A Cognitive Approach for Botnet Detection Using Artificial Immune System in the Cloud

Victor R. Kebande
Information and Computer Security Architecture (ICSA) Research Group, Department of Computer Science, University of Pretoria, Lynwood Road, Private Bag X20, Hatfield 0028, Pretoria, South Africa. [email protected]

Hein S. Venter
Information and Computer Security Architecture (ICSA) Research Group, Department of Computer Science, University of Pretoria, Lynwood Road, Private Bag X20, Hatfield 0028, Pretoria, South Africa. [email protected]

Abstract— The advent of cloud computing has given a provision for both good and malicious opportunities. Virtualization itself, as a component of cloud computing, has provided users with an immediate way of accessing limitless resource infrastructures. Botnets have evolved to be the most dangerous group of remote-operated zombie computers given the open cloud environment. They happen to be the dark side of computing due to the ability to run illegal activities through remote installations, attacks and propagation through exploiting vulnerabilities. The problem that this paper addresses is that botnet technology is advancing each day and detection in the cloud is becoming hard. In this paper, therefore, the authors present an approach for detecting an infection of a robot network in the cloud environment. The authors propose a detection mechanism using the Artificial Immune System (AIS). The results show that this research is significant.

Keywords—Botnet; Artificial immune system; Cloud; Detection; Negative selection.

I. INTRODUCTION

Development and advancement of immuno-computing and bio-computing research has inspired novel and detailed computational techniques. This has been realized through the process of categorizing agents using their behaviour. An example of this has been negative selection, through which unwanted agents are detected and get isolated.

from the changing technologies of remote-operated botnets. A botnet is able to communicate through Internet Relay Chat (IRC). IRC is a protocol that enables bots to connect to a server to wait for instructions from a botmaster. It then attacks through Distributed Denial of Service (DDoS) and spam, and propagates vulnerabilities through infecting virtual instances of computers in the cloud environment, thereby putting the cloud consumers in danger. Due to these despicable botnet attacks, the authors have proposed botnet detection methods in the cloud environment using the Artificial Immune System (AIS). Through this process, the authors can detect the probability of botnet infection based on independent Poisson processes, and detection based on negative selection. The rest of the article is structured as follows: Section II discusses the background; after this, section III discusses the botnet infection and detection process using AIS; then section IV discusses the related work. Thereafter, section V gives the critical evaluation of the study, while section VI concludes the paper by giving the future work. The next section discusses the background.

II. BACKGROUND

Botnets have become the most dangerous species in terms of navigation and obfuscation within the cloud environment. This is because of the technological changes that botnets are undergoing every day. Due to this, the route to next-generation botnet detection is to learn how botnets camouflage themselves inside networks.

This section presents an overview of botnets, the artificial immune system, cloud computing and the relationship between them. The choice of these parameters was motivated by the intuition that the whole process happens in the cloud environment. Nevertheless, botnets have a stealth behavior that allows them to capture information illegally.

According to the Sophos security threat report [1], "in the past 12 months botnets have grown in size, become more widespread, resilient and camouflaged". This shows that cloud users are becoming less resistant as there are advanced persistent threats and attacks in the cloud environment. Flexible, scalable cloud computing architectures and the presence of decentralized data in the cloud face a big danger.

A. Artificial Immune System

The Artificial Immune System is a computational intelligence technique inspired by immunology. Generally, it is inspired by the Human Immune System (HIS), which is a biological system that provides defence of organisms against pathogens. Researchers Aickelin, Dasgupta and Gu [12] argue that AIS has an Immune System (IS), immune network theory, a negative selection mechanism and a clonal selection principle, which together describe the basic features of the immune response. Interactions in the IS form a chemical bonding when cells mingle with receptors; this interaction consists of a multitude of cells and molecules and has ways to detect and expunge infectious pathogens [13].

ISBN: 978-1-4799-3905-3 ©2014 IEEE

B. Human Immune System

An extensive research paper by Aickelin, Dasgupta and Gu [12] describes the HIS as being distributed without any central controller; rather, it is managed by interactions between antigens and immune cells. This process has T-cells, which are white blood cells, and B-cells, which create antibodies. The T-cells mature in the thymus before they begin to circulate to the lymphatic vessels. This is usually a combination of lymphocytes of B-cells and T-cells with a simple pattern-matching mechanism between B-cells and T-lymphocytes (T-cells) [18]. The T-cells help in the activation of the B-cells. The task of B-cells in the body is the production and secretion of antibodies. Detectors are able to distinguish which elements come from the same organism and which elements act like foreign invaders [14]. These detectors help to protect the human body from invaders.

C. Botnet

Botnet, or robot network, is a generic term that describes a set of scripts written to perform systematic predefined functions. These functions are written in the form of scripts. "Bot" itself is derived from "ro-bot". In this perspective, the bot represents the commands. The collection of bot clients works under the command of a botmaster. Leder [4] describes a botnet as an alliance of interconnected computers infected with malicious software. The botmaster operates the bot clients from a remote location, where he commands a chain of zombie computers. Botnets have always been attributed to crimeware syndicates; they are considered the dark side of computing. They are also able to perform illegal activities ranging from information theft and spamming to Distributed Denial of Service (DDoS) [5]. They perform these activities by searching for a vulnerable computer for initial infection; after this the bot is distributed to other clients (targets). Finally, they can connect to the botmaster for more instructions, as shown in Figure 1.

D. Life Cycle of a Botnet

The botnet life cycle in Figure 1 moves through three different stages. First is communication through IRC, next it attacks through DDoS and spam, and lastly it propagates through vulnerabilities.

Fig 1. Botnet life cycle. Source (news.softpedia.com/DDoS-Botnet)

The botmaster in Figure 1 infects a bot client, either 1, 2, 3, 4, 5 or 6, in the initial infection phase over the internet. The bot client communicates back to the master through z, who then uses the Command and Control (C&C) servers 1, 2, 3 or 4 as an update center to avoid surveillance. Through the internet the botmaster gets clients 1, 2, 3, 4, 5, 6 infected while he targets X. Clients 1, 2, 3, 4, 5, 6 become zombie computers that are controlled by the botmaster. The botmaster operates from a remote location. In Figure 1, clients 1 and 2 lie in a different geographical location from 3, 4, 5, 6, which shows that a botnet can be controlled from any part of the world.

E. Cloud Computing

Cloud computing is a scalable and distributed environment that allows users to use applications and files over the internet in a virtualized environment. The National Institute of Standards and Technology (NIST) [3] defines cloud computing as "A model for enabling ubiquitous, convenient and on-demand network access to a pool of shared and configurable resources (e.g., networks, servers, storage, applications, and services)". These resources can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud model is composed of three service models and four deployment models [3]. The three service models, as shown in Figure 2, are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS supports application-level services. Examples of services provided by SaaS include Application Programming Interface (API), Graphical User Interface (GUI), operating system, Virtual Machine (VM), solution stack, hypervisors, computer and storage, etc. PaaS supports services like solution stack, VM, hypervisor, network and storage, while IaaS supports hypervisor, computers, storage and network. The cloud models can be deployed in four different clouds: private clouds, hybrid clouds, public clouds and community clouds. Sharing resources over this network has led to the rise of cloud vulnerabilities like infrastructure failures, denial of service attacks, botnet malicious attacks and other nefarious uses of the cloud. Also, lack of proper monitoring of events by Cloud Service Providers (CSPs) has led to a lot of cloud insecurity, like information theft and remote-controlled attacks. The next section discusses botnet infection and detection using AIS.

This work is based on research supported by the National Research Foundation of South Africa (grant-specific unique reference number UID 85794). The grant holder acknowledges that opinions, findings and conclusions or recommendations expressed in any publication generated by NRF-supported research are those of the author(s) and the NRF accepts no liability whatsoever in this regard.

Fig 2. Cloud computing models.

III. BOTNET INFECTION AND DETECTION PROCESS USING ARTIFICIAL IMMUNE SYSTEM

This section proposes a contribution on how botnets form a malicious network. Thereafter, the authors discuss the probability of a botnet infecting and getting detected on a particular network using independent Poisson processes. Finally, the authors give a discussion about botnet detection based on AIS with respect to the negative selection algorithm in a cloud environment.

A. Spreading of Botnet Malicious Pattern

Bots infect client computers, which form a malicious pattern in the form of a network of connected elements. The network infrastructure allows two or more computers to communicate with each other, as shown in Figure 5. Botnets move like a pattern in a directed graph with vertices and edges. A vertex of the directed graph in Figure 3 represents a node in a network, while an edge represents the network traffic flow of a malicious code. This forms an alliance of connected computers p, q, r, s, t, u, v, w which get instructions from the botmaster, as shown in Figure 3. In Figure 3, the nodes which are not connected (null points), m and n, represent nodes which have not been infected by bots. Once a bot infects a node it creates a new platform for receiving instructions to connect to another node, and this process is always continuous. The in-degree x represents the incoming attack of a malicious code to node q from node p, while the out-degree y represents the dispatch of a malicious code from node p to node t.

Fig 3. Directed graph network with nodes.

The movement of a bot in the directed graph entirely depends on the hyperlinks between elements, as shown in Figure 3, which gives a need for defining the degree distribution, where the probability that a botnet will infect a given number of computers and get detected does not occur simultaneously. Botnet infection is a continuous process, but infection and detection are independent Poisson processes, as discussed in the next section.

ISBN: 978-1-4799-3905-3 ©2014 IEEE

B. Probability of Botnet Infection

This section presents the process that shows the probability of two occurrences, i.e. infection and detection. Botnet infection and detection processes do not happen simultaneously. Since infection is a continuous process [16], the occurrences depend on independent Poisson processes given by

$$N = N_1 + N_2 \quad [7] \qquad (1)$$

with a probability of $\lambda_1 / (\lambda_1 + \lambda_2)$. This has been illustrated by the Poisson orderliness for counting as

$$\lim_{\Delta t \to 0} P\big(N(t + \Delta t) - N(t) > 1 \mid N(t + \Delta t) - N(t) \geq 1\big) = 0 \qquad (2)$$

This signifies that the occurrences for infection and detection do not happen simultaneously. The Poisson independent process is represented as

$$\lim_{\Delta t \to 0} P\big(N_1(t + \Delta t) - N_1(t) \geq 1 \mid N(t + \Delta t) - N(t) \geq 1\big) = 0 \qquad (3)$$

since the occurrences (infection and detection) are given by $N = N_1 + N_2$ from equation (1). Suppose $i$ and $j$ are used for botnet infection and detection respectively over the network, where $i = 1$ shows that the network can be infected and $j = 0$ shows that the bot can be detected; the possibility that there will be more infections is given by $i = n + 1$ rather than $j = 0$. These are given by the probability of two Poisson processes [6] which are independent of infections. If $x$ represents the occurrences $i$ and $j$, the processes are given by

$$N_i(x) = n + 1 \quad \text{and} \quad N_j(x) = 0 \qquad (4)$$

$n + 1$ shows there can be a possibility of more infections. In a Poisson process they are represented as

$$N(x) = N_i(x) + N_j(x) \qquad (5)$$

Considering the waiting time of the bot, it is distributed exponentially with the equations $\lambda_1 / (\lambda_1 + \lambda_2)$ and $\lambda_2 / (\lambda_1 + \lambda_2)$ [6].

Example: If a bot is dispatched over a known network (directed graph G) as shown in Figure 2 and it is given a value $i = 1$ for the possibility of infection and a value $i = 2$ for the bot to be detected, with $x_i$ occurrences, the probability of infection before detection is given by considering the exponential distribution of the waiting time of the bot. Let $x_i$ represent the occurrences and $x_i$, $i = 1, 2$ be independent random variables. The Probability Density Function (PDF) of the Poisson process is given by

$$P(x; \lambda) = \frac{e^{-\lambda} \lambda^x}{x!} \quad \text{for } x = 0, 1, \ldots$$

With $\Delta t \to 0$ the probability is $P = \lambda_1 / (\lambda_1 + \lambda_2)$, which is the probability $P$ for botnet infection [7].

C. Botnet Detection Based on Negative Selection

This section introduces the reader to the method through which a botnet can be detected using the negative selection algorithm. Botnet detection based on negative selection is based on the HIS principle of discrimination. This is entirely the process of self and non-self reaction. This selection is based on the adaptive behavior of the HIS. Through this process potentially harmful devices are detected and removed. Within a cloud environment a botnet is treated as an external element. The botnet is dispatched with the aim of infecting virtual instances of computers, but random detectors are generated to detect the behavior of the botnet based on its malicious pattern. From section III, the authors discussed that infection and detection do not occur simultaneously; hence, the detector will observe the malicious pattern and use it to categorize the botnet as reactive. This has been illustrated using the negative selection algorithm for matching, as shown in Table 1 and Table 2.

TABLE 1. Negative Selection Algorithm

Input: Self
Output: Detectors
Repeat
    While (not stop)
        Detector: generate random D
        If Detector matches Self: #Discriminate# (reject D)
        If Detector matches Botnet: #Discriminate# (flag as non-self)
    Repeat
End
Return

Fig 4. Botnet detection based on negative selection

Figure 4 represents the flow of the negative selection algorithm shown in Table 1 in the process of discriminating agents that react to self using artificial lymphocytes. The artificial lymphocytes, T-cells (random detectors), are trained to distinguish between self and non-self patterns. They will henceforth detect an element with a non-self pattern (botnet). Using the algorithm the botnet undergoes matching, as shown in Figure 2, to see if it reacts to self. If the botnet reacts or fires during the matching process, the artificial lymphocytes will detect that the botnet has a non-self pattern. The botnet will be detected as non-self and discriminated as unwanted.

D. Botnet Detection at the Cloud Environment

When virtual instances of computers at the cloud environment are attacked by bots, the AIS is trained to detect a malicious activity pattern. It observes the behavior and movement based on the network traffic movement. In Figure 5, the communication and behavioral aspects of the client computers and the flow of network traffic determine how the botnet behaves. This is because the bots that originate from a particular botnet will exhibit similar characteristics and movement patterns. Through the negative selection algorithm the botnet patterns are detected as non-self elements if they happen to fire during the matching process.

Fig 5. Detecting botnet at cloud using AIS using malicious zombie pattern

Figure 5 shows the zombie pattern attack that moves to virtual instances in the cloud environment. The generated detectors are given a learning technique with built malicious code patterns inside the virtualized environment. If an unusual malicious activity pattern is detected it will be filtered and then reported as non-self. The c represents malicious code movement at the nodes pattern in the botnet spread, as shown in Figure 2.
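The race between infection and detection in Section III.B, as an added worked example that is not part of the paper: it evaluates $P = \lambda_1/(\lambda_1 + \lambda_2)$ analytically, checks it by sampling the two exponential waiting times, computes the Poisson PDF $P(x;\lambda)$, and shows the orderliness limit of equation (2) numerically. The rates, window sizes and trial counts are constructed values.

```python
"""Infection vs. detection as two independent Poisson processes (Section III.B).

Added example; rates and trial counts below are constructed, not from the paper.
"""
import math
import random


def p_infection_before_detection(lam_inf: float, lam_det: float) -> float:
    """P = lam1 / (lam1 + lam2): infection (rate lam1) fires before detection (rate lam2).

    For two independent exponential waiting times this is the probability that
    the infection clock rings first; ties have probability zero."""
    if lam_inf <= 0 or lam_det <= 0:
        raise ValueError("rates must be positive")
    return lam_inf / (lam_inf + lam_det)


def poisson_pmf(x: int, lam: float) -> float:
    """The paper's P(x; lam) = e^-lam * lam^x / x!  for x = 0, 1, ..."""
    if x < 0:
        return 0.0
    return math.exp(-lam) * lam ** x / math.factorial(x)


def p_multiple_given_at_least_one(lam: float, dt: float) -> float:
    """Orderliness, equation (2): P(N(t+dt)-N(t) > 1 | N(t+dt)-N(t) >= 1).

    The count in a window of length dt is Poisson(lam*dt); the ratio tends to 0
    as dt -> 0, i.e. two occurrences never land in the same instant."""
    x = lam * dt
    p_at_least_one = -math.expm1(-x)                 # 1 - e^-x without cancellation
    p_more_than_one = p_at_least_one - x * math.exp(-x)  # subtract P(exactly one)
    return p_more_than_one / p_at_least_one


def simulate_race(lam_inf: float, lam_det: float, trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo check of p_infection_before_detection.

    Each trial draws both exponential waiting times (the superposed process
    N = N1 + N2 of equation (1)) and records whether infection came first."""
    rng = random.Random(seed)
    infection_first = 0
    for _ in range(trials):
        t_inf = rng.expovariate(lam_inf)
        t_det = rng.expovariate(lam_det)
        if t_inf < t_det:
            infection_first += 1
    return infection_first / trials


if __name__ == "__main__":
    lam1, lam2 = 2.0, 3.0  # constructed: 2 infections/h vs 3 detections/h
    print("analytic P(infection first) =", p_infection_before_detection(lam1, lam2))
    print("simulated P(infection first) =", simulate_race(lam1, lam2))
    for dt in (1.0, 1e-3, 1e-6):
        print(f"dt={dt:g}: P(>1 event | >=1 event) = {p_multiple_given_at_least_one(lam1 + lam2, dt):.3g}")
    print("P(x; lam=3) for x=0..4:", [round(poisson_pmf(x, 3.0), 4) for x in range(5)])
```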
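The negative selection algorithm of Table 1 and Section III.C, as an added example that is not the paper's own code: flow patterns are constructed 8-bit feature strings (the encoding, the self set and the two botnet-like samples are assumptions made here), random candidate detectors are censored against self with the r-contiguous matching rule of [18], and any later pattern that fires a surviving detector is classed as non-self.

```python
"""Negative selection (Table 1) over constructed traffic-feature patterns.

Each pattern is an 8-bit string summarising one flow observed from a virtual
instance. The encoding below is an assumption made for this example:
  bits 0-1 destination port class (00 web, 01 mail, 10 IRC-like, 11 other)
  bits 2-3 connection duration bucket      bits 4-5 bytes-out bucket
  bits 6-7 distinct-peer fan-out bucket
"""
import random

PATTERN_LEN = 8  # bits per pattern
R = 4            # r-contiguous threshold: r aligned, consecutive equal bits

# Constructed "self": flows seen during normal operation of the instance.
SELF_PATTERNS = ["00010100", "00101000", "01010000", "00111101"]

# Constructed non-self samples (labels are for the reader; the code never sees them).
BOTNET_PATTERNS = {
    "10110011": "IRC-like C&C beaconing: long-lived, low volume, many peers",
    "11001111": "DDoS-like flood: short flows, high volume, many peers",
}


def r_contiguous_match(a: str, b: str, r: int = R) -> bool:
    """True if a and b agree on at least r consecutive (aligned) positions [18]."""
    if len(a) != len(b):
        raise ValueError("patterns must have equal length")
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, n_candidates, seed=1):
    """Table 1: generate random D; if D matches Self it is discriminated (rejected),
    otherwise it matures into a detector. Stops after n_candidates draws."""
    rng = random.Random(seed)
    detectors = set()
    for _ in range(n_candidates):
        cand = "".join(rng.choice("01") for _ in range(PATTERN_LEN))
        if any(r_contiguous_match(cand, s) for s in self_set):
            continue  # reacts to self: never allowed to become a detector
        detectors.add(cand)
    return sorted(detectors)


def classify(pattern, detectors):
    """A detector that fires on the pattern marks it non-self (botnet-like)."""
    if any(r_contiguous_match(pattern, d) for d in detectors):
        return "non-self"
    return "self"


def run_demo(n_candidates=5000):
    """Build the detector set, then classify the self flows and the botnet samples."""
    detectors = generate_detectors(SELF_PATTERNS, n_candidates)
    observed = SELF_PATTERNS + list(BOTNET_PATTERNS)
    return detectors, {p: classify(p, detectors) for p in observed}


if __name__ == "__main__":
    dets, results = run_demo()
    print(f"{len(dets)} detectors survived censoring against {len(SELF_PATTERNS)} self patterns")
    for pattern, verdict in results.items():
        print(f"{pattern} -> {verdict:8s} ({BOTNET_PATTERNS.get(pattern, 'normal flow')})")
```

Because every survivor of censoring is by construction r-contiguous-disjoint from self, the self flows can never fire a detector; the two botnet samples share no 4-bit aligned window with any self pattern, so they are themselves admissible detectors and are caught.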

IV. RELATED WORK

This section discusses the work that has been done relevant to the authors' work. From the set of works done by researchers, the artificial immune system has not been used for botnet detection in the cloud environment, but work by different researchers has resulted in different detection techniques. Research work by Villamarín-Salomón and Brustoloni showed that to identify botnets using anomaly techniques, the outlier anomalous objects needed to be detected due to the scattered nature of the data points. Further, this work used Chebyshev's inequality as an outlier detection method. This was suitable because Chebyshev's inequality allowed the distribution of unknown data when no assumptions were to be made [11]. Work by the European Network and Information Security Agency (ENISA) [15] highlights that there are two ways to detect botnets: passive techniques and active techniques. The passive technique consists of gathering data solely through observation, monitoring and tracking activities. The active techniques include approaches that involve interaction with the information sources being monitored; this involves the sinkholing process. Sinkholing is a technical countermeasure for cutting off a malicious control source from the rest of the botnet. The next active method is infiltration, where the executable bot and its traffic are monitored, and the approaches for IRC-based measurement and detection. A work by Zhao on spamming botnet detection proposed a novel graph-based approach to detect web-account abuse attacks. The work was based on the observation that bot-users share IP addresses when they log in and send mails. The BotGraph could detect abnormal sharing of IP addresses among bot-users [8]. A research paper on botnet detection by Binkley and Singh [9] presented an algorithm for anomaly-based botnet detection that could detect IRC-based botnet meshes. The algorithm combined IRC detection with a TCP scan detection heuristic called the work weight. They further computed the work weight probing IP per source, which was expressed as a percentage [9]. A research paper by Strayer [10] presented a system for aggregating monitored traffic by looking for botnets. This research was done by adopting proactive approaches that identified hosts that were likely to be part of the botnet [10]. Francois's [17] research paper on bot-clouds implemented work on botnets using MapReduce. This was a high-level abstraction for computing based on Hadoop, which is an open source implementation of MapReduce. The work presented a scalable method for detecting peer-to-peer botnets between hosts. The authors highly acknowledge the contribution made by these researchers, and this has in turn added insight for the authors on the techniques that have been used in detecting botnets in the cloud environment. The next section discusses the critical evaluation of the study.

V. CRITICAL EVALUATION

This section presents an elaboration and evaluation of the parameter selection for the proposed techniques for botnet detection at the cloud environment. Further, the authors give a critical analysis compared to other previous techniques.

From the authors' study, the choice of botnet detection in the cloud environment based on AIS is based on the complex functional system of the HIS. Protecting a network from intruders is like protecting the human body against infections through immune cells. Botnet detection in the cloud environment using AIS is a new contribution that has not been explored by researchers at the time of writing this paper. The important aspects to discuss are how botnets can spread in a network, and the infection and detection mechanism at the cloud environment. In Table 1 the negative selection algorithm shows that if a detector matches itself or if a detector fires it will be discriminated as non-self or a rejected element. Table 2 represents a botnet being matched in the algorithm with detectors in place as a non-self pattern, i.e. a malicious activity pattern. The artificial lymphocytes described in section II discriminate the botnet and eliminate it from a given network.

Figure 2 shows that botnets can spread to form a network, like a directed graph with edges, vertices, in-degree and out-degree; this shows that every time a computer or a virtual instance in the cloud environment is infected by a bot, a malicious pattern is formed. This is a malicious activity pattern, and for the botnet to be detected the AIS must learn the system's unusual patterns in order to detect it. Section III highlights that the processes of botnet infection and detection do not happen simultaneously. This indicates that the probability of the occurrence, i.e. a bot infecting a given computer, has been found using independent Poisson processes, which is given by $P = \lambda_1 / (\lambda_1 + \lambda_2)$. This is with respect to the waiting time of the bot, which is distributed exponentially.

Figure 5 shows botnets and patterns at the cloud environment; the virtual instances of computers at the cloud are likely to be attacked by the bots, and these can be detected based on their malicious patterns. An approach to detect this botnet has been discussed in section III, where the AIS uses detectors to eliminate the botnet by learning the malicious activity patterns. In general, the authors have seen that AIS is the best solution for detecting botnets at the cloud environment, since botnets have a malicious pattern. AIS can learn a defence mechanism using the artificial lymphocytes in detecting elements that react. The work discussed above and previously has led the authors to conclude that the approach is very novel in detecting botnets at the cloud environment. The next section discusses the conclusion of the study and the future work.

VI. CONCLUSION AND FUTURE WORK

The authors have introduced a new mechanism for botnet detection at the cloud based on the artificial immune system. The mechanism uses the negative selection algorithm to match whether the botnet belongs to a self or non-self pattern. This is done by training detectors on identifying malicious activity patterns in the cloud environment and isolating them as non-self. As part of the authors' future work, we plan to create a genetic-based cloud application based on malicious botnet pattern movement that will run as a service at the cloud environment. This will enable detection as soon as the botnet behaviour is detected at the virtual instances in the cloud environment.

REFERENCES

[1] Sophos (2012). "Botnets: The dark side of cloud computing". http://www.sophos.com/medialibrary/Gated%20Assets/white%20papers/sophosbotnetswpna.pdf

[2] L. N. De Castro & F. J. Von Zuben (1999). "Artificial immune systems: Part I – basic theory and applications". Universidade Estadual de Campinas, Dezembro de, Tech. Rep. 210.

[3] P. Mell & T. Grance (2011). "The NIST definition of cloud computing" (draft). NIST Special Publication 800(145), 7.

[4] F. Leder, T. Werner & P. Martini (2009). "Proactive botnet countermeasures: an offensive approach". The Virtual Battlefield: Perspectives on Cyber Warfare, 3, 211-225.

[5] M. T. Banday, J. A. Qadri & N. A. Shah (2009). "Study of Botnets and their threats to Internet Security".

[6] J. Bowers (2008). "A Quick Way to See that the Poisson Distribution is the Appropriate Mathematical Formulation for a Counting Process with Constant Rate and Intensity".

[7] O. J. Boxma & U. Yechiali. "Poisson processes, ordinary and compound".

[8] Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen & E. Gillum (2009, April). "BotGraph: Large Scale Spamming Botnet Detection". In NSDI (Vol. 9, pp. 321-334).

[9] J. R. Binkley & S. Singh (2006, July). "An algorithm for anomaly-based botnet detection". In Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI) (pp. 43-48).

[10] W. T. Strayer, R. Walsh, C. Livadas & D. Lapsley (2006, November). "Detecting botnets with tight command and control". In Local Computer Networks, Proceedings 2006 31st IEEE Conference on (pp. 195-202). IEEE.

[11] R. Villamarín-Salomón & J. C. Brustoloni (2008, January). "Identifying botnets using anomaly detection techniques applied to DNS traffic". In Consumer Communications and Networking Conference, 2008. CCNC 2008. 5th IEEE (pp. 476-481). IEEE.

[12] U. Aickelin, D. Dasgupta & F. Gu (2014). "Artificial immune systems". In Search Methodologies (pp. 187-211). Springer US.

[13] S. A. Hofmeyr & S. Forrest (1999). "Architecture for an artificial immune system". Evolutionary Computation, 7(1), 45-68.

[14] M. Ayara, J. Timmis, R. de Lemos, L. N. de Castro & R. Duncan (2002, September). "Negative selection: How to generate detectors". In Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS) (Vol. 1, pp. 89-98). Canterbury, UK.

[15] European Network and Information Security Agency (ENISA) (2011). "Botnet Detection, Measurement, Disinfection & Defence". http://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/forschungsbereiche/botnets-detection-measurement-disinfectiondefence.pdf

[16] P. Van Mieghem, J. Omic & R. Kooij (2009). "Virus spread in networks". IEEE/ACM Transactions on Networking, 17(1), 1-14.

[17] J. Francois, S. Wang, W. Bronzi, R. State & T. Engel (2011, November). "BotCloud: detecting botnets using MapReduce". In Information Forensics and Security (WIFS), 2011 IEEE International Workshop on (pp. 1-6). IEEE.

[18] S. Singh (2002). "Anomaly detection using negative selection based on the r-contiguous matching rule". In Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS), pp. 99-106.
