International Conference on Research Advances in Integrated Navigation Systems (RAINS - 2016),
April 06-07, 2016, R. L. Jalappa Institute of Technology, Doddaballapur, Bangalore, India
Analysis on Botnet Detection Techniques
Asha S, M.Tech Student, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, asha.kulathinkara@gmail.com
Harsha T, M.Tech Student, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, harshat91@gmail.com
Soniya B, Associate Professor, Department of Computer Science and Engineering, SCT College of Engineering, Trivandrum, India, soniya.balram@gmail.com
Abstract. Botnet detection plays an important role in network security. Botnets are collections of compromised computers called bots. For detecting the presence of bots in a network, many detection techniques are available. Network based detection is one of the efficient methods for detecting bots. This paper reviews four different botnet detection techniques and compares all of them.

Keywords: bots; botnet; C&C server; DNS; IRC server

I. INTRODUCTION

The Internet has frequently been threatened by various types of attacks such as viruses, worms etc. These attacks have a negative impact on the network, resulting in network congestion, wastage of network bandwidth as well as corruption of users' computers and data. In addition, some of these attacks are used to take control of Internet hosts and then use these hosts to launch denial-of-service (DoS) attacks against other entities [1]. If an attacker can gain access to network hosts, this can lead to enormous damage to the network, such as disrupting e-commerce sites, news outlets, network infrastructure, routers and root name servers.

In modern life, malware, that is malicious software, has occupied an important position. From the earliest use of programmable systems, techniques to infect those systems with software containing malicious code have existed, but in the past the malware often had only a limited or local impact [2]. The success of the network has become a starting point for malicious infections which affect several million systems around the world. Thus, remotely controlled networks of hijacked computers, so-called botnets, became popular. Botnets are collections of compromised, remotely controlled computer systems. The main purposes of a botnet include the distribution of email spam, DDoS (distributed DoS) attacks, distribution of malicious software etc.

Botnet is a combination of the two words 'robot' and 'network'. Bots are vulnerable machines which get infected by running malicious code or bot binaries. Once a machine is infected, the bot tries to locate and connect to the C&C server. The C&C server is the command and control server which provides a channel for communication between the bots and their master. Bots are controlled by a master known as the botmaster or botherder. The main aim of a botnet is to perform malicious activities on behalf of its server for making profit, since bots are inexpensive and easy to propagate. The communication architecture of a botnet is the key aspect of the botnet. Bots communicate over a legitimate channel [3].

To identify the presence of a botnet and to overcome its negative impact on the network, many detection techniques are available [4], [5], [6]. Network based botnet detection is one of the effective detection techniques. The other detection techniques covered by this review are the signature-based technique, the anomaly-based technique and the host-based technique.

II. LIFE CYCLE OF BOTNET

The bot life cycle passes through five different stages. In order for a vulnerable machine to become an active bot and to be a part of a botnet, the machine goes through a cycle of phases.

The first phase is called the initial infection phase. Here the machine is infected and becomes a potential bot. A machine gets infected by unwanted downloading of malware from a website, by using an infected removable disk etc.

The second phase is the secondary injection phase. Here the infected host runs a program that searches for bot binaries in the network database. Once the machine downloads and executes the file, the machine will start to behave like a real bot.

The third phase is the connection or rallying phase, where the bot tries to locate and connect to the command and control server. Once it is connected it can receive and respond to the commands from the botmaster. This phase occurs several times in the bot life cycle. Bots become vulnerable during this phase.

The fourth phase is the malicious phase, where the bot tries to perform a series of malicious activities based on the commands from its botmaster. The bot can perform several disruptive attacks such as email spamming, distributed denial of service attacks, distributing malicious software etc.

The final phase is the maintenance and upgrading phase. The botmaster tries to keep its bots under its control as long as possible. Maintenance is required in order to keep the botmaster and its army of bots up to date for further coordinated activities. In this phase the bots update their behaviour and perform new malicious activities based on the information received from the botmaster.
III. EXISTING TAXONOMIES OF BOTNET

In order to detect and understand how botnets work, several studies have been conducted in this area [6]. In earlier times, setting up and installing honeypots on the Internet helped to capture malware as well as to understand the basic behaviour of botnets. Botnet technology and its characteristics can be understood with the help of honeypots, but honeypots do not necessarily detect bot infections [7], [8]. Botnet detection techniques based on passive network monitoring and analysis are useful; these techniques can be further classified into signature-based techniques, anomaly-based techniques, DNS-based techniques and mining-based techniques.

Signature-based detection techniques are used for detecting known forms of bots, but they are not useful for detecting unknown bots [9]. Anomaly-based detection techniques [10] try to detect botnets based on different network traffic anomalies, such as a high volume of network traffic, high network latency, traffic on unusual ports and unusual system behaviour, which indicate the presence of bots in the network. Several anomaly-based detection techniques exist [10]. DNS detection techniques use the DNS information of the botnet [11]. Bots execute DNS queries for locating their command and control server. In this way, bots can be detected by using DNS traffic.

Several data mining techniques like machine learning, classification, clustering etc. can be used to detect botnets efficiently. In [9], Goebel and Holz proposed Rishi, mainly based on passive monitoring of the network traffic. In [12], Strayer et al. showed that, using passive traffic analysis, it is possible to extract evidence of botnet command and control activities from the network flow. In [13], Livadas et al. suggested a machine learning based approach for detecting botnets using some general network traffic features of chat-like protocols.
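The DNS-based idea above (bots of one botnet resolving their C&C name at roughly the same time, as in the group-activity approach of [11]) can be turned into a small detector over DNS query logs. The block below is an added example, not code from the paper or from [11]: the log format, the sample lines, the window size and the host threshold are all constructed for the illustration.

```python
"""Group-activity heuristic over DNS query logs (added example, not from the paper).

Assumption: bots in one botnet resolve the same C&C name at nearly the same
time, so a name queried by many distinct hosts inside a short window is a
candidate for analyst review. Log format and thresholds are constructed.
"""
from collections import defaultdict

# Constructed sample log lines: "<epoch-seconds> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
1000 10.0.0.11 cdn.example.net
1001 10.0.0.12 mail.example.org
1002 10.0.0.11 rally.example.test
1002 10.0.0.13 rally.example.test
1003 10.0.0.14 rally.example.test
1003 10.0.0.15 rally.example.test
1004 10.0.0.12 cdn.example.net
1040 10.0.0.16 rally.example.test
1061 10.0.0.11 rally.example.test
1061 10.0.0.13 rally.example.test
1062 10.0.0.14 rally.example.test
1062 10.0.0.15 rally.example.test
"""


def parse_dns_log(text):
    """Return a list of (timestamp, client, name); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, name = parts
        try:
            records.append((int(ts), client, name.lower().rstrip(".")))
        except ValueError:
            continue
    return records


def group_activity(records, window=10, min_hosts=3):
    """Bucket queries per name into fixed-size windows and report the names
    whose distinct-client count reaches min_hosts in at least one window.
    Returns {name: [(window_start, distinct_hosts), ...]}."""
    buckets = defaultdict(set)  # (name, window_start) -> set of client IPs
    for ts, client, name in records:
        buckets[(name, ts - ts % window)].add(client)
    hits = defaultdict(list)
    for (name, start), clients in sorted(buckets.items()):
        if len(clients) >= min_hosts:
            hits[name].append((start, len(clients)))
    return dict(hits)


def suspicious_names(text, window=10, min_hosts=3):
    """Names showing group activity in the given log text, sorted."""
    return sorted(group_activity(parse_dns_log(text), window, min_hosts))


if __name__ == "__main__":
    for name, windows in group_activity(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(name, windows)
```

On the constructed log, cdn.example.net is queried by two clients and is ignored, while rally.example.test is queried by four distinct hosts inside two separate ten-second windows and is reported; in practice the window and threshold would be tuned against the site's normal DNS traffic to keep legitimate popular names (update servers, CDNs) below the bar.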
IV. REVIEW OF BOTNET DETECTION TECHNIQUES

Botnet attacks are carried out in a group for cyber crimes; they are extremely dangerous and can crash any network, server, organization, or the Internet as a whole [14]. C&C traffic appears as legitimate traffic in a traditional botnet. Therefore hard work has to be done to save network organizations from data and economic losses by designing algorithms and techniques which can detect a botnet as it is formed [15].

Data mining techniques are used to extract, analyze, recognize and discover the normal patterns and abnormalities in huge volumes of data. For this, correlation, classification, clustering etc. can be used [15]. The Honeynet project took the first step in this regard in the recognition of botnet characteristics, and after that many used honeynets in different forms to detect and learn the behaviour of botnets [8], [16]. The other botnet detection techniques, namely signature-based, anomaly-based, host-based and network-based techniques, are discussed below.

To identify bot infected host machines the Rishi [9] approach is used. It is a signature based technique. It applies signatures of current bots in an IDS detection system. A signature is a pattern that is seen inside a packet, and it may be seen in different parts of it. Using the signature database, the necessary detection task is performed by comparing every byte in the packet. For each IRC connection a connection object is created, which stores certain information in addition to an identifier. This identifier consists of the source IP address, the destination IP address and the destination port. Using this identifier it is possible to update an already existing object with new parameters. Rishi listens for the connection of infected machines to the IRC server hosting the botnet. Then it captures the TCP packets containing the IRC commands [15]. From the captured packets certain information is extracted and then analyzed. The analysis focuses on the extracted nickname. The analysis function implements a scoring [15]. When the analysis is finished, the connection object contains the final number of points for the nickname and other related information. The higher the score a nickname receives, the greater the chance that it belongs to a bot infected machine trying to contact its C&C server. The main advantage of Rishi is that it can detect well known bots. Its disadvantage is that it does not work for unknown bots, and an effort is also needed to update the knowledge base with new signatures.
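The Rishi-style flow just described (a connection object per source IP, destination IP and destination port, a nickname extracted from the IRC stream, and a point score for that nickname) is demonstrated below. This is an added example, not Rishi's code: the scoring rules, the threshold and the IRC records are constructed for the illustration, and the real Rishi rule set is not reproduced.

```python
"""Signature-style scoring of IRC nicknames in the spirit of Rishi [9]
(added example; rules, threshold and sample data are constructed, not Rishi's).

One Connection object per (src IP, dst IP, dst port) keeps the nickname seen
on that connection and a point score; a higher score means the nickname looks
more like an automatically generated bot nickname.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records: "<src-ip> <dst-ip> <dst-port> <IRC line>"
SAMPLE_IRC_LOG = """\
10.0.0.5 192.0.2.10 6667 NICK alice_
10.0.0.5 192.0.2.10 6667 USER alice 0 * :Alice
10.0.0.7 192.0.2.10 6667 NICK [DE|XP]-8831472
10.0.0.7 192.0.2.10 6667 JOIN #chan
10.0.0.8 192.0.2.10 6667 NICK USA-00-37281
10.0.0.9 192.0.2.10 6667 NICK bob
"""

# Hypothetical scoring rules (pattern, points): they capture the kind of
# mechanical regularity generated nicknames tend to show.
SCORE_RULES = [
    (re.compile(r"\d{5,}"), 3),             # long run of digits
    (re.compile(r"^\[[A-Za-z|]+\]"), 3),    # leading bracketed tag like [DE|XP]
    (re.compile(r"^[A-Z]{2,3}-"), 2),       # country/OS style prefix
    (re.compile(r"[-_|]\d+$"), 1),          # separator followed by trailing digits
]

NICK_RE = re.compile(r"^NICK\s+:?(\S+)")


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    nickname: str = ""
    score: int = 0
    matched: list = field(default_factory=list)


def score_nickname(nick):
    """Sum the points of every rule the nickname matches; return (score, rules)."""
    total, matched = 0, []
    for pattern, points in SCORE_RULES:
        if pattern.search(nick):
            total += points
            matched.append(pattern.pattern)
    return total, matched


def analyse_irc_log(text):
    """Create or update the connection object for each record and score the
    nickname announced on it. Returns {(src, dst, dport): Connection}."""
    conns = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        src, dst, dport, payload = parts
        key = (src, dst, int(dport))
        conn = conns.setdefault(key, Connection(src, dst, int(dport)))
        m = NICK_RE.match(payload)
        if m:
            conn.nickname = m.group(1)
            conn.score, conn.matched = score_nickname(conn.nickname)
    return conns


def suspected_bots(text, threshold=4):
    """Source IPs whose nickname score reaches the (constructed) threshold."""
    return sorted(c.src for c in analyse_irc_log(text).values() if c.score >= threshold)


if __name__ == "__main__":
    for key, conn in analyse_irc_log(SAMPLE_IRC_LOG).items():
        print(key, conn.nickname, conn.score, conn.matched)
```

The two human-looking nicknames score 0 while the two generated-looking ones score 7 and 6, so only the latter cross the threshold. The example also shows the limitation the paper notes: a bot whose nickname matches none of the stored patterns scores nothing, which is why the rule set has to be kept up to date.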
The anomaly detection technique [10] makes use of network behaviour to identify bots. Anomalies are unexpected behaviour in the network, as opposed to the normal behaviour. The current network behaviour is compared with its previous behaviour. The new behaviour is either accepted or used to raise events for anomaly detection. The IDS engine helps in specifying the network behaviour. It models the normal or expected behaviour of a system and may detect deviations of interest that may indicate a security breach or an attempted attack. By examining the headers of the packets in the network, bots can be detected. Unknown bots are also detectable using this method.

The host based detection technique looks for signs of bot-like behaviour on a host. Schiller et al. [18] suggested identifying the infected host by monitoring the events and the firewall details to determine the payload and the functions of the bot. They also suggested a method to identify the location of the malware by looking for malicious start-up processes. Barford [19] describes a deep analysis of bot source code taken from infected hosts. A straightforward host based detection technique monitors the outbound packets from a host and compares them with destination based white-lists. The white-lists contain the list of uninfected PCs.

Botnet detection based on network traffic behaviour [3] is a network based detection technique. Here network traffic is analyzed for botnet detection. Traffic behaviour analysis methods can work with encrypted channels. If there are bots in the network, then shutting down the IRC server is the most suitable measure to prevent the botnet. In the network, botnet traffic is examined by splitting it into multiple time windows [20]. Then from each time window a set of attributes is extracted, which is then used to classify the traffic as malicious or non-malicious. Bots show similarities in their traffic, which helps in distinguishing them from normal traffic. The common features established by the bots within a botnet are their uniformity of traffic behaviour, communication behaviour etc. The main idea is that there exists a unique signature for the flow behaviour of a single bot. This signature can be used to detect many bots within the same botnet. This technique can be used in the presence of encryption algorithms and is cheaper than other approaches. It is able to detect bot activity quickly by splitting individual flows into multiple time windows.

BotFinder [17] detects bots without inspecting the packet content. BotFinder compares the statistical features of bot activity with previous results in the network traffic. Multi-faceted models are created for C&C traffic. For this approach high level network information is required. The bots can be detected even when they use an encrypted form of C&C channel for communicating with other bots.
V. RESULTS AND DISCUSSION

Four different botnet detection techniques are discussed in this paper. The comparison of the botnet detection techniques is shown in TABLE 1. The signature based detection method mainly focuses on the signatures of bots, which is useful for known bots only. Anomaly based detection identifies the abnormalities in the network traffic. The abnormal behaviour helps in detecting bots. This method cannot be used when the traffic is encrypted, and most botnets nowadays make use of an encrypted channel for communication. Identification of the host behaviour is the principle behind host based detection.

TABLE 1. COMPARISON OF VARIOUS DETECTION METHODS

| Technique       | Feature                                           | Advantages                                              | Disadvantages                          |
|-----------------|---------------------------------------------------|---------------------------------------------------------|----------------------------------------|
| Signature-based | Detection based on the signature of the bot       | Detects known bots                                      | Cannot detect unknown bots             |
| Anomaly-based   | Identifies the abnormal behaviour of the network  | Analyzes several network traffic irregularities         | Unable to scan encrypted channels      |
| Host-based      | Looks for bot-like behaviour in the host          | Produces a low false positive rate                      | Processing overhead                    |
| Network-based   | Monitors the network flow for bot activity        | Detects bot activity at an early stage; detects unknown bots | Does not inspect the payload of the packet |

The host based method gives more efficient detection than the signature based and anomaly based detection schemes, but has a very high processing overhead. In the network based method, bot activities are identified directly from the network flow. This helps in detecting bots at the primary stage of their development itself. This method overcomes the problem of the signature based method by detecting unknown bots with high accuracy. But this method cannot be used when the payload of the packet is used for malicious activities, since it does not inspect the packet payload.

VI. CONCLUSION

Four different botnet detection techniques for finding malware have been reviewed in this paper. Even though several techniques are available for detecting the presence of bots in the network, the network based technique is commonly used. The network based technique finds both known as well as unknown bots. Detection becomes a challenge when the botnets change their C&C architecture. The main challenge in botnet detection is the difficulty of testing the detection approaches with real world datasets.

References

[1] V. Igure and R. Williams, "Taxonomies of attacks and vulnerabilities in computer systems," IEEE Commun. Surveys Tuts., vol. ?, no. ?, pp. ?–19, 1st Quart. 2008.
[2] A. Cole, M. Mellor and D. Noyes, "Botnets: The rise of the machines," in Proc. of the 6th Annual Security Conference, 2007.
[3] David Zhao, Issa Traore, Bassam Sayed, Wei Lu, Sherif Saad, Ali Ghorbani and Dan Garant, "Botnet detection based on traffic behavior analysis and flow intervals," Elsevier Computers & Security, vol. ?, pp. 2–16, November 2013.
[4] J. Liu, Y. Xiao, K. Ghaboosi, H. Deng, J. Zhang, "Botnet: classification, attacks, detection, tracing, and preventive measures," EURASIP Journal of Wireless Communication Networks, 2009.
[5] D. Dagon, "Botnet Detection and Response - The network is the infection," Cooperative Association for Internet Data Analysis DNS-OARC Workshop, July, vol. 25, 2005.
[6] T. Strayer, D. Lapsley, R. Walsh, C. Livadas, "Botnet Detection: Countering the Largest Security Threat," Springer, Chapter: Botnet Detection Based on Network Behavior, vol. 36, 2008.
[7] P. Bacher, T. Holz, M. Kotter, G. Wicherski, Know Your Enemy: Tracking Botnets (using honeynets to learn more about bots), Technical Report, The Honeynet Project, 2008.
[8] L. Spitzner, "The Honeynet Project: Trapping the Hackers," IEEE Security & Privacy, vol. 1, no. 2, 2003, pp. 15–23.
[9] J. Goebel, T. Holz, Rishi: identify bot contaminated hosts by IRC nickname evaluation, in: Proceedings of the First Workshop on Hot Topics in Understanding Botnets, USENIX Association, Berkeley, CA, USA, p. 8.
[10] Estévez-Tapiador JM, García-Teodoro P, Díaz-Verdejo JE. Anomaly detection methods in wired networks: a survey and taxonomy. Computer Networks 2004;27(16):1569–84.
[11] Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim. Botnet Detection by Monitoring Group Activities in DNS Traffic. Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, pp. 715–720, Oct. 2007.
[12] W. Strayer, R. Walsh, C. Livadas, D. Lapsley, Detecting botnets with tight command and control, in: Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 195–202.
[13] C. Livadas, R. Walsh, D. Lapsley, T. Strayer, "Using machine learning techniques to identify botnet traffic," in Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 967–974, Nov. 2006.
[14] Basil AsSadhan, Jose M. F. Moura, "An efficient method to detect periodic behaviour in botnet traffic by analyzing control plane traffic," in Proc. Elsevier, 2013.
[15] P. Wurzinger, L. Bilge, T. Holz, J. Goebel, C. Kruegel, E. Kirda, Automatically generating models for botnet detection, in: M. Backes, P. Ning (Eds.), Computer Security – ESORICS 2009, Lecture Notes in Computer Science, vol. 5789, Springer, Berlin/Heidelberg, 2009, pp. 232–249.
[16] Y. Kugisaki, Y. Kasahara, Y. Hori, K. Sakurai, Bot detection based on traffic analysis, in: The 2007 International Conference on Intelligent Pervasive Computing, IPC, 2007, pp. 303–306.
[17] Florian Tegeler, Xiaoming Fu, Giovanni Vigna, Christopher Kruegel, BotFinder: Finding bots in network traffic without deep packet inspection, ACM 2012.
[18] Schiller, C., Binkley, J., Evron, G., Willems, C.: Botnets – The killer web app. Syngress, 179–208 (February 2007).
[19] Barford, P., Yegneswaran, V.: An inside look at BotNets. In: Proceedings of Special Workshop on Malware Detection. Advances in Information Security. Springer, Heidelberg (2006).
[20] H. R. Zeidanloo and Azizah Bt Abdul Manaf, "Botnet Detection by Monitoring Similar Communication Patterns," in International Journal of Computer Science and Information Security, Vol. 7, No. 3, pp. 36–45, 2010.