [6].

Since honeypots have become more and more popular in surveillance and defense systems, intruders have begun to look for ways to detect and avoid them [34]. There are some viable techniques for detecting honeypots, for example detecting VMware or emulated virtual machines [35, 36] or detecting faulty program responses in the honeypot [37]. In [38], Bethencourt et al. successfully identified honeypots through the intelligent use of publicly reported survey statistics. In addition, Krawetz [39] presented a commercial spam tool with an anti-honeypot feature, called "Send-Safe Honeypot Hunter". By checking the response of the remote proxy, a spammer is able to detect open-proxy honeypots [39]. However, this tool cannot effectively detect honeypots other than open-proxy ones. Recently, C. C. Zou et al. [34] proposed another method for honeypot detection that is independent of software and hardware. In their paper, they also introduced an effective method to identify and remove infected honeypots using a structured P2P botnet [34]. All of the above evidence indicates that, if botnets become invisible to honeypots, the relevant research must be improved.

4.2 IRC-based detection

IRC-based botnets have been studied extensively, and therefore several features have been discovered for their detection to date. One of the easy ways to detect such botnets is to sniff traffic on the common IRC port (TCP port 6667) and then check whether the payload strings match our knowledge database [22]. However, botnets can use random ports to communicate. Therefore, another approach based on the behavioral characteristics of the bots has appeared. S. Racine [40] found that IRC-based bots are often idle and only respond when receiving a specific instruction. Thus, connections with such features are marked as potential enemies. However, this still has a high false-positive rate in the result.

There are other existing methodologies for IRC-based botnet detection. Barford et al. [17] proposed some approaches based on source-code analysis. Rajab et al. [11] presented a modified IRC client, called an IRC tracker, able to connect to the IRC server and respond to queries automatically. Given a fingerprint and the relevant template, the IRC tracker could create an instance of a new IRC session with the IRC server [11]. Unless the bot master could discover the tracker's true identity, it appeared as a real, responsive bot on the Internet, executing all malicious commands, including responses to the attacker [11]. Next, we introduce some detection methods against IRC-based botnets.

4.2.1 Detection based on traffic analysis

Signature technology is often used in anomaly detection. The basic idea is to extract feature information from traffic packets and match it against the patterns of currently known bots registered in the knowledge base. Apparently, it is easy to perform by simply comparing each byte in the packet, but it also comes with several drawbacks [45]. First, it is unable to identify unknown bots [45]. Second, the knowledge base must always be updated with new signatures, increasing management costs and reducing performance [45]. Third, bots can launch new attacks before the knowledge base is patched [45].

Based on the characteristics of IRC, some other techniques for botnet detection have arisen. Basically, two types of actions are involved in normal IRC communication. One is interactive commands and the other is message exchange [45]. If we can identify the IRC operation of a given program, it is possible to detect a botnet attack [45]. For example, if private information is copied elsewhere by some IRC commands, we can say the system is under attack, since normal chat behavior will never do that [45]. Moreover, traffic can be encrypted or concealed by network noise [21]. Either situation will make the bots invisible.

In [45], the authors observed actual traffic on IRC communication ports ranging from 6666 to 6669. They found some IRC clients repeatedly sending login information while the server was denying the connection [45]. Based on the experimental result, they claimed that the bots repeat these actions at specified intervals after being rejected by the IRC server, and that the time intervals differ [45]. However, whether this constitutes a real IRC botnet attack is not established by their experiment. Extending their results is a possible future work.
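As an added example (not from [45] or the page), the observation above turned into a detection rule: given login attempts seen on IRC ports 6666-6669, a host whose rejected logins recur at a near-constant interval is flagged. The log format, the sample lines and the jitter threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log of IRC login attempts recorded by a network sensor.
# The format is an assumption of this example, not a real sensor's output.
SAMPLE_LOG = """\
2010-02-26 10:00:00 src=10.0.0.5 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:00:30 src=10.0.0.5 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:01:00 src=10.0.0.5 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:01:30 src=10.0.0.5 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:00:07 src=10.0.0.9 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:03:41 src=10.0.0.9 dst=192.0.2.10:6667 msg=NICK/USER result=rejected
2010-02-26 10:04:02 src=10.0.0.9 dst=192.0.2.10:6667 msg=NICK/USER result=accepted
2010-02-26 10:02:00 src=10.0.0.7 dst=192.0.2.10:6668 msg=NICK/USER result=rejected
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=\S+:(\d+) msg=\S+ result=(\w+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst_port, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events


def find_periodic_retries(events, min_attempts=3, max_jitter=0.2):
    """Map src -> mean retry interval (s) for hosts whose rejected IRC
    logins recur at a near-constant interval.

    max_jitter bounds the coefficient of variation (stddev / mean) of the
    gaps; a human retrying by hand produces irregular gaps, a bot's timer
    does not. The threshold itself is an assumption, not a value from [45].
    """
    rejected = defaultdict(list)
    for ts, src, port, result in events:
        if result == "rejected" and 6666 <= port <= 6669:
            rejected[src].append(ts)

    flagged = {}
    for src, times in rejected.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for host, interval in find_periodic_retries(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: rejected IRC logins every {interval}s")
```

On the sample, only 10.0.0.5 is flagged (four rejections exactly 30 s apart); 10.0.0.9 has too few rejections and irregular gaps, and 10.0.0.7 appears once. In a real deployment the same rule would run over a sliding window so a bot with a long retry timer is still caught.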

In [49], P. Sroufe et al. proposed an alternative method for detecting botnets. Their approach can efficiently and automatically identify spam or bots. The main idea is to extract the shape of the email (the lines and the character count of each line) using Gaussian kernel density estimation [49]. Emails with similar shapes are suspected. However, the authors do not show how to detect botnets using this method. It may be another decent topic for future study.

4.2.2 Anomaly Detection based on activities

In [21], the authors propose an algorithm for botnet anomaly detection. It combines IRC mesh features with a TCP-based anomaly detection module. First, they observed and recorded a large number of TCP packets on IRC hosts. Based on the ratio of the total number of TCP control packets (for example, SYN, SYN-ACK, FIN and resets) to the total number of TCP packets, they can detect abnormal activities [21]. They called this ratio the TCP work weight, and a high value indicates a potential attack by a scanner or worm [21]. However, this mechanism cannot work if the IRC commands have been encrypted, as discussed in [21].
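The TCP work weight computed per host over a constructed packet sample, as an added example that is not code from [21] or from the page. The packet tuples, the flag encoding and the 0.5 alerting threshold are assumptions of this example; only the ratio definition comes from the text.

```python
from collections import defaultdict

# Constructed packet summaries as (source host, TCP flag letters), using the
# tcpdump-style letters S=SYN, A=ACK, F=FIN, R=RST, P=PSH.
# 10.0.0.5 behaves like a scanner (mostly SYNs with no completed handshakes);
# 10.0.0.8 carries an ordinary IRC session (handshake, data, FIN).
SAMPLE_PACKETS = [
    ("10.0.0.5", "S"), ("10.0.0.5", "S"), ("10.0.0.5", "S"), ("10.0.0.5", "R"),
    ("10.0.0.5", "S"), ("10.0.0.5", "S"), ("10.0.0.5", "SA"), ("10.0.0.5", "S"),
    ("10.0.0.5", "PA"), ("10.0.0.5", "S"),
    ("10.0.0.8", "S"), ("10.0.0.8", "SA"), ("10.0.0.8", "A"), ("10.0.0.8", "PA"),
    ("10.0.0.8", "PA"), ("10.0.0.8", "A"), ("10.0.0.8", "PA"), ("10.0.0.8", "A"),
    ("10.0.0.8", "PA"), ("10.0.0.8", "FA"),
]


def is_control(flags):
    """SYN, SYN-ACK, FIN and RST count as control packets, per [21]."""
    return "S" in flags or "F" in flags or "R" in flags


def tcp_work_weight(packets):
    """Per-host ratio of TCP control packets to all TCP packets."""
    control = defaultdict(int)
    total = defaultdict(int)
    for src, flags in packets:
        total[src] += 1
        if is_control(flags):
            control[src] += 1
    return {src: control[src] / total[src] for src in total}


def flag_hosts(packets, threshold=0.5, min_packets=10):
    """Hosts whose work weight exceeds the threshold.

    min_packets avoids alerting on a host seen only during its handshake,
    where the ratio is trivially high. Both numbers are assumptions here.
    """
    counts = defaultdict(int)
    for src, _ in packets:
        counts[src] += 1
    weights = tcp_work_weight(packets)
    return sorted(src for src, w in weights.items()
                  if counts[src] >= min_packets and w >= threshold)


if __name__ == "__main__":
    for src, w in sorted(tcp_work_weight(SAMPLE_PACKETS).items()):
        print(f"{src}: work weight {w:.2f}")
    print("flagged:", flag_hosts(SAMPLE_PACKETS))
```

The scanner-like host scores 0.9 (nine of ten packets are SYN, SYN-ACK or RST) and the normal session 0.3, so only the former is flagged. Because the weight looks only at TCP flags, it keeps working when the IRC payload is encrypted, which is exactly the case where the payload-signature approach of 4.2.1 fails; what it cannot do is distinguish a bot from any other scanner.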

4.3 DNS Monitoring

Since bots often send DNS queries to be able to access C2 servers, if we can intercept their domain names, the botnet traffic can be captured with a blacklist of domain names [41, 42]. In practice, this also provides a secondary route to take down botnets by disabling their ability to spread [11]. H. Choi et al. [41] examined the DNS features of botnets. According to their analysis, botnet DNS queries can be easily distinguished from legitimate ones [41]. First, bots only send DNS queries for the C2 domain servers, which legitimate hosts never do [41]. Second, members of a botnet act and migrate together simultaneously, and so do their DNS queries, whereas legitimate queries occur continuously and vary [41]. Third, legitimate hosts will not use DDNS very often, while botnets typically use DDNS for the C2 server [41]. Based on the above characteristics, they developed an algorithm to identify botnet DNS queries [41]. Its main idea is to compute the similarity of group activities and then distinguish botnets based on that value. The similarity value is defined as 0.5 (C/A + C/B), where A and B represent the sizes of two lists of IP addresses that queried the same domain name, and C represents the number of IP addresses common to both [41]. If the value is close to zero, the common domain is suspected [41].
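The group-activity similarity from [41], as an added example that is not the authors' code: DNS queries are bucketed per domain into fixed time windows, the set of querying IPs in each window is the "IP list", and the score 0.5 (C/A + C/B) is computed between consecutive windows. The log format, the five-minute window and the sample lines (including the placeholder domains) are constructed for this example; the score is 1.0 when the same group of hosts queries the domain in both windows and 0.0 when the groups are disjoint.

```python
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log: "date time client_ip queried_domain".
# cc-update.example.dyn is queried by nearly the same four hosts in both
# windows (group behaviour); news.example.org by changing, unrelated hosts.
SAMPLE_DNS_LOG = """\
2010-02-26 09:00:01 10.0.0.5 cc-update.example.dyn
2010-02-26 09:00:02 10.0.0.6 cc-update.example.dyn
2010-02-26 09:00:02 10.0.0.7 cc-update.example.dyn
2010-02-26 09:00:03 10.0.0.8 cc-update.example.dyn
2010-02-26 09:00:10 10.0.0.21 news.example.org
2010-02-26 09:00:40 10.0.0.22 news.example.org
2010-02-26 09:05:01 10.0.0.5 cc-update.example.dyn
2010-02-26 09:05:02 10.0.0.6 cc-update.example.dyn
2010-02-26 09:05:02 10.0.0.7 cc-update.example.dyn
2010-02-26 09:05:03 10.0.0.9 cc-update.example.dyn
2010-02-26 09:06:15 10.0.0.23 news.example.org
2010-02-26 09:07:50 10.0.0.24 news.example.org
2010-02-26 09:08:05 10.0.0.21 news.example.org
"""

EPOCH = datetime(2010, 1, 1)  # arbitrary reference point for window numbering


def similarity(list_a, list_b):
    """0.5 (C/A + C/B) from [41]: A, B are the list sizes, C the shared IPs."""
    a, b = set(list_a), set(list_b)
    if not a or not b:
        return 0.0
    c = len(a & b)
    return 0.5 * (c / len(a) + c / len(b))


def ip_lists_per_window(log_text, window_seconds=300):
    """domain -> list of IP sets, one per time window, in time order."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        date, time, ip, domain = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        window = int((ts - EPOCH).total_seconds()) // window_seconds
        buckets[domain][window].add(ip)
    return {d: [w[k] for k in sorted(w)] for d, w in buckets.items()}


def group_similarity(log_text, window_seconds=300):
    """domain -> similarity scores between each pair of consecutive windows."""
    scores = {}
    for domain, windows in ip_lists_per_window(log_text, window_seconds).items():
        scores[domain] = [similarity(x, y) for x, y in zip(windows, windows[1:])]
    return scores


if __name__ == "__main__":
    for domain, values in group_similarity(SAMPLE_DNS_LOG).items():
        print(domain, [round(v, 3) for v in values])
```

On the sample, the C2-like domain scores 0.75 (three of four hosts recur) and the news site about 0.42 (one of two, then one of three). The threshold applied to this score, and the direction of the decision, are those of [41]; the example only produces the score, and a practitioner would combine it with the DDNS and migration features the paragraph lists before blacklisting anything.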

There are also some other approaches. Dagon et al. [42] present a method that examines the query rates of DDNS domains. Abnormally high or temporally concentrated rates are suspected, because attackers change C2 servers very often [44]. Both the Mahalanobis distance and Chebyshev's inequality are used to quantify how anomalous the rate is [44]. Schonewille et al. [43] found that when C2 servers had been removed, DDNS queries often returned an error response. Hosts that repeatedly made such queries might be infected and are therefore suspected [43]. In [44], the authors evaluated the above two methods through real-world experiments. They argued that Dagon's approach was less effective, as it misclassified some C2 domains with short TTL, while Schonewille's method was comparatively effective because the suspected names come from independent individuals [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It can automatically detect botnets of any structure. RB-Seeker first collects information about the redirection activities of bots (e.g., temporal and spatial features) from two subsystems. Then it uses statistical methodology and a DNS query probing technique to distinguish malicious from legitimate domains. Experimental results show that RB-Seeker is an effective tool for detecting both "aggressive" and "cautious" botnets.

5. Strong cryptography

5.1 Tamper-proof command and update system

A vital aspect of botnet administration is the authenticity and integrity of commands. A bot should only accept commands issued by the botmaster. In current botnets, botmasters commonly use only a very weak form of authentication, e.g., a simple password scheme before sending the corresponding command. Even if botnets use stronger authentication schemes, these can usually be broken; e.g., the Storm Worm uses a 64-bit RSA implementation that can be defeated. In centralized IRC botnets, this lack of authenticity could be overcome, for example, by patching the IRC server used for control distribution so that only the botmaster can send messages to the designated channel. However, in a decentralized network of equal peers, the botmaster must ensure that no hostile parties, such as defenders or other groups of bots, can poison the botnet by injecting malicious commands.

Asymmetric cryptography offers a simple but effective way to do this: before releasing a bot into the wild, the botmaster creates a public/private cryptographic key pair, of which the public key is embedded in the bot binary. Doing so allows the botmaster to sign any command or script with the private key. All peers in the botnet are able to verify commands using the embedded public key, but given a reasonable key length (e.g., 2048-bit RSA), no defender can manage to forge the signature.
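Why the key length matters is easy to show concretely. The following is an added example, not code from the page, from Storm, or from any real bot: a toy RSA signature scheme with a deliberately 64-bit modulus (as the text attributes to Storm). A signed message verifies against the embedded public key, then the modulus is factored with Pollard's rho in well under a second, the private exponent is rebuilt from the factors, and an arbitrary message can be signed. This is what lets an analyst who has only the public key out of a captured binary take over the command channel at 64 bits; the same loop on a 2048-bit modulus would never finish. The hashing (SHA-256 reduced modulo n, with no padding scheme) and the sample message are simplifications of this example.

```python
import hashlib
import math
import random

# Added example: toy RSA signing with a tiny modulus, then key recovery by
# factoring. No padding scheme is used; this is for illustration only.


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(modulus_bits=64, e=65537):
    """Return ((n, e), d): the public key and the private exponent."""
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)


def digest(command, n):
    """SHA-256 of the command, reduced below the modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(command).digest(), "big") % n


def sign(command, d, n):
    return pow(digest(command, n), d, n)


def verify(command, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(command, n)


def pollard_rho(n):
    """Non-trivial factor of composite n (Pollard's rho with Floyd's cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means the walk cycled without a factor; retry
            return d


def recover_private_key(public_key):
    """Factor n and rebuild d: feasible at 64 bits, hopeless at 2048."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(64)
    cmd = b"example command"  # constructed message
    sig = sign(cmd, priv, pub[0])
    print("genuine signature verifies:", verify(cmd, sig, pub))
    recovered = recover_private_key(pub)
    print("private exponent recovered from public key:", recovered == priv)
    forged = sign(b"another command", recovered, pub[0])
    print("forged signature verifies:", verify(b"another command", forged, pub))
```

Pollard's rho needs on the order of the square root of the smaller prime factor steps, about 2^16 for 32-bit factors, which is why a 64-bit modulus falls in milliseconds; at 2048 bits the factors are 1024 bits each and the same method is out of reach, which is the gap the paragraph's "reasonable key length" refers to.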

5.2 Renting a botnet

With the help of asymmetric cryptography, a botmaster can assume the role of a trusted certification authority, which provides an efficient solution for renting the botnet to others, in part or in whole, for a variable amount of time, and for protecting against certain malicious purposes of tenants. It is advisable to maintain a blacklist containing all invalidated public keys. This blacklist is stored on each bot's computer, and only the botmaster can add or remove public keys, using its private key to sign the order. Thus, all certificates belonging to an attacker may be revoked.

However, this blacklist is of little use against attacks that need only a short time to succeed. For example, a malicious tenant could buy a botnet certificate to distribute spam and abuse it by asking every bot to send an e-mail to a specific address, revealing its IP address or other sensitive data. Indeed, an attacker could conveniently obtain valuable information about the size of a botnet, as well as its overall structure. Therefore, renting a botnet should be considered an option to be used cautiously by a botmaster.

6. PREVENTIVE MEASURES

Conventional worms released from a single host need only a couple of hours to spread around the world. If worms are launched from multiple hosts at the same time using a botnet, they are capable of infecting most vulnerable computers worldwide within minutes [7]. Some botnets have been discussed in previous sections. However, there are still many that are unknown to us. How to minimize the risk caused by botnets in the future is the issue we discuss in this section.

6.1 Countermeasures for botnet attacks

Unfortunately, there are few solutions against a denial-of-service attack from a botnet to date [3]. Although it is difficult to find patterns of malicious hosts, network administrators can identify botnet attacks based on the passive operating-system identification implemented in the latest firewall equipment [3]. The botnet life cycle tells us that bots often use free DNS hosting services to redirect a subdomain to an inaccessible IP address. Therefore, eliminating these services can take down a botnet [3]. Today, many security companies focus on offerings to stop botnets [3]. Some of them protect consumers, while most others are designed for ISPs or enterprises [3]. Consumer products try to identify bot behavior with anti-virus software. The enterprise products offer nothing better than null-routing DNS entries and shutting down IRC and other servers after a major botnet attack is identified [3].

6.2 Public Countermeasures

Personal or corporate security inevitably depends on one's communication partners [7], so building a good relationship with them is essential. First, one should ask the service provider for security packages such as firewalls, antivirus, intrusion detection kits and so on [7]. Once something goes wrong, there must be a contact number to call [7]. Second, one must also pay close attention to network traffic and report to the ISP when hit by a DDoS attack; the ISP can help block the malicious IP addresses [7]. Third, it is better to establish accountability in the system together with law enforcement authorities [7]. More specifically, researchers and industry have proposed strategies for both home users and system administrators to prevent, detect and respond to botnet attacks [16, 18]. Here we summarize their suggestions.

6.2.1 Home users

TABLE II: PREVENTION RULES FOR HOME USERS [18]

Type                 | Strategies
---------------------|---------------------------------------
Personal habits      | Be careful about what you download
                     | Avoid installing unnecessary software
                     | Read carefully before you click
Routine              | Use anti-virus/anti-trojan utilities
                     | Update the system frequently
                     | Shut down the PC when you leave
Optional operations  | Back up the system regularly
                     | Keep all software up to date
                     | Deploy a personal firewall

6.2.2 System Administrator

Similarly, there are matching rules for the system administrator to prevent, detect and respond to botnet attacks [16, 18]. As prevention methods, the administrator must follow the vendors' guidelines for updating the system and applications [18], keep informed about the latest vulnerabilities, and use access control and log files to ensure accountability for each account [18]. The rules in Table III help the system administrator minimize the possibility of botnet attacks.

TABLE III: DETECTION RULES FOR SYSTEM ADMINISTRATORS [18]

Rules                          | Notes
-------------------------------|------------------------------------------
Track logs regularly           | Analyze Internet traffic for anomalies
Use a network packet sniffer   | Identify malicious traffic on the intranet
Isolate the malicious subnet   | Verify IRC activity on the hosts
Scan individual machines       | They may contain malware

Once an attack is detected, the system administrator must isolate the compromised hosts and warn their users [16]. Then preserve the data on the infected hosts, including log files [16]. In addition, identify the number of victims with sniffer tools [16]. Finally, report the infection to a security adviser [16].
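The detection rules of Table III and the response steps above can be made concrete. The following Python script is an added example, not code from the paper or its references: it inspects constructed packet captures for IRC protocol messages regardless of destination port, since bots frequently run IRC command and control on non-standard ports (and a port-6667 connection is not proof of IRC), and then builds the response plan of the paragraph above: the hosts to isolate, the servers to block, a victim count and the evidence lines to preserve for each host. The IRC verbs and the three-digit numeric reply format follow RFC 1459; the IP addresses, ports, nicknames, channel name and the `.ddos.syn` bot command in the sample are made up for the illustration.

```python
"""Sniffer-side IRC C&C detection and incident plan (added example, not from the paper).

Each captured segment is (src_ip, src_port, dst_ip, dst_port, payload).
Detection keys on the protocol, not the port: an IRC session is a pair of
internal host and external peer with several lines that parse as IRC messages.
"""
import re
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."   # assumed: the monitored intranet
MIN_IRC_LINES = 2             # assumed: one stray match is not a session

# RFC 1459 message: optional ":prefix ", then a command verb or 3-digit numeric reply.
IRC_LINE = re.compile(
    rb"^(?::\S+ )?(NICK|USER|JOIN|PART|PRIVMSG|NOTICE|MODE|PING|PONG|TOPIC|\d{3})(?: |$)"
)
JOIN_LINE = re.compile(r"(?::\S+ )?JOIN (\S+)")

# Constructed captures; addresses are documentation ranges, commands are invented.
SAMPLE_FLOWS = [
    ("10.0.0.21", 49152, "203.0.113.5", 8080, b"NICK [USA|XP|3391]\r\nUSER xp 0 0 :xp\r\n"),
    ("10.0.0.21", 49152, "203.0.113.5", 8080, b"JOIN #cc pass123\r\n"),
    ("203.0.113.5", 8080, "10.0.0.21", 49152, b":cc.example 001 [USA|XP|3391] :Welcome\r\n"),
    ("203.0.113.5", 8080, "10.0.0.21", 49152,
     b":op!op@cc.example PRIVMSG #cc :.ddos.syn 198.51.100.9 80 600\r\n"),
    ("10.0.0.22", 50001, "203.0.113.5", 8080,
     b"NICK [DEU|2K|0042]\r\nUSER w2k 0 0 :w2k\r\nJOIN #cc pass123\r\n"),
    # TLS client hello on 443: binary, never matches.
    ("10.0.0.23", 50002, "198.51.100.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),
    # Plain HTTP on the classic IRC port: the port alone would have been a false positive.
    ("10.0.0.24", 50003, "192.0.2.7", 6667, b"GET / HTTP/1.1\r\nHost: 192.0.2.7\r\n\r\n"),
]


def irc_lines(payload):
    """Return the CRLF-separated lines of a TCP payload that parse as IRC messages."""
    return [ln for ln in payload.split(b"\r\n") if ln and IRC_LINE.match(ln)]


def find_irc_sessions(flows, internal_prefix=INTERNAL_PREFIX, min_lines=MIN_IRC_LINES):
    """Map (internal host, external peer, peer port) -> decoded IRC lines in either direction."""
    sessions = defaultdict(list)
    for src, sport, dst, dport, payload in flows:
        if src.startswith(internal_prefix):
            host, peer, pport = src, dst, dport
        else:
            host, peer, pport = dst, src, sport
        for ln in irc_lines(payload):
            sessions[(host, peer, pport)].append(ln.decode("latin-1"))
    return {k: v for k, v in sessions.items() if len(v) >= min_lines}


def incident_report(flows):
    """Turn detected sessions into the response plan: isolate, block, count, preserve."""
    hosts = defaultdict(lambda: {"servers": set(), "channels": set(), "evidence": []})
    for (host, peer, port), lines in find_irc_sessions(flows).items():
        rec = hosts[host]
        rec["servers"].add(f"{peer}:{port}")
        rec["evidence"].extend(lines)          # keep verbatim for the security adviser
        for ln in lines:
            m = JOIN_LINE.match(ln)
            if m:
                rec["channels"].add(m.group(1))
    return {
        "victims": len(hosts),
        "isolate": sorted(hosts),
        "block_servers": sorted({s for r in hosts.values() for s in r["servers"]}),
        "hosts": {h: {"servers": sorted(r["servers"]), "channels": sorted(r["channels"]),
                      "evidence": list(r["evidence"])} for h, r in hosts.items()},
    }


if __name__ == "__main__":
    report = incident_report(SAMPLE_FLOWS)
    print(f"{report['victims']} compromised host(s); isolate: {report['isolate']}")
    print(f"block C&C servers: {report['block_servers']}")
    for host, rec in report["hosts"].items():
        print(f"{host}: channels {rec['channels']}, {len(rec['evidence'])} evidence lines")
```

Two hosts join the same channel on the same server and are isolated together, which is the "group activity" signal a single-host anti-virus scan cannot see; the TLS and HTTP flows are left alone even though one of them uses port 6667. The evidence lines are kept exactly as captured so that the later report to the security adviser rests on the original data rather than on a summary.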

7. CONCLUSIONS AND FUTURE CHALLENGES

To better understand botnets and ultimately stop their attacks, we have offered a survey of current botnet research. The discussion covered botnet formation and exploitation and two typical topologies.

According to the discussion in Section 2, we have several observations about the different topologies. For IRC-based botnets the thorny problem is that we cannot obtain the source code of most bots; therefore a thorough analysis of bot behaviour at the network and system level can hardly be carried out. For P2P-based botnets there are practical problems, from the botmaster's point of view, that should be taken into account: (1) keeping the remaining bots after some have been taken over by defenders, (2) hiding the botnet topology when some bots are captured by defenders, (3) managing the botnet more easily, (4) changing traffic patterns more frequently to make detection harder.

As we can see, detecting and monitoring compromised hosts in a botnet will remain a difficult task. Traffic fingerprinting is useful for identifying botnets, but, like the signature-based techniques discussed in Section 3, its disadvantages are obvious: we would need an up-to-date knowledge base of all bots in the world, which seems mission impossible. Anomaly detection is another possible approach, but when infected hosts do not behave unusually, it may fail to detect a potential threat. Since current detection technology depends on an attack having occurred, there is no guarantee that we can find all compromised hosts. An interesting question about anomaly detection is time efficiency: if an attack occurs and we catch the anomaly and fix the relevant problems before the hosts are used for malicious purposes, we call this time-efficient anomaly detection. Future work needs to focus on time efficiency.

In this context, wireless networks, especially ad hoc networks, have not yet seen research activity on either the attack or the defense side. There are many open questions: (1) how to find the shortest route to attack targets, (2) how to prevent compromised hosts from being detected in a wireless network, (3) how bots spread in a wireless network, especially before some compromised hosts go offline.

There are also other interesting open issues. To the best of our knowledge, we cannot yet prevent DDoS attacks from botnets. Even once an attack has been discovered, no effective way to trace and counter it has been found; instead, one simply shuts down the endangered hosts or disconnects the network and waits for further measures such as virus scanning or reinstalling the OS. In fact, what we really need is to keep the number of bots down in the first place. Perhaps the only effective way to eliminate botnets would be to deploy new protocols in routers worldwide, which is a huge project and beyond reality. So why not consider installing a local gateway? If the gateway could block the communication of bots across multiple domains, the attacker would find it hard to manage compromised hosts worldwide. Meanwhile, the gateway could tell us where the malicious commands came from, and with abundant network evidence it might be possible to trace the initial attacker. However, this idea is very difficult to implement for the following reasons: (1) it is difficult to distinguish malicious packets in the traffic flow, (2) cooperation between domains is not easy, and one must consider the situation in which some gateways are themselves compromised, (3) how to recognize a possible attack and what should be watched for further analysis still need to be studied.

REFERENCES

[1] K. Ono, I. Kawaishi, and T. Kamon, "Evolution of botnet activities," in 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, Canada, October 2007, pp. 243-249.

[2] Wikipedia, "Internet bot" [Online]. Available: http://en.wikipedia.org/wiki/Internet_bot.

[3] Wikipedia, "Botnet" [Online]. Available: http://en.wikipedia.org/wiki/Botnet.

[4] B. Thuraisingham, "Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic," in IEEE International Conference on Intelligence and Security Informatics (ISI 2008), Taipei, Taiwan, June 2008, pp. xxix-xxx.

[5] C. Mazzariello, "IRC traffic analysis for botnet detection," in 4th International Conference on Information Assurance and Security, Naples, Italy, September 2008, pp. 318-323.

[6] B. McCarty, "Botnets: Big and bigger," IEEE Security & Privacy, vol. 1, no. 4, pp. 87-90, July 2003.

[7] G. P. Schaffer, "Worms and viruses and botnets, oh my!: Rational responses to emerging Internet threats," IEEE Security & Privacy, vol. 4, no. 3, pp. 52-58, May 2006.

[8] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in ICNP '02: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, November 2002, pp. 312-321.

[9] P. Bächer, T. Holz, M. Kötter, and G. Wicherski, "Know your enemy: Tracking botnets" [Online]. Available: http://www.honeynet.org/papers/bots/.

[10] T. Holz, S. Marechal, and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, pp. 72-75, March/April 2006.

[11] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil, October 2006, pp. 41-52.

[12] E. Levy, "The making of a spam zombie army: Dissecting the Sobig worms," IEEE Security & Privacy, vol. 1, no. 4, pp. 58-59, July 2003.

[13] D. Cook, J. Hartnett, K. Manderson, and J. Scanlan, "Catching spam before it arrives: Domain specific dynamic blacklists," in Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Hobart, Australia, January 2006, pp. 193-202.

[14] J. Jung and E. Sit, "An empirical study of spam traffic and the use of DNS black lists," in IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Italy, October 2004, pp. 370-375.

[15] A. Ramachandran, N. Feamster, and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Volume 2, San Jose, USA, 2006, pp. 8-8.

[16] J. Govil, "Examining the criminology of bot zoo," in 6th International Conference on Information, Communications and Signal Processing, Singapore, December 2007, pp. 1-6.

[17] P. Barford and V. Yegneswaran, "An inside look at botnets," in Advances in Information Security, Springer, 2006.

[18] R. Puri, "Bots and botnets: An overview," technical report, SANS Institute, 2003.

[19] W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, "Detecting botnets with tight command and control," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 195-202.

[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, "A proposal of metrics for botnet detection based on its cooperative behavior," in Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington DC, USA, January 2007, pp. 82-82.

[21] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), San Jose, USA, 2006, pp. 7-7.

[22] E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), Cambridge, USA, 2005, pp. 6-6.

[23] C. Livadas, R. Walsh, D. Lapsley, and W. T. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, November 2006, pp. 967-974.

[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm," in Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, USA, April 2008, pp. 1-9.

[25] P. Wang, S. Sparks, and C. C. Zou, "An advanced hybrid peer-to-peer botnet," in Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, April 2007, pp. 2-2.

[26] R. Lemos, "Bot software looks to improve peerage" [Online]. Available: http://www.securityfocus.com/news/11390.

[27] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy, vol. 1, no. 1, pp. 82-87, January 2003.

[28] J. Stewart, "Sinit P2P Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/sinit/.

[29] J. Stewart, "Phatbot Trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/phatbot.

[30] F. C. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," Lecture Notes in Computer Science, vol. 3679, Springer-Verlag, Germany, 2005, pp. 319-335.

[31] K. Chiang and L. Lloyd, "A case study of the Rustock rootkit and spam bot," in Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 10-10.

[32] A. Brodsky and D. Brodsky, "A distributed content independent method for spam detection," in Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, USA, 2007, pp. 3-3.

[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, "Spamming botnets: Signatures and characteristics," in Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, Seattle, USA, August 2008, pp. 171-182.

[34] C. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," in 2006 International Conference on Dependable Systems and Networks, Philadelphia, USA, June 2006, pp. 199-208.

[35] J. Corey, "Advanced honey pot identification and exploitation" [Online]. Available: http://www.phrack.org/fakes/p63/p63-0x09.txt, 2004.

[36] K. Seifried, "Honeypotting with VMware basics" [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.

[37] Honeyd Security Advisory 2004-001, "Remote detection via simple probe packet" [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.

[38] J. Bethencourt, J. Franklin, and M. Vernon, "Mapping Internet sensors with probe response attacks," in Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, August 2005, pp. 193-208.

[39] N. Krawetz, "Anti-honeypot technology," IEEE Security & Privacy, vol. 2, no. 1, pp. 76-79, January 2004.

[40] S. Racine, "Analysis of Internet Relay Chat usage by DDoS zombies," MA thesis, Swiss Federal Institute of Technology Zurich, April 2004.

[41] H. Choi, H. Lee, H. Lee, and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Washington DC, USA, October 2007, pp. 715-720.

[42] D. Dagon, "Botnet detection and response: The network is the infection" [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf, 2005.

[43] A. Schonewille and D. J. van Helmond, "The Domain Name Service as an IDS," Master's project, University of Amsterdam, Netherlands, February 2006. Available: http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf.

[44] R. Villamarín-Salomón and J. C. Brustoloni, "Identifying botnets using anomaly detection techniques applied to DNS traffic," in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, Las Vegas, USA, January 2008, pp. 476-481.

[45] Y. Kugisaki, Y. Kasahara, Y. Hori, and K. Sakurai, "Bot detection based on traffic analysis," in Proceedings of the 2007 International Conference on Intelligent Pervasive Computing, Washington DC, USA, October 2007, pp. 303-306.

[46] C. Langin, H. Zhou, and S. Rahimi, "A model to use denied Internet traffic to indirectly discover internal network security problems," draft submitted to WIDA08.

[47] K. Pappas, "Back to basics to fight botnets," Communications News, vol. 45, no. 5, p. 12, May 2008.

[48] X. Hu, M. Knysz, and K. G. Shin, "RB-Seeker: Auto-detection of redirection botnets," in Proceedings of the 16th Annual Network & Distributed System Security Symposium (NDSS '09), February 2009.

[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu, and J. Cangussu, "Email shape analysis for spam botnet detection," in Consumer Communications and Networking Conference (CCNC 2009), January 2009, pp. 1-2.

About the Authors

1. G. Satyavathy, Lecturer, Department of Computer Science, Sri Ramakrishna College Of Arts and Science For Women, Coimbatore-641 044.
2. Dr. M. Punithavalli, Director and Head, Department of Computer Science, Sri Ramakrishna College Of Arts and Science For Women, Coimbatore-641 044.
