A Collaborative Botnets Suppression System Based on Overlay Network

Fuye Han*, Zhen Chen+, HongFeng Xu*, Haopei Wang# and Yong Liang*
*Department of Computer Science and Technologies
+Research Institute of Information Technology (RIIT)
#Department of Automation
Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing, China
Email: [email protected]

Abstract: Botnets are extremely versatile and are used in many network attacks, such as sending huge volumes of spam or launching Distributed Denial-of-Service (DDoS) attacks. Botnets can switch their command and control server automatically, so completely suppressing botnets is a big challenge. In this paper, we present a collaborative botnet suppression system based on an overlay network, which has one control center node and several suppression nodes. The suppression nodes automatically collect network traffic and deploy suppression rules; the control center node gathers all collected data and processes the traffic data with a botnet detection algorithm. Once a botnet is detected, the control center node generates and distributes suppression rules. In order to prevent excessive growth of the rule set, the system automatically identifies and removes invalid rules according to effectiveness feedback.

Keywords: botnet; network security; collaboration; forensics

Biographical notes:

Fuye Han, Beijing, China. Birthdate: July, 1986. Graduated from PLA Information Engineering University, HeNan Province, China, in 2008. Major in Information Engineering. His research interests are network security and distributed systems. He is currently working toward the Master degree at the Department of Computer Science and Technology, Tsinghua University, Beijing, China.

Zhen Chen, ZheJiang Province, China. Birthdate: November, 1976. Graduated from Xidian University, Xi'an, China, in 1998. Major in Communication and Information System. His research interests are next generation computer network architecture. He is currently an assistant professor at the Research Institute of Information Technology, Tsinghua University, Beijing, China.

Haopei Wang, Anhui Province, China. Birthdate: February, 1990. Major in Automation. His research interests are next generation computer network architecture and network security. He is currently working toward the Bachelor degree at the Department of Automation, Tsinghua University, Beijing, China.

Hongfeng Xu, GuangDong Province, China. Birthdate: January, 1987. Graduated from Beihang University, Beijing, China, in 2010. Major in Computer Science. His research interests are next generation computer network architecture. He is currently working toward the Master degree at the Department of Computer Science and Technology, Tsinghua University, Beijing, China.

Yong Liang, AnHui Province, China. Birthdate: July, 1983. Major in Network Engineering (B.E.), graduated from the Department of Computer Science and Technology, PLA University of Science and Technology, Nanjing, China, in 2005. His research interests are next generation computer network architecture and network and information security. He is currently working toward the Master degree at the Department of Computer Science and Technology, Tsinghua University, Beijing, China.
1 Introduction

Sun Tzu said in the Art of War: know yourself and your enemies, and you will never be defeated. First of all, let us know more about botnets.

The term 'botnet' denotes a collection of infected computers connected to the Internet (also known as 'bots'). When a computer has been infected by a Trojan or other malware, it becomes a member of a botnet and receives commands from the manager of this botnet, called the Botmaster. Most Botmasters do not use their own PC to control the botnet, because that would be very unsafe. Instead, they find a public server to relay commands to every bot. This server is called the command and control (C&C) server.

Botnets are extremely versatile and can be used in many attacks, such as sending huge volumes of spam or launching Distributed Denial-of-Service (DDoS) attacks. Especially in China, according to the report of the CECERT/CC, about 47,000 IP addresses were involved as C&C servers controlling Chinese hosts, and 890 million Chinese IP addresses were infected as bots in 2011. More seriously, in the same year, DDoS attacks occurred about 365 times daily, and attacks with less than 1Gb of traffic were not even counted. So we have to design a powerful and effective botnet suppression system.

There are three different types of botnet architecture: centralized, distributed and hybrid. Centralized botnets have one or several C&C servers; each bot receives command messages from the C&C server immediately, and this type was widely used in early botnets because it is fast and consistent. However, as detection technology becomes increasingly accurate, centralized botnets encounter a deadly problem: when the C&C server is detected and suppressed, the whole botnet collapses. The distributed architecture is a better choice for the Botmaster, because it has no C&C server; every node acts as both bot and C&C server. The Peer-to-Peer botnet is a typical distributed botnet. This brings resiliency to the botnet, and can also confuse researchers about the real size of the botnet (Evan Cooke et al. 2005). The hybrid architecture is widely used in advanced botnets and has some good features: for example, the Botmaster can easily monitor the entire botnet and can reorganize the entire botnet for robust connectivity. The hybrid architecture is hard to deploy and implement.

In the area of botnet communication protocols, although there are many protocols that can be used, two are used extensively: the Internet Relay Chat (IRC) protocol and the Hypertext Transfer Protocol (HTTP). IRC is widely used as a botnet protocol because IRC servers are extremely popular; the Botmaster can easily find a public IRC server and use it as the C&C server (Evan Cooke et al. 2005). However, the disadvantage of IRC is also obvious: once the botnet is detected, the IRC server can easily be found and taken down. In addition, the IRC protocol always runs on 6667/TCP and nearby port numbers, for example TCP ports 6660-6669, and, more importantly, firewalls always pay close attention to this port range. A better option for the Botmaster is to use HTTP as the botnet protocol, because the HTTP port is always permitted by most firewalls. A normal web server has huge HTTP traffic, which means that finding illegal traffic in this large volume of data is very difficult. A typical instance of using HTTP for communication is the ZeuS crimeware toolkit, which is a tool for the construction of binaries together with a graphical user interface situated on the C&C server. This allows the botnet to be managed with a low amount of technical skill.

Some botnet detection systems, like BotMiner, BotGrep and BotMagnifier, have proven availability and effectiveness. However, we think that detecting botnets is not enough once the botnets have already broken out. We consider that a better choice is to implement a botnet suppression system, which should have the following features.

1. The system can detect botnets, especially botnets in their silence period and botnets using an encrypted channel, which means the detection algorithm must depend on botnet behaviors and infer the botnet from them.
2. The system not only controls a local network, but can also monitor the overall network to implement collaborative defense and control.
3. The system should have a flexible suppression strategy, and be able both to block the communication channel and to record suspect traffic.
4. The system can adapt to the flexible and short-lived nature of botnets, and clean up its rule set automatically to ensure good performance.

In this paper, we present a collaborative botnet suppression system based on an overlay network, which contains a control center and many suppression nodes. We use overlay technology to connect each suppression node with the control center. The suppression node was originally a Unified Threat Management (UTM) device (Ying Zhang et al. 2010); we develop these devices to make them work together and implement the collaborative botnet suppression system. The control center and the suppression nodes can share resources and exchange information. The suppression nodes filter packets based on a rule set, and collect suspect traffic to send to the control center. The control center processes this traffic data with a botnet detection algorithm, and can also analyze rule effectiveness according to feedback.

The contribution of our work has three major points. Firstly, we implement a botnet suppression system based on an overlay network, which can be deployed easily and is able to protect multiple subnets simultaneously and effectively. Secondly, we design a botnet detection algorithm which depends on network behaviors; the system is able to detect a botnet whether it is in its silence period or uses an encrypted channel. Thirdly, we design a rule set optimization strategy based on rule effectiveness: the control center comprehensively collects feedback to analyze and find invalid rules, which reduces the processing pressure on the suppression nodes.

The rest of this paper is organized as follows: related work is described in Section II; Section III describes the architecture and workflow of the suppression system. We describe the botnet detection algorithm in Section IV. Evaluation of the system is presented in Section V. Finally, we present our conclusions and future work in Section VI.

2 Related Work

Prior work indicates that detecting and suppressing botnets is a key and difficult problem. Many new methods and systems have been implemented for the detection and suppression of botnets. These methods can be categorized into two classes: one is the Honeynet-based method, and the other is based on passive traffic monitoring.

The former, as its name suggests, generally consists of many vulnerable hosts which try to attract botnet infection and collect traffic data for analysis. For example, Paule Baecher et al. present the nepenthes platform (2006). The nepenthes platform is a new kind of honeypot-based system, which is able to collect malware on a large scale. Jianwei Zhuge et al. present HoneyBow (2007), which is based on the nepenthes platform. HoneyBow uses high-interaction honeypots to implement automatic malware collection.

The latter approach uses powerful gateways to monitor the traffic for detecting botnets. These detection methods can be further classified as signature based, abnormal behavior based and log based.

Signature based detection techniques need to understand and analyze a certain botnet deeply, and then figure out its signature. Jan Goebel et al. designed and implemented the Rishi system (2007); the detection technique of the Rishi system is a signature based method. Rishi monitors IRC traffic and extracts certain information, such as timestamp, source IP address, destination IP address and nickname. The Rishi system compares that information and finds out which traffic is botnet traffic. The most important problem of this method is that detection must come after signature generation.

Abnormal network behavior based detection techniques are widely used because they can detect unknown botnets in advance. Abnormal network behavior means special network behavior which occurs rarely in a normal network environment, such as port scanning, DDoS attacks and so on. Guofei Gu et al. designed the BotMiner system (2008), which is based on their prior work, the BotHunter system (Guofei Gu et al. 2007) and BotSniffer (Guofei Gu et al. 2008). The BotMiner system uses two layers to process network traffic. One layer monitors abnormal behavior by processing the activity log, such as port scanning, SPAM, binary downloading and exploitation. The other layer records traffic. Finally, the BotMiner system processes these data comprehensively. Experiments show that the system is able to detect unknown botnets effectively, including IRC-based and HTTP-based botnets.

Log based detection techniques are also an effective alternative. This technique focuses on log information, such as the system log of a client, the DNS query log of a DNS server, and the registration and operation log of a mail server. Yao Zhao et al. designed and implemented the BotGraph system (2009). The BotGraph system is based on log analysis technology, and it collects the account registration log and sending log from the mail server. It has two main detection bases. The first is that if one IP address has many registration behaviors, it must be a bot. The second is that if one mail account logs in from many IP addresses, it must be a SPAM account. Experiments show the BotGraph system has good accuracy and performance. However, this system needs to be loaded into the server, so it is relatively hard to deploy.

In addition, there are also many heuristic works on botnet suppression. Chris Kanich et al. use the purchase pair technique to estimate SPAM revenue and demand (2010). This literature explains to us why SPAM is so rampant: because it brings huge profits. Suppressing botnets is hard to achieve with technical power alone; it also needs the help of law. The BotMagnifier system (Gianluca Stringhini et al. 2011) has a novel technique to support identifying and tracking botnets: they use an initial set of IP addresses that are known to be associated with bots, use these data to train a sample of bots, and then the system finds botnets which are similar to the sample. The GQ system (Christian Kreibich et al. 2011) is a malware execution farm, which can analyze botnets in a safe, iterative and natural environment. More surprisingly, Brett Stone-Gross et al. hijacked a C&C server and then took over a real botnet (2009).

The above mentioned works are excellent and valuable, and many points of our work are inspired by them.

3 System Design and Implementation

The architecture of our system is distributed and consists of one central control node and several suppression nodes, as illustrated in Figure 1.
[Figure 1. The system architecture: four suppression nodes, each with a security module, a recording module and a communication module, connected to the control center, which has a feedback module, a detection module and a communication module.]

The control center module is the brain of this system, and it has three functional modules: the feedback module, the detection module and the communication module. The communication module of the control center is different from that of the suppression nodes: it collects traffic from all suppression nodes and distributes rules to all the suppression nodes. The detection module is used for processing traffic; we develop a botnet detection algorithm based on network behavior, and we will describe this algorithm in Section IV. When a botnet is detected, the detection module generates rules to suppress this botnet, and the rule is based on IP address and communication port. The feedback module monitors the rule set of the system and finds invalid rules in order to remove them. Because botnets are not active all the time, they also have their lifetime (Jianwei Zhuge et al. 2007). The suppression system would otherwise accumulate a superabundance of rules, some of which are in fact invalid; the feedback module resolves this problem. It collects rule effectiveness feedback from all suppression nodes, and uses these feedbacks to find invalid rules.

In Figure 1, we can see our system has a control center, which has three modules. The control center connects with four suppression nodes. The suppression node is based on the UTM system (Ying Zhang et al. 2010), which covers many bases, for example anti-virus, anti-spyware, intrusion prevention, content filtering, application blocking and so on; we call these function modules security modules. As a suppression node, it has two new functional modules, the recording module and the communication module, which are developed based on some high quality open source applications, for example TIFA (Jun Li et al. 2011) and JXTA (Daniel Brookshier et al. 2002). The security module is used to filter and block network traffic; most of its functions are based on a rule set, for example the firewall and the protocol filter. The control center generates and distributes new rules, and the security module executes them. The recording module is used to record traffic and forward it to the control center. It can be configured to record all of the traffic or partial traffic of each session; this module uses the technology of TIFA (Jun Li et al. 2011). TIFA is a system for real-time querying and storage of massive stream data, which is implemented by integrating the Time Machine application and the FastBit database (Jun Li et al. 2011). The communication module makes suppression nodes exchange information and update with each other; its most important function is that it makes the suppression node send traffic to the control center.

[Figure 2. The workflow of botnet suppression system: the control center node and suppression nodes SN 1 to SN 4, each in front of an internal network 1 to 4, connected through the Internet, with steps 1 to 5 numbered on the diagram.]

Figure 2 is the workflow of the botnet suppression system. There are four major steps in the workflow. Step 1 indicates the suppression node sending traffic data to the control center node. This step has a very serious problem: when the suppression node continuously sends data to the control center, it affects the quality of service (QoS) of the entire network. By observing a real network, we found that the traffic load of a real network has a certain regularity, which is shown in Figure 3.

[Figure 3. The traffic load of real network]

Figure 3 shows the traffic load situation of an office network. We can see the traffic load is always heavy from 8:00 until 18:00, and it turns light in the middle of the night. We set our system to send traffic data in the middle of the night, so the QoS will not be impacted. The traffic recording module has two record modes which can be set manually, depending on the network load situation. When the traffic load is light, the recording module can be set to record all the traffic; when the load of the network is heavy, it can be set to record just the first 10-20 KB of each connection. This header should still contain the essential information (Gregor Maier et al. 2008).

Step 2 means the control center is processing data. There are two modules that process data: one module is used for botnet detection and the other is used for filtering out invalid rules. The algorithm of botnet detection will be described in Section IV. The part of filtering out invalid rules is very innovative, and we will explain it together with step 4 below. When the botnet detection module finds a botnet, it generates a suppression rule. In addition, we know that the traffic data must be huge (Chris Kanich et al. 2008), and it is very challenging to process the data in real time. We resolve this problem using our previous work, LARX (Tianyang Li et al. 2010). LARX is a cloud computing platform that can process multiple tasks in parallel. Based on the LARX platform, our system is able to process huge data.

Step 3 is distributing suppression rules. When the control center detects the existence of a botnet, it produces a rule to suppress it. The suppression rule is formatted in JavaScript Object Notation (JSON), as illustrated in Table 1.

TABLE 1. THE FORMAT OF THE RULES

Field Name      Example
TrafficBlocker  1 or 0
Protocol        TCP, UDP or any
SrcAddress      192.168.1.2/192.168.*.* or any
DstAddress      22.11.33.44 or 22.11.33.1-254
SrcPort         80 or any
DstPort         6667 or any
Description     This is a bot

The format of the rules has seven fields. The TrafficBlocker field means whether the rule is used to block and record the matched traffic or only to record it. The Protocol field classifies the traffic into three kinds: TCP, UDP or any. The following four fields specify the details of the packets: the source and destination addresses, and the source and destination ports. The final field is used to annotate the rules; this description helps the administrator read them.

Step 4 is collecting feedback, which is about the effectiveness of rules. According to these feedbacks, we attach a property to every rule of the rule set: its lifetime. If a rule takes effect, the system refreshes its lifetime; on the contrary, if a rule does not take effect, its lifetime decreases. When the lifetime of a rule expires, it is regarded as an invalid rule by the system and removed. The purpose of this approach is to reduce the size of the rule set and make the suppression node achieve good performance. The feedback is a series of messages about suppression rules in action, as illustrated in Table 2.

TABLE 2. A FEEDBACK MESSAGE OF A SUPPRESSION RULE

Field Name   Example
Timestamp    2012-02-01 22:10:12:456
Protocol     TCP or UDP
SrcAddress   192.168.1.2
DstAddress   59.77.172.20
SrcPort      80 or any
DstPort      6667 or any
Description  Description of the rule
LogID        Name of the rule
Type         Firewall/protocol filter
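As an added example (not code from the paper or its authors), the following Python parses a rule in the seven-field JSON format of Table 1, decides what a suppression node does with a packet, and applies the lifetime bookkeeping of step 4 to feedback messages in the shape of Table 2. The wildcard and range semantics for addresses, the initial lifetime value, the packet dictionary layout, and the convention that a rule's name is the LogID reported in feedback are assumptions, since the paper does not specify them; the sample rule and feedback message are constructed.

```python
# Added example (not the paper's code): Table 1 rule parsing and matching, plus
# the step-4 lifetime mechanism driven by Table 2 feedback messages.
# Field names follow the tables; wildcard/range semantics, INITIAL_LIFETIME
# and the "rule name == LogID" convention are assumptions.
import json
from dataclasses import dataclass

FIELDS = ("TrafficBlocker", "Protocol", "SrcAddress", "DstAddress",
          "SrcPort", "DstPort", "Description")
INITIAL_LIFETIME = 3   # assumed: feedback rounds a rule survives without a reported hit


def addr_match(pattern: str, addr: str) -> bool:
    """'any', an exact address, an octet wildcard (192.168.*.*) or an octet range (22.11.33.1-254)."""
    if pattern == "any":
        return True
    pat, octets = pattern.split("."), addr.split(".")
    if len(pat) != 4 or len(octets) != 4:
        return False
    for p, a in zip(pat, octets):
        if p == "*":
            continue
        if "-" in p:
            lo, hi = (int(x) for x in p.split("-", 1))
            if not lo <= int(a) <= hi:
                return False
        elif p != a:
            return False
    return True


def port_match(pattern, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


@dataclass
class Rule:
    TrafficBlocker: int      # 1 = block and record matched traffic, 0 = record only
    Protocol: str            # TCP, UDP or any
    SrcAddress: str
    DstAddress: str
    SrcPort: object          # port number or "any"
    DstPort: object
    Description: str

    @classmethod
    def from_json(cls, text: str) -> "Rule":
        doc = json.loads(text)
        missing = [f for f in FIELDS if f not in doc]
        if missing:
            raise ValueError(f"rule lacks fields {missing}")
        return cls(**{f: doc[f] for f in FIELDS})

    def matches(self, pkt: dict) -> bool:
        return ((self.Protocol == "any" or self.Protocol == pkt["proto"])
                and addr_match(self.SrcAddress, pkt["src"])
                and addr_match(self.DstAddress, pkt["dst"])
                and port_match(self.SrcPort, pkt["sport"])
                and port_match(self.DstPort, pkt["dport"]))


class RuleSet:
    """Rule set kept by a suppression node; rule names are the LogIDs of Table 2 (assumption)."""
    def __init__(self):
        self.rules = {}       # name -> Rule
        self.lifetime = {}    # name -> remaining lifetime

    def add(self, name: str, rule: Rule) -> None:
        self.rules[name] = rule
        self.lifetime[name] = INITIAL_LIFETIME

    def decide(self, pkt: dict) -> str:
        """'block' if a blocking rule matches, 'record' if only recording rules match, else 'pass'."""
        hits = [r for r in self.rules.values() if r.matches(pkt)]
        if any(r.TrafficBlocker == 1 for r in hits):
            return "block"
        return "record" if hits else "pass"

    def apply_feedback(self, messages: list) -> list:
        """One feedback round: refresh rules that reported a hit, age the rest, drop expired ones."""
        hit = {m["LogID"] for m in messages}
        removed = []
        for name in list(self.rules):
            if name in hit:
                self.lifetime[name] = INITIAL_LIFETIME
            else:
                self.lifetime[name] -= 1
                if self.lifetime[name] <= 0:
                    removed.append(name)
                    del self.rules[name]
                    del self.lifetime[name]
        return removed


# Constructed sample rule (Table 1 format) and constructed feedback message (Table 2 format).
SAMPLE_RULE = json.dumps({"TrafficBlocker": 1, "Protocol": "TCP",
                          "SrcAddress": "192.168.*.*", "DstAddress": "22.11.33.1-254",
                          "SrcPort": "any", "DstPort": 6667, "Description": "This is a bot"})
SAMPLE_FEEDBACK = {"Timestamp": "2012-02-01 22:10:12:456", "Protocol": "TCP",
                   "SrcAddress": "192.168.1.2", "DstAddress": "22.11.33.44",
                   "SrcPort": 51234, "DstPort": 6667, "Description": "This is a bot",
                   "LogID": "irc-bot-1", "Type": "Firewall"}


def demo() -> tuple:
    rs = RuleSet()
    rs.add("irc-bot-1", Rule.from_json(SAMPLE_RULE))
    verdict = rs.decide({"proto": "TCP", "src": "192.168.1.2", "dst": "22.11.33.44",
                         "sport": 51234, "dport": 6667})
    # Round 1 reports a hit (lifetime refreshed); rounds 2-4 report nothing, so the
    # rule ages 3 -> 2 -> 1 -> 0 and is removed in round 4.
    rounds = [rs.apply_feedback([SAMPLE_FEEDBACK])] + [rs.apply_feedback([]) for _ in range(3)]
    return verdict, rounds


if __name__ == "__main__":
    print(demo())   # ('block', [[], [], [], ['irc-bot-1']])
```

Because a rule's addresses may be wildcards while the feedback carries the concrete addresses that matched, the feedback is tied back to its rule by name (LogID) rather than by comparing fields; this is the reason Table 2 carries a LogID field that Table 1 does not.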
The feedback is constructed like the format of a suppression rule, except for the timestamp field. The feedback shows which rule has indeed taken effect. The system analyzes this information; apart from finding invalid rules, this information can help us understand the botnet.

At the fifth step, the suppression nodes update data with each other using P2P technology. In general, UTM devices have much data that needs updating, such as the virus database of the anti-virus and the feature database of intrusion prevention. Using the traditional mode, in which one server distributes to all nodes, causes serious transmission delay. We choose P2P technology so that all suppression nodes serve as both data distributor and data subscriber. The implementation is that each suppression node broadcasts an update request regularly. The update request contains a rule set version; when a node receives a request carrying an older version, it requests to establish a connection with the owner of that older version. In this way, the system can update to a new version of the rule set quickly.

In order to ensure the safety and reliability of the transmission channel, we design a secure transport protocol for our system based on the collaborative network security management system (Beipeng Mu et al. 2011) and the UTM-CM system (Ying Zhang et al. 2010). The protocol is based on certificates. When the administrator deploys a new suppression node, this suppression node first sends its public key as a registration request to the control center node, and the control center node responds with a certificate. Establishing a transmission channel needs authentication, as shown in Figure 4.

[Figure 4. The authentication process: (1) Suppression Node A sends a request to Suppression Node B; (2) B sends the certificate to the Control Center for identification; (3) synchronization information is exchanged; (4) the connection is established.]

Figure 4 shows suppression node A wanting to establish a connection with suppression node B. Node A sends a request to node B; this request contains the certificate of node A. Node B then asks the control center to verify this certificate, and after verification succeeds, node A establishes the connection with node B.

4 The Botnet Detection Algorithm

Our botnet detection algorithm is based on the features of botnet behavior. Generally, botnet behavior can be divided into three types: propagation behavior, control behavior and aggressive behavior. Propagation behavior has an obvious feature: early botnets spread bots mainly by host vulnerability scanning, as described in the literature (Jan Goebel et al. 2007). This behavior can be detected very accurately by detecting scanning behavior. The latest botnets have adopted more advanced means of propagation, such as e-mail attachments carrying malicious software, or social engineering techniques that push out malicious web sites and malicious mails; this mode of propagation is hard to detect. Aggressive behavior mostly has more significant features, and it causes sudden changes in network load, such as DDoS attacks and SPAM; most network security systems can alarm on such behavior accurately.

Control behavior is relatively covert, because this behavior need not execute repeatedly, and it does not cause network load. When the botnet is in its silence period, it only has control behavior, and almost no aggressive behavior or propagation behavior. Traditional detection algorithms based on behavior mostly focus on obvious features, which are aggressive behavior and propagation behavior. We think traditional detection algorithms will miss some botnets which are in their silence period. In this paper, we present a new botnet detection algorithm based on network behavior. This algorithm is able to detect botnets effectively, and especially botnets that are in their silence period. First of all, we explain control behavior in Figure 5.
Time
Bot
Botmaster
T Bot Target
C&C Server A
T+W
Bot
C&C Server B
Bot Figure 5. The control behavior
Figure 5 shows us a botnet sample, and there are four Bots and two C&C servers. The Botmaster transmits message to bots through C&C server. Generally, C&C
Figure 7. The sliding window model
server sends command or control message to all bots
Figure 7 shows the sliding window model, which it is
simultaneously, and all bots will also reply to C&C server
used to define the concept of simultaneity. All packets are
simultaneously. Our botnet detection algorithm focuses on
sorted as timeline firstly. Then the system sets a sliding
this communication model, which is one host communicates
window. The sliding window begins at the time T and
to multiple local hosts simultaneously and these local hosts
finishes at the time T + W. The time interval W is the width
will reply simultaneously. We regard this communication
of the window. The sliding window can slide according to
model as suspect object.
the fixed length by the end of timeline. In the same window,
The flow chart of our botnet detection algorithm is showed in Figure 6.
the system can find the suspect object. The detecting of the suspect object is shown in Figure 8. SRC_IP
DES_IP
SRC_IP
DES_IP
undecided Traffic one
Suspect compare benign
Remove Suspect Object
Suspect Object Queue Traffic two
Preprocessing
A
1
A
1
B
2
B
2
C
3
C
3
D
4
D
4
E
5
E
5
botnets
Generate rules
Traffic three
Detect Suspect Object
Figure 6. The flow chart of botnet detection algorithm
Figure 6 shows the flow chart of botnet detection
Figure 8. The sample of suspect object
algorithm, which is based on network behavior. There are
Figure 8 has two columns. The left column shows a
three major steps. The first step is data preprocessing, which
remote address sending packets to several local addresses,
is used to merge traffic data into the same timeline. In
and the right column shows several local addresses sending
addition, since this suppression system is a distribution
packets to the remote address. Because all of these packets
system, we design a clock synchronization mechanism for
are belong to the same window, we can observe some
this system. We load this clock server to the control center to
suspect objects from this behavior. Our botnet detection
ensure that each node in the system has the same clock.
algorithm extracts out all suspect objects from data, and
The second step is suspect object detecting. In this step
saves them into a suspect object queue. If a new suspect
a sliding window model is used to process data. The sliding
object is similar to an existing suspect object in the queue,
window model is illustrated as shown in Figure 7.
our algorithm will merge the two suspect objects into one
and save it into the queue. It is a purpose to ensure that all
inevitably leads some users to communicate with the server
suspect objects in the queue are completely different. Figure
at a same time. However this communication seems not so
9 provides four samples of similar suspect objects.
regular.
1
1 A
A
2
Similar to
2
A
A
2
or
3
3
1
1
2
Similar 2 to 3
A B
A
2
Similar to
2
A or
4
3
which are botnet, benign and undecided object. If the network behavior of a suspect object is regular enough, our algorithm will affirm this suspect object as a botnet. If the behavior is random enough, it will be affirmed as a benign.
1
1
B
2
3
or
3
Similar to
or
B
A
The result of suspect comparing has three categories,
1
1
B
4
If it is an undecided object, it means our algorithm needs more data for its judgment. And the suspect object will be remained in the suspect queue and waited for further processing.
Figure 9. The similar suspect objects By continuously collecting and processing the traffic data, the data of suspect objects will become more and more. Our algorithm will execute the last step, which is suspect
5
Evaluation In this section, we evaluate the performance of our
comparing. Actually, as long as a new data is saved into the
collaborative
suspect queue, the comparison module will execute. The
environment is built by using five physical machines which
suspect comparing is a series behavior comparing. We mean
have Intel Core 2 Quad Processor (CPU 3GHz, 2MB cache,
the comparing will check all of the hosts of suspect objects,
1.333GHz FSB), double channel 4GB DDR3, Intel G41 and
and calculate the similarity of the behavior of those hosts.
ICH7R chipset, and Intel 82574L NIC. One machine is used
For
communication
as the control center. Two machines are used as the
frequency and content relevancy. We call this similarity as
suppression node to execute orders. The rest are used as the
suspiciousness. Actually, most of the internet applications
ESX servers. On these ESX servers, we install four virtual
have the similar features of network behavior, but some
machines, which have the operation system as Windows XP
features of them are a little different, as shown in Figure 10.
sp2 and install many malware to act as bots. A Botmaster
example,
the
behavior
consists
malicious
botnets
suppression
system.
Our
test
controls these bots. The diagram of test bed is shown in Figure 11.
benign
users Central control node
Terminal node ESX server Group one Router users
Figure 10. The comparision of malicous and benign Terminal node
Figure 10 shows two suspect objects, the malicious one has considerably behavior similarity, and the benign one seems a little random. This is because some well-known internet applications always have a large number of users. It
ESX server Group two
Figure 11. The test bed for botnet detection
Internet
As shown above, there are two groups in our experiment. Each of them is composed of three components: an ESX server, users and the suppression node. The aim is not only to simulate a real network environment but also to bring real bots into our test bed. Our test starts at 8:00 AM and ends at 10:00 PM, and the recording module of all suppression nodes is set to record the entire traffic. The results are shown in Table 3.

TABLE 3. THE RESULT OF PROCESS

Group        Data Size   Process time   Result (distinct rules)
Group A      6845 MB     124 s          46
Group B      2908 MB     98 s           14
Group A + B  9753 MB     164 s          54

The results in Table 3 show that group A obtains 46 different rules and group B obtains 14 different rules. By comprehensively comparing the results of A and B, we obtain only 54 different rules. These rules are distributed to the two suppression nodes. We continue to gather feedback for one day; Figure 12 shows the results of the feedback.

Figure 12. The feedback in one day

The feedback measures the effectiveness of a rule: as long as a rule takes effect, its number of feedbacks increases by 1. As we can see in Figure 4, for each group the actual number of rules in effect is larger than the number of rules obtained above, which means that within each group a number of existing bots are missed. Our system solves this problem by analyzing the feedback; in other words, we compensate for the difference. In addition, we found that our system has good speed performance in bot detection. In Figure 5, we can see that the sharing of information is very important. In other words, with more collected data, our system can detect botnets faster.

In our test bed network, we install 20 different bots on the virtual machines of the ESX server. The system is set to upload data every 5 minutes. First, we use one ESX server; this server is in one group, and the system detects the 20 bots in about 45 minutes. For comparison, we use two ESX servers and two groups in another test, each group having one ESX server, and the system detects the 20 bots in just about 30 minutes. This means that with more collected data, we can detect botnets more quickly. The details of the test are shown in Figure 5.

Figure 13. The result of comparing

6. Conclusion and Future Work

Suppressing botnets is a big challenge, as botnets rapidly evolve into new variants, and detecting a botnet is quite difficult because the botnet conceals its behavior adaptively. In this paper we design and implement a collaborative botnet suppression system. This system is based on an overlay network; it enables every security node of the system to share information and provides more comprehensive evidence to identify botnets. Our system can use a feedback mechanism to improve performance, which is a very important advantage of our system. In addition, we design a novel botnet detection algorithm which is based on network behavior, and it is able to detect silent botnets because of the use of behavior comparison in this algorithm.

In future work, we will further improve the performance and accuracy of this system. We will use feedback to build a botnet communication model and reduce the false positives of the algorithm through model matching. In addition, we will attempt to implement multiple detection methods working in parallel, which will effectively reduce the false negatives of the algorithm.
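The rule-merging step reported in Table 3 (46 rules from group A and 14 from group B collapsing to 54 distinct rules) and the one-feedback-per-effect counting that drives the removal of invalid rules can be written down as a small model. The following is an added example, not code from the paper or its authors; the rule format (destination IP, port, protocol), the feedback message format, the node names and the sample counts are all assumptions constructed to mirror the numbers in the results section.

```python
"""
Rule merging, feedback counting and invalid-rule removal for a collaborative
botnet suppression system.

Added illustration, not code from the paper or its authors. It models the
workflow described in the results section: each group's suppression node
reports the rules it derived, the control center merges them into one set of
distinct rules and distributes all of them to every node, each node sends one
feedback message each time a rule takes effect, and rules with no feedback
within the observation window are treated as invalid and removed. The rule
format, the feedback format and all sample data are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Assumed rule format: (destination IP, destination port, protocol).
Rule = Tuple[str, int, str]


class Feedback(NamedTuple):
    """One feedback message: rule `rule` took effect once at suppression node `node`."""
    node: str
    rule: Rule


def constructed_rules(first_id: int, last_id: int) -> Set[Rule]:
    """Constructed sample rules: one C&C address per id in 10.0.0.0/24, port 6667/tcp."""
    return {("10.0.0.%d" % i, 6667, "tcp") for i in range(first_id, last_id + 1)}


def merge_rule_sets(groups: Dict[str, Set[Rule]]) -> Set[Rule]:
    """Control-center step: union of all groups' rules, duplicates collapsed."""
    merged: Set[Rule] = set()
    for rules in groups.values():
        merged |= rules
    return merged


def count_feedback(distributed: Set[Rule], messages: Iterable[Feedback]) -> Counter:
    """Count feedback per distributed rule; messages about unknown rules are dropped."""
    hits: Counter = Counter({rule: 0 for rule in distributed})
    for msg in messages:
        if msg.rule in hits:
            hits[msg.rule] += 1
    return hits


def effective_rules_at(node: str, distributed: Set[Rule],
                       messages: Iterable[Feedback]) -> Set[Rule]:
    """Distributed rules that took effect at least once at the given node."""
    return {m.rule for m in messages if m.node == node and m.rule in distributed}


def prune_invalid(distributed: Set[Rule], hits: Counter,
                  min_hits: int = 1) -> Tuple[Set[Rule], Set[Rule]]:
    """Split the distributed rules into (kept, removed) by their feedback count."""
    kept = {rule for rule in distributed if hits[rule] >= min_hits}
    return kept, distributed - kept


def simulate_one_day() -> Dict[str, int]:
    """Constructed scenario: A derives 46 rules, B derives 14, 6 overlap, 54 distinct."""
    groups = {"A": constructed_rules(1, 46), "B": constructed_rules(41, 54)}
    distributed = merge_rule_sets(groups)

    # Constructed feedback for the observation window: at node A rules 1..48
    # take effect (two of them came from B), at node B rules 38..52 take effect
    # (three of them came from A); rules 53 and 54 never take effect anywhere.
    messages: List[Feedback] = []
    for i in range(1, 49):
        messages.append(Feedback("A", ("10.0.0.%d" % i, 6667, "tcp")))
    for i in range(38, 53):
        messages.append(Feedback("B", ("10.0.0.%d" % i, 6667, "tcp")))
    # A message about a rule that was never distributed must be ignored.
    messages.append(Feedback("A", ("192.0.2.1", 80, "tcp")))

    hits = count_feedback(distributed, messages)
    kept, removed = prune_invalid(distributed, hits)
    return {
        "distributed": len(distributed),
        "extra_effective_at_A": len(effective_rules_at("A", distributed, messages) - groups["A"]),
        "extra_effective_at_B": len(effective_rules_at("B", distributed, messages) - groups["B"]),
        "hits_rule_45": hits[("10.0.0.45", 6667, "tcp")],
        "kept": len(kept),
        "removed": len(removed),
    }


if __name__ == "__main__":
    for name, value in simulate_one_day().items():
        print("%-22s %d" % (name, value))
```

The `extra_effective_at_*` values are the paper's observation in miniature: each node sees more rules taking effect than its own detection produced, because the other group's rules cover bots the first group missed. Rules that collect no feedback in the window are the "invalid rules" the control center removes so the rule set does not grow without bound.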
Acknowledgment

This work is supported by the Ministry of Science and Technology of China under National 973 Basic Research Program Grants No. 2011CB302805 and No. 2012CB315801, and by the China NSFC A3 Program (No. 61161140320).