Sunday, February 24, 2019

A Proposal of Metrics for Botnet Detection based on its Cooperative Behavior

The primary contribution of the paper is the proposal of three metrics that can help identify the presence of botnets in a wide area network (WAN). The proposed metrics, namely relationship, response and synchronization, are measured with respect to the traffic over a WAN. It is assumed that the behavior of botnets will repeatedly exhibit these metrics. The authors define relationship as the connection that exists between the bots and bot master of a botnet over one protocol. This metric tries to analyze the structure of a botnet's relationship by analyzing the network traffic.

It is observed that the response time of a legitimate host to commands varies significantly while that of botnets is relatively constant. The response time as a metric can thus help detect botnets. As the bots present in a botnet are programmed to carry out instructions from the bot master on a predetermined basis, it is assumed that their activities will synchronize. An analysis of the network traffic can possibly help identify synchronized activity between hosts, thus detecting botnets.

The metrics are evaluated by analyzing traffic measured in the Asian Internet Interconnection Initiatives (AIII) infrastructure over a period of 24 hours. The analysis validates the proposed metrics, as a dense topology relationship, a small range of response times and synchronization of activities are detected in the presence of a botnet. The authors propose that a combination of all the metrics be used for detecting a botnet. The design of an algorithm to detect botnets based on a combination of the three metrics has been identified as future work.

Summary of IRC Traffic Analysis for Botnet Detection

The paper addresses the problem of detecting botnets by modeling the behavior of botnets.
The main idea of the paper is to analyze network traffic, model the behavior of botnets based on the analysis and use pattern recognition techniques to identify a particular behavior model as belonging to a botnet. The proposed model for detecting botnets analyzes traffic that uses the IRC protocol. A traffic sniffer is used to analyze packets in promiscuous mode. The protocol detector detects traffic using the protocol of interest to the analysis, in this case IRC.

The packets are decoded using the IRC decoder and the behavior models are built. The detection engine detects a botnet based on the behavior model. The features used to build a behavior model include features related to a linguistic analysis of the data that passes through an IRC channel in addition to the amount of activity in the channel. It is observed that the language used by bots has a limited vocabulary and uses many punctuation marks. The language used by humans is observed to have a wider mean and variance with respect to the words used in a sentence. The features used to model the behavior of botnets are listed.

The experiments have been conducted with clean data collected from chat rooms and botnet data collected at the Georgia Institute of Technology. Pattern recognition is performed using support vector machines (SVMs) and J48 decision trees and the results are reported in terms of confusion matrices. Though the botnets are detected using the above methods, the authors report that a further analysis of the data is necessary. Unsupervised testing of the model and expansion of the model for adaptation to other scenarios is proposed as future work.

Summary of The Automatic Discovery, Identification and Measurement of Botnets

The paper proposes a technique for identifying and measuring the botnets used to deliver malicious email such as spam. The implementation and performance of the proposed technique have been presented.
The authors are of the opinion that the existing methods for detecting botnets used to send spam use a significant amount of resources and are often applicable only after a botnet has been operational over a period of time. The authors propose a passive method for identifying botnets by classifying the email content. The headers present in the emails are used to group the mails.

The authors assume that a botnet has a central center for control and that the same program is used by a botnet for creating and sending spam emails. Based on these assumptions the authors propose to classify emails by a passive analysis of the header content present in them. The Plato algorithm is proposed to identify the sender and the program used to send the email. The performance of the Plato algorithm is analyzed based on the following factors: clustering, durability, isolation and conflicts. The analysis is performed on a sample data set containing 2.3 million emails. In the dataset 96% of emails are identified as having a probability of being spam.

The algorithm is observed to successfully identify the features associated with spam email. It helps group the emails based on the characteristics of the sender and the sending program. This grouping of emails can help identify a botnet and thus help establish the membership and size of the botnet. The authors propose that the algorithm can be further used for classifying bulk emails, to understand the relationship between spam and viruses and as a replacement for spam filters using statistical methods.

Summary of Towards Practical Framework for Collecting and Analyzing Network-Centric Attacks

The paper proposes a network-centric framework based on an awareness of risk to help detect attacks from a botnet and prevent these attacks. The authors state that the bots follow certain network traffic patterns and these patterns can be used to identify a bot.
The proposed framework consists of three main components, namely bot detection, bot characteristics and bot risks. The first component, bot detection, is used to detect known and unknown bots that try to penetrate the system. A honeypot-based malware collection system component is used to attract bots to the honeypot and thus help detect bots.

After the bots have been detected the characteristics of the bots are analyzed. The behavior of bots and their characteristics are identified by analyzing known malware, network traffic patterns and detecting the existence of any correlation between various instances of a malware. Several components are used to perform each of the tasks involved in bot characterization. To determine the risks posed by bots, the vulnerabilities present in the existing system are identified. The risk posed by a host with certain characteristics is calculated based on the vulnerabilities associated with the system. Thus the risk factor can be modified on demand.

A combination of the identified characteristics and the associated risks is evaluated when a decision regarding the blocking of traffic is made. The authors present results that demonstrate the ability of the proposed framework to detect different types of bots. The feasibility of the proposed framework has been demonstrated. Enhancing of the correlation system and integration of the risk-aware system with the architecture are proposed as future work.

Summary of Wide-Scale Botnet Detection and Characterization

The paper proposes a methodology based on passive analysis of the traffic flow data to detect and characterize botnets. A scalable algorithm that gives information about controllers of botnets is proposed based on analysis of data from the transport layer. Four steps have been identified in the process of detecting botnet controllers. Suspicious behavior of hosts is identified and the conversations pertaining to these hosts are isolated for further evaluation.
These are identified as suspected bots. Based on the records of suspected bots, the records that likely represent connections with a controller are isolated. These are referred to as candidate controller conversations in the paper.

These candidate controller conversations are further analyzed to identify suspected controllers of botnets. The analysis is based on computing the following: the number of unique suspected bots, the distance between model traffic and the remote server ports, and heuristics that give a score for candidates that are possible bot controllers. The suspected controllers are validated in three possible ways: correlation with other available data sources, coordination with a customer for organisation and validation of domain names associated with services (Karasaridis, Rexroad, & Hoeflin, 2007).

The botnets are classified based on their characteristics using a similarity function. An algorithm is proposed for the same. The authors report the discovery of a large number of botnet controllers on using the proposed system. A false positive rate of less than 2% is reported based on correlation of the detected controllers with other sources. Also the proposed algorithm is reported to successfully identify and malicious bots. The future work is identified as the need to adapt the algorithm for other protocols and analysis of the evolution of botnets.

References

Akiyama, M., Kawamoto, T., Shimamura, M., Yokoyama, T., Kadobayashi, Y., & Yamaguchi, S. (2007). A proposal of metrics for botnet detection based on its cooperative behavior. Proceedings of the 2007 International Symposium on Applications and the Internet Workshops. 82-85.

Castle, I., & Buckley, E. (2008). The automatic discovery, identification and measurement of botnets. Proceedings of Second International Conference on Emerging Security Information, Systems and Technologies. 127-132.

Karasaridis, A., Rexroad, B., & Hoeflin, D. (2007). Wide-scale botnet detection and characterization. Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets. 7-14.

Mazzariello, C. (2008). IRC traffic analysis for botnet detection. Proceedings of Fourth International Conference on Information Assurance and Security. 318-323.

Paxton, N., Ahn, G-J., Chu, B. (2007). Towards practical framework for collecting and analyzing network-centric attacks. Proceedings of IEEE International Conference on Information Reuse and Integration. 73-78.
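
The response and synchronization metrics from the first summary (Akiyama et al., 2007), worked through as an added example that is not code from the paper or from this post. The event tuples are constructed, and the cut-offs, the 5-second bins and the Jaccard overlap are assumptions made here, not values from the paper; the relationship metric is not covered.

```python
from collections import defaultdict
from itertools import combinations
from statistics import mean, pstdev

# Constructed sample: (host, command_time_s, response_time_s) seen on one channel.
EVENTS = [
    ("bot-a", 0.0, 0.50), ("bot-a", 60.0, 60.52), ("bot-a", 120.0, 120.49),
    ("bot-b", 0.0, 0.51), ("bot-b", 60.0, 60.50), ("bot-b", 120.0, 120.53),
    ("bot-c", 0.0, 0.48), ("bot-c", 60.0, 60.51), ("bot-c", 120.0, 120.50),
    ("user-1", 0.0, 4.2), ("user-1", 60.0, 95.0), ("user-1", 120.0, 121.1),
    ("user-2", 0.0, 31.0), ("user-2", 60.0, 62.5), ("user-2", 120.0, 171.0),
]

CV_MAX = 0.10    # assumed cut-off for a "relatively constant" response delay
SYNC_MIN = 0.80  # assumed cut-off for the share of active time bins in common
BIN_S = 5.0      # assumed bin width (seconds) for comparing activity times


def response_cv(events):
    """Coefficient of variation of the command-to-response delay, per host."""
    delays = defaultdict(list)
    for host, cmd_t, resp_t in events:
        delays[host].append(resp_t - cmd_t)
    return {h: pstdev(d) / mean(d) for h, d in delays.items() if len(d) >= 2}


def sync_score(events, a, b):
    """Jaccard overlap of the time bins in which hosts a and b responded."""
    bins = defaultdict(set)
    for host, _, resp_t in events:
        bins[host].add(int(resp_t // BIN_S))
    union = bins[a] | bins[b]
    return len(bins[a] & bins[b]) / len(union) if union else 0.0


def suspected_bots(events):
    """Hosts with a near-constant delay that also act in step with another one."""
    steady = sorted(h for h, cv in response_cv(events).items() if cv <= CV_MAX)
    flagged = set()
    for a, b in combinations(steady, 2):
        if sync_score(events, a, b) >= SYNC_MIN:
            flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    print(suspected_bots(EVENTS))
```

Requiring both conditions follows the authors' suggestion that the metrics be combined: a single steady host, or two hosts that merely overlap in time, is not flagged.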
