Survey on botnet: Its architecture, detection, prevention and mitigation

Ihsan Ullah, Naveed Khan, Hatim A. Aboalsamh
Department of Computer Science, College of Computer & Information Science, King Saud University, Riyadh, Saudi Arabia
{ihsanullah, naveed, hatim}@ksu.edu.sa

978-1-4673-5200-0/13/$31.00 ©2013 IEEE

Abstract—Robot Network or BOTNET is one of the biggest network security threats faced by home users, organizations, and governments. Botnets are created by intelligent and up-to-date hackers, which challenges the IT community in detecting, preventing and mitigating botnet attacks. This paper discusses the life cycle, topologies, detection techniques and future prospects required to be safe from botnet attacks.

Keywords— Botnet, Intrusion, Network Security, Robot Network

I. INTRODUCTION

One of the most significant current issues in computer network security is the BOTNET. It is an active focus in the research community and industry due to the sharp rise of attacks on individual and organizational computers. A BOTNET is a large network of compromised computers used to attack other computer systems with malicious intent [1]. The end computers and networks (zombie computers and networks) may belong to individual home users, organizations, school and college laboratories, etc. Some of these computers may be willingly participating under the supervision of the Supervisor-Bot during an actual attack, and some are hijacked by a Trojan or malware [2, 3]. BOTNETs appeared two decades ago, but even now the threat they pose is underestimated due to their robustness and dynamic nature, which results in users being blocked by their ISP or in the normal usage of certain applications being stopped (e.g. by a Distributed Denial of Service (DDoS) attack) [4].

The emergence of cloud computing provides an ultimate platform for the supervisor bot to deploy, activate/deactivate and remove C&C servers in order to attack anonymously and easily. To run successfully, cloud service providers have to play a vital role in the detection, mitigation and prevention of botnets. Not only are cloud-based services vulnerable to Distributed Denial of Service attacks; websites and services which earn by the number of visitors are also being exploited by such attacks. These attackers engage in fraudulent resource consumption by consuming the bandwidth of web-based services, which in turn makes the cloud consumer suffer financially [8, 9].

In the last ten years researchers have shown increased interest in BOTNETs due to the high rate of malicious activities done by Supervisor Bots [4]. However, due to their complexity and dynamic nature, it is hard to detect and prevent such attacks. These attacks are highly dynamic, stealthy and fast.

The BOTNET life cycle has several steps, from infecting the computer to commanding it for malicious activities. First it transfers malicious code, which then executes automatically when the computer connects to the internet. The Supervisor-bot can then infect, command and control the zombie computers (infected machines). The Botnet program contains server/client code to communicate with the server applications [5]. The idea originated at the end of the 90's with new technology being used by Trojans, which created a backdoor, notoriously the NetBus and BackOrifice2000 programs. This generated the idea of an Internet Relay Chat (IRC) user attack, which remotely controlled computers by infecting other computers with a virus, malware or any other malicious code, without the knowledge of the normal user. This led to the start of the centralized command and control center (C&C) attack of the BOTNET [6].

Although Botnets are mostly used for negative purposes, potentially Botnets could be used for positive purposes as well. Researchers have proposed several techniques for BOTNET attack detection, but a lot of work is still needed on earliest-stage detection, prevention and capturing the mastermind. These techniques include data mining, fuzzy logic based on some statistical data, anomaly based, structure based, etc. Moreover, up-to-date hackers challenge the IT community in the detection, prevention and mitigation of day-to-day BOTNET attacks [7].

In the next section we discuss the Botnet life cycle. Then in section III we discuss the Botnet architecture in detail. Section IV discusses Botnet detection. Section V discusses the Botnet prevention and mitigation techniques proposed by different authors, while in Section VI we give future prospects for Botnet research. Finally, the conclusion is given in Section VII.

II. BACKGROUND

BOTNETs arose over the last two decades, but even now the threat caused by them is underestimated due to unawareness, which causes users to be blocked by their Internet Service Provider (ISP) or stops the normal usage of certain applications or websites [4]. Their technique of infection and spreading is the same as that of malware and Trojan horses, which exploit software vulnerabilities along with social engineering techniques. The IRC user usually creates a group on the mIRC messenger and invites users with some specific interest. The administrator of the group first provides them the facilities the users want, and then by social engineering convinces them to accept the malicious code, with or without the knowledge of the user. Whenever the user connects to the internet the code triggers and sends a request to the supervisor bot. Then, when all the soldier bots are connected, they are used by the Supervisor-bot to attack a specific application, organization or website.

A. BOTNET LIFE CYCLE

A BOTNET has five steps from infecting the computer to using it for malicious activities:
1) In the start it primarily infects other computers.
2) Then it injects a small piece of code using File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Peer to Peer (P2P), a combination of HTTP and P2P (HTTP2P), etc.
a. When the user connects to the internet the code is executed automatically to establish a connection to the Command & Control (C&C) server.
b. The Supervisor-bot wickedly commands and controls the zombie computers through the C&C server.
c. The last job of the supervisor-bot is to remain transparent and active by using Dynamic Domain Name Server (DNS) and keeping the zombies updated and in existence, to maintain and use them accordingly.

A comprehensive testbed environment is an acute building block for botnet study and for highlighting the botnet threat. Such an environment should focus on the following requirements:
1) The ability to test with a variety of bot types (both known and unknown) deployed on a variety of standard operating systems.
2) The capability of conducting experiments in a secure mode (such as one that poses no threat to the greater internet).
3) The ability to form flexible and realistic botnet technologies and configurations.
4) The ability to perform and conduct experiments at scale and under realistic conditions.

We analyze and suggest that a testbed gratifying these requirements would enable a range of experimental studies. The aim of these experiments on new methods and tools is to characterize, compare, identify and prevent botnets. The most common testbeds are the Botnet Evaluation Environment (BEE) and Emulab-enabled environments including DETER [10]. BEE is a set of operating system or bot images and support tool configurations in a secure way, while Emulab is the most commonly used emulation testbed that supports customized operating systems and dedicated PCs in order to prevent botnet threats [11].

B. BOTNET ARCHITECTURES

BOTNETs use four types of architectures to control the network and to be invisible to detection, i.e. Centralized Botnet Architecture, Peer to Peer (P2P) Botnet Architecture, Hybrid, and the combination of Hyper Text Transfer Protocol with Peer to Peer (HTTP2P). The first architecture is not very secure but easy to implement, while the second architecture is hard to detect as well as hard to manage, whereas Hybrid and HTTP2P are combinations of the first two for bypassing firewalls and intrusion detection mechanisms.

2) Centralized Botnet Architecture

The oldest and easiest to manage and control architecture used by the supervisor-bot is the centralized one. All the zombie computers, or the zombie army, are supervised from a central point, which makes them visible to be detected and stopped. It uses the Internet Relay Chat (IRC) or HTTP protocol for its C&C [5]. Examples of centralized models are AgoBot, SDBot, SpyBot, GTBot, and Zotob [20] [31]. Figure 1 shows a simple C&C Botnet server and its bots.

Fig 1: Centralized Architecture

3) Peer to Peer (P2P) Botnet Architecture

To remove the drawbacks of the centralized architecture, hackers focused on the peer to peer model characteristics for Botnets, which is actually harder to manage for the Supervisor-Bot but also harder to detect, monitor and block by security managers. The Supervisor-bot transfers a command to an infected zombie peer, who transfers it to other peers, acting both as Supervisor-bot and zombie army soldier. Similarly it can transfer commands from any zombie, which leads to slow but effective, undetectable communication within the zombie army [12]. Examples of bots using P2P are Phatbot and Peacomm [5]. P2P uses several controllers for hiding, so as not to be seized and closed, along with encryption keys to prevent misuse of the technology by anyone other than the supervisor-bot. It works in various phases and periods without using significant bandwidth at the same time. Data mining techniques gave some promising results in detecting P2P attacks [40].
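The survey's claim that a centralized botnet is easy to stop at its C&C point while P2P and hybrid ones survive takedowns can be quantified with a small graph model. This is an added example, not code from the paper or from any bot: the topologies, sizes, peer counts, seeds and the "remove the m highest-degree nodes" defender action are all constructed assumptions.

```python
"""Takedown resilience of the botnet topologies described above.

Constructed, abstract graph model (added example, not code from the paper or
from any bot): nodes are bots plus, for the centralized case, one C&C server;
edges are the links commands travel over.  A defender removes the m
highest-degree nodes, the "central points" that are easiest to spot, and we
measure what fraction of the original zombie army the supervisor can still
reach through its entry points.  Sizes, peer counts and seeds are assumptions.
"""
from collections import deque
import random

CC = "cc"  # the single C&C server of the centralized architecture


def add_edge(graph, a, b):
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def build_centralized(n_bots):
    """Star topology: every bot talks only to the C&C server (IRC/HTTP style)."""
    g = {}
    for i in range(n_bots):
        add_edge(g, CC, f"bot{i}")
    return g, [CC]  # the supervisor's only way in is the C&C server


def build_p2p(n_bots, peers_per_bot, seed=1):
    """Each bot keeps a small random peer list; commands are relayed peer to peer."""
    rng = random.Random(seed)
    g = {}
    names = [f"bot{i}" for i in range(n_bots)]
    for name in names:
        for peer in rng.sample([x for x in names if x != name], peers_per_bot):
            add_edge(g, name, peer)
    return g, rng.sample(names, 3)  # supervisor injects through a few bots it knows


def build_hybrid(n_servents, n_clients, peers_per_servent, seed=1):
    """Servent bots form a P2P core; client bots attach to two servents each."""
    rng = random.Random(seed)
    g = {}
    servents = [f"servent{i}" for i in range(n_servents)]
    for s in servents:
        for peer in rng.sample([x for x in servents if x != s], peers_per_servent):
            add_edge(g, s, peer)
    for i in range(n_clients):
        for s in rng.sample(servents, 2):
            add_edge(g, f"client{i}", s)
    return g, rng.sample(servents, 3)


def takedown_top_degree(graph, m):
    """Defender action: drop the m nodes with the most connections."""
    victims = set(sorted(graph, key=lambda n: len(graph[n]), reverse=True)[:m])
    return {n: peers - victims for n, peers in graph.items() if n not in victims}


def reachable_bots(graph, entry_points):
    """Bots a command reaches by flooding outward from the surviving entry points."""
    queue = deque(e for e in entry_points if e in graph)
    seen = set(queue)
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return {n for n in seen if n != CC}


def resilience_after_takedown(built, removed):
    """Fraction of the ORIGINAL bot population still commandable after takedown."""
    graph, entries = built
    total = sum(1 for n in graph if n != CC)
    return len(reachable_bots(takedown_top_degree(graph, removed), entries)) / total


if __name__ == "__main__":
    for label, built in [("centralized", build_centralized(200)),
                         ("p2p", build_p2p(200, 4)),
                         ("hybrid", build_hybrid(20, 180, 3))]:
        frac = resilience_after_takedown(built, 5)
        print(f"{label:12s} after removing 5 hub nodes: {frac:.2f} of bots still reachable")
```

Removing a single hub node (the C&C server) leaves the centralized army unreachable, while the P2P and hybrid graphs keep most of their bots commandable, which is the resilience the text attributes to those designs.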


Figure 2: P2P Architecture

4) Hybrid Botnet Architecture

Hybrid is similar to P2P, where the Supervisor-Bot maintains P2P communication between supervisors behaving like a server community. A Supervisor-Bot breeds, keeps information, and protects a robust BOTNET able to maintain control of its remaining bots from significant exposure, making it harder to infer the network topology of its soldier zombie community from their communication traffic patterns. Each Supervisor-Bot has its own list of peers and does not share it with other bots for security purposes [13-14]. Ping Wang et al. designed and proposed a hybrid P2P Botnet attack which is difficult to observe and even more difficult to seal, with robustness in connectivity, individualized encryption and organized traffic dispersal, a small degree of exposure, and ease of monitoring and healing for the Supervisor-bot [38].

Figure 3: Hybrid Architecture

5) Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture

Due to the drawback of the centralized architecture of being easily detected, P2P is used. But P2P has the threat of Sybil attacks [15]. So they combined HTTP and P2P to become harder to detect and to bypass firewalls and client-server architecture [13]. In HTTP2P the Supervisor-Bot ciphers the message, continuously searches for a Soldier-Bot, and when found delivers the message to it, while the Soldier-Bot does not contact the Supervisor-Bot or other soldier-bots dynamically; rather it waits for a call from its supervisor.

III. DETECTION OF BOTNET ATTACK

Botnet attacks are done in a group for cybercrimes; they are extremely dangerous and can crash any network, server, organization, or the internet as a whole [20]. C&C traffic appears as legitimate traffic among normal traffic. Therefore hard work has to be done to save organizations' networks, data and economic losses by designing algorithms and techniques which can detect Botnets in advance [5]. Data mining techniques are used to extract, analyze, recognize and discover normal patterns and abnormalities in huge data. For this, correlation, classification, clustering, statistical analysis and aggregation techniques can be used [23] [34]. Data mining techniques gave a little bit of promising results in detecting P2P attacks [40]. The Honeynet project took the first step in this regard for the recognition of Botnet characteristics [17], and after that many used HONEYNET in different forms to detect and learn the behavior of Botnets. As security includes fuzziness, recently in 2010 BotDigger was introduced, which uses fuzzy logic because of its ability to view quantitative features and variables. This is more appropriate than others in detecting Botnets [42]. Other than its characteristics, recent work has been done based on its signature, Domain Name Service (DNS), anomalies, and attack behavior, which is divided into the two main categories discussed below.

A. Structured Based Detection

These techniques are not very successful as a result of the polymorphic characteristics used by cyber criminals. Structured based detection techniques are categorized into the following sub-parts [32].

1) Signature Based Detection

The first and most widely used, but not very successful, technique is signature based detection. It is only successful for already known Botnets. Some authors used the list of IRC nicknames and applied n-gram analysis for detecting whether a chat is from an infected bot or not [35]. Other researchers collected IP addresses for examination of whether they were really malicious or not. Systems like Honeynet, Honeypots, and Snort can be used for monitoring intrusion. These are successful detection and analysis techniques at good cost and without false positives [32, 36-37]. These check every intruder based on their signature [17]. However, signature based techniques are not successful for unknown BOTNETs; therefore, some use techniques such as metamorphic and polymorphic [18].

2) DNS Based Detection

DNS queries are performed by bots to reach the command and control (C&C) server, which is hosted by a Dynamic DNS provider (DDNS). So by examining the DNS traffic we can detect DNS traffic anomalies [19]. In 2004-05 ideas were given to detect domain names by unusually high or temporarily intense DDNS queries. But both of these can be evaded, either by false DNS queries or by false positives on such domains which use DNS with a short Time to Live (TTL) [20]. In the following year, an approach based on abnormally recurring NXDOMAIN reply rates was proposed. They pointed out that DDNS responses indicating a name error (NXDOMAIN) sometimes point to BOTNET C&C servers blocked by cyber security defenders. Such bots have a vulnerability to start a similar infection once again, by the help of which we can suspect and capture many domain names with fewer false positives [21]. Another promising technique came up with passive analysis of DNS-based Black-hole List (DNSBL) lookup traffic, which helped in counter-intelligence of inspection activity due to the Supervisor-Bot's ability to use DNSBL lookups before an attack. However this has two problems: first it has high false positives, and second it cannot detect distributed inspection [22]. In 2007 Hyunsang Choi et al. monitored group activities in DNS traffic, where the group queries generated by distributed bots share the same features, which distinguishes them from normal legitimate DNS queries. This approach can detect even encrypted channels along with C&C server migration as well [19]. The extra processing time required for monitoring is a problem with this approach. Peter et al. presented a system in 2009 which aims to detect bot-infected machines, independent of any prior information about the C&C channels or propagation vectors, and without requiring multiple infections for correlation [23].
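The DNS-side signals surveyed above (recurring NXDOMAIN replies, short-TTL dynamic-DNS names, and Choi et al.'s group activity) can be combined into a small detector over resolver logs. This is an added example, not code from the survey or from the cited papers; the log format, client addresses, domain names and thresholds are constructed assumptions.

```python
"""DNS-side botnet indicators over a constructed resolver log (added example,
not code from the survey or the papers it cites).  It combines recurring
NXDOMAIN replies to the same clients, short-TTL (dynamic-DNS style) names, and
group activity: the same fixed set of hosts querying one name window after
window.  Log format, addresses, names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log, one reply per line: "<seconds> <client> <qname> <rcode> <ttl>".
SAMPLE_LOG = """\
0 10.0.0.11 update.example-ddns.test NXDOMAIN 0
0 10.0.0.12 update.example-ddns.test NXDOMAIN 0
0 10.0.0.13 update.example-ddns.test NXDOMAIN 0
1 10.0.0.11 cc-a.example-ddns.test NOERROR 60
1 10.0.0.12 cc-a.example-ddns.test NOERROR 60
1 10.0.0.13 cc-a.example-ddns.test NOERROR 60
5 10.0.0.20 www.example.test NOERROR 3600
9 10.0.0.22 www.example.test NOERROR 3600
12 10.0.0.11 www.example.test NOERROR 3600
30 10.0.0.11 update.example-ddns.test NXDOMAIN 0
30 10.0.0.12 update.example-ddns.test NXDOMAIN 0
30 10.0.0.13 update.example-ddns.test NXDOMAIN 0
31 10.0.0.11 cc-a.example-ddns.test NOERROR 60
31 10.0.0.12 cc-a.example-ddns.test NOERROR 60
31 10.0.0.13 cc-a.example-ddns.test NOERROR 60
40 10.0.0.23 www.example.test NOERROR 3600
44 10.0.0.24 www.example.test NOERROR 3600
48 10.0.0.25 www.example.test NOERROR 3600
60 10.0.0.11 update.example-ddns.test NXDOMAIN 0
60 10.0.0.12 update.example-ddns.test NXDOMAIN 0
60 10.0.0.13 update.example-ddns.test NXDOMAIN 0
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: int
    client: str
    qname: str
    rcode: str
    ttl: int


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, rcode, ttl = line.split()
        records.append(DnsRecord(int(ts), client, qname.lower(), rcode, int(ttl)))
    return records


def recurring_nxdomain_clients(records, min_nx=3):
    """Clients that keep receiving NXDOMAIN, as bots retrying a blocked C&C name do."""
    counts = defaultdict(int)
    for r in records:
        if r.rcode == "NXDOMAIN":
            counts[r.client] += 1
    return {c: n for c, n in counts.items() if n >= min_nx}


def group_activity(records, window):
    """qname -> list of client sets, one per time window, in time order."""
    per_name = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_name[r.qname][r.ts // window].add(r.client)
    return {q: [w[k] for k in sorted(w)] for q, w in per_name.items()}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def suspicious_domains(records, window=30, min_group=3, min_similarity=0.8,
                       short_ttl=300, nx_fraction=0.5):
    """Names queried by a stable group of >= min_group hosts in consecutive
    windows which also look like C&C names (short TTL, or mostly NXDOMAIN).
    Returns {qname: mean Jaccard similarity of the querying group}."""
    ttl_floor, nx, total = {}, defaultdict(int), defaultdict(int)
    for r in records:
        total[r.qname] += 1
        if r.rcode == "NXDOMAIN":
            nx[r.qname] += 1
        elif r.rcode == "NOERROR":
            ttl_floor[r.qname] = min(ttl_floor.get(r.qname, r.ttl), r.ttl)
    flagged = {}
    for qname, windows in group_activity(records, window).items():
        groups = [w for w in windows if len(w) >= min_group]
        if len(groups) < 2:
            continue  # no repeated group activity to compare
        score = sum(jaccard(a, b) for a, b in zip(groups, groups[1:])) / (len(groups) - 1)
        looks_like_cc = (ttl_floor.get(qname, short_ttl + 1) <= short_ttl
                         or nx[qname] / total[qname] >= nx_fraction)
        if score >= min_similarity and looks_like_cc:
            flagged[qname] = round(score, 3)
    return flagged
```

On the constructed log, `www.example.test` is queried by three hosts in every window too, but by a different three each time, so it is not flagged; the two dynamic-DNS names are queried by the same fixed trio window after window and are.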

B. Behavior Based Detection

This is more successful than structured based techniques and methods [30]. A Botnet can be detected by its attack behavior, such as sending a huge amount of spam in a short time using Simple Mail Transfer Protocol (SMTP), spam server traffic properties, spam payloads used to build a spam signature generation framework, recruiting new supervisor and soldier hosts, DDoS attacks using Synchronize (SYN), Internet Control Message Protocol (ICMP) or HTTP floods, phishing by changing a bot into a DNS server, and stealing sensitive data using SDbot software [27].

1) Anomaly Based Detection

As discussed earlier, anomaly-based detection techniques were introduced to overcome the drawbacks in the works of Binkley et al. [24] and Karasaridis et al. [5]. But even then anomaly based detection has a high false positive rate due to the complication involved in determining the features to be brought under consideration. These techniques get signals of the presence of bots from characteristics like high network latency, high volumes of traffic, traffic on unusual ports, and unusual system behavior in the network. Karasaridis et al. proposed an algorithm for the detection and characterization of BOTNETs using passive analysis based on encrypted flow data in the transport layer, without joining the Botnet [5]. Anomaly based detection cannot detect a BOTNET in sleeping mode unless it is awakened and starts being used. But Binkley and Singh solved this by combining a TCP based anomaly with IRC tokenization and IRC message statistics to create a system which can detect client and server BOTNETs if the IRC commands are not encrypted [24]. Gu et al. have proposed BotSniffer, which works on network-based anomalies to identify Botnet C&C channels in a local area network. It observes the high synchronization between bots of the same Botnet. It uses a few more algorithms for detection in correlated network flows with low false positives [25]. Basheer Al-Duwairi and Lina Al-Ebbini used fuzzy logic, which does not work on a specific pattern. The proposed system, called BotDigger, utilizes fuzzy logic which derives logical rules based on defined Botnet characteristics. It depends on the nature of the problem and does not follow a fixed pattern. First regions are defined, then rules for each situation and its response, based on ranks, which determine the mapping based on those rules. Centroid defuzzification is applied for the least value in all points where the membership function has a membership value equal to one. It is one of the most reliable and flexible approaches compared to other techniques [42].

2) Communication Pattern of Botnet

In general the network flow defines both the attack and the attack mechanism, but the BOTNET mechanism is always different for future attacks. When an attack is done, you can trace and examine its mechanism and root. Data mining is used for the detection of unusual patterns, intrusion, and malicious code without examining the content of traffic. Besides data mining, visualization is used for retrieving information which is easy for humans to understand and to monitor traffic flow. It is accessed through multiple layers of data mining techniques [33]. Cyber security defenders check the communication characteristics between a Supervisor-Bot and a Soldier-Bot at the transport layer, such as for TCP or UDP. Defenders check the source and destination IP, port and protocol identifier. Furthermore we can divide these into static and dynamic characteristics. The former are constant while the latter change during the lifetime. Static characteristics are derived from inside the packet (header), i.e. start, stop and duration, while dynamic ones are derived from outside the packet, such as arrival, departure, throughput, and burst time of the payload information of the packet [39]. Selecting a precise set of characteristics, defining a unique flow as an object and then comparing it with other objects provides more information, which helps in monitoring. In high security, low information gives rise to false positives. Traffic content, however, is now encrypted with the evolution of Botnets, and as a result content based detection approaches fail. So data mining techniques are applied on that limited data to overcome the problem [26]. In 2010 Hossein Rouhani Zeidanloo et al. presented a technique for detecting Botnets by using traffic analysis. This is done in four steps: Filtering, Application Classifier, Traffic Monitoring, and Malicious Activity Detector. The filtering process filters irrelevant traffic flows, which makes the application classifier faster by separating IRC and HTTP traffic. Similar behavior and communication patterns are monitored in the traffic monitoring stage, while the malicious activity detector analyzes the traffic for unwanted traffic from some internal hosts. This does not require any prior information about Botnets and their signatures [39]. Model-KCFM was presented by Jian Kang and Yuan-Zhang Song in 2010; it uses a discrete Kalman filter for detecting the abnormal net flow uniqueness properties along with multi-chart CUSUM for clarity of the irregularity. It analyzes the UDP packets, which increase up to 20 times as the communication starts between bots. Along with that, ICMP packets start activating at a tremendous rate, from 100 to 1000. This shows that the model is quite sensitive enough for the detection of bots in the network [41].

IV. PREVENTION & MITIGATION OF BOTNET

Unfortunately less work has been done in this category, which needs real hard work. There are different types of attacks done, such as spamming, DDoS, phishing, identity theft, etc. That is why it is a big threat for all. Researchers are working hard in university circles and industry to find prevention and mitigation techniques, from simple to the most complicated. A cyber defender can ask for cooperation from a home user or college lab administrator to kill the process, which is a hard job because there are millions of Soldier-Bots in the world, either working willingly or by force. Therefore some automated task force should be prepared which can stop the bot, destroy the C&C server, and control the Supervisor-Bot. In 2007 Collins et al. worked to predict future botnet addresses by the help of network uncleanliness, which uses spatial (compromised hosts tend to cluster) and temporal (the tendency to contain compromised hosts for an extended period) uncleanliness [28]. In the same year, Alex Brodsky et al. proposed a distributed content-independent spam classification system to defend against Botnet-generated spam, but till now it does not have such good results [30]. In 2008 Carlton et al. used Sybil attacks as a mitigation strategy against the Storm Botnet, which uses P2P networks in order to disseminate commands to the bots [29]. Whereas, recently Ping Wang et al. proposed a hybrid P2P Botnet attack. To prevent and mitigate such advanced attacks, honeypots can play an important role. We have to deploy honeypots more professionally and kill the communication channel without any information or exposure reaching the Supervisor-bots. Cyber defenders have to look for static global IP addresses and stop them from being compromised [38].

Trend Micro provides a Botnet Identification Service at a high rate per bot. The company provides customers the real-time Botnet C&C bot-master address list via BGP peering between the Trend Micro Botnet Identification Service (BIS) router and the customer's Border Gateway Protocol (BGP) border router. But this is very expensive for a normal user [16].

V. FUTURE PROSPECTS

Botnets are an emerging serious threat for cyber security. In the last ten to fifteen years malware has evolved at a greater speed than security technology, which gave an advantage to cybercriminals. They face fewer barriers, are mysterious and safe, have less chance of being caught, and face almost no capital punishment even if caught, compared to traditional crimes in the physical world. So there are no legal liabilities against them. Cyber defenders have to think in advance about the expected steps a Supervisor-bot or cybercriminal can take, what other technology they can use, and what steps should be taken for prevention and mitigation. Some of the steps to be taken to study the mind of the supervisor-bot are as follows:
1) Make a data warehouse of known bots for future use in data mining, and make an algorithm that uses that data for the mitigation of attacks.
2) Honeypot based defense is so popular and used mostly; it is predicted and possible that one day supervisor-bots will have a defense mechanism in their bots for the detection of honeypots.
3) Make anti-bot application software which can work against Botnet attacks as antivirus does against viruses, etc.
4) New testbeds are required to be developed which allow testing in large-scale networks, in either open or closed environments.
5) Obtaining Botnet sample code is required for analysis, but criminals do not want their malware to be examined, and cyber defenders also feel hesitation with untrusted ones.
Getting visibility, analysis and understanding of Botnet operations is very difficult, and it is nearly impossible to reproduce Botnet actions. Therefore a huge environment is required which can provide testbeds for a variety of scenarios and attacks. Two famous testbeds mostly used are PlanetLab [31] and DETER [5]. Researchers have to work a lot in the field of prevention and mitigation.

VI. CONCLUSION

The steep rise in computer network attacks, mostly due to Botnets, has significantly highlighted the need to work on an effective and efficient remedy for Botnets. That is why one has to work ahead of the hackers, not only on the after-effects but before the attacks are done. In this survey we analyzed the protocols being used by the Supervisor-bots and how they evolved with the passage of time, how cyber defenders proposed and worked on the detection of cyberattacks from known and unknown BOTNETs, and the ideas and techniques given for prevention and mitigation. But unfortunately for prevention and mitigation till now no sufficient work has been done.

REFERENCES
[1] B. Saha and A. Gairola, “Botnet: An overview,” CERT-In White Paper CIWP-2005-05, 2005.
[2] M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” in Proc. 6th ACM SIGCOMM Conference on Internet Measurement (IMC’06), 2006, pp. 41–52.
[3] Gu-Hsin Lai, Chia-Mei Chen, Ray-Yu Tzeng, Chi-Sung Laih, Christos Faloutsos, “Botnet Detection by Abnormal IRC Traffic Analysis”.

[4] http://www.kaspersky.com/reading_room?chapter=207716701
[5] Maryam Feily, Alireza Shahrestani, “A Survey of Botnet and Botnet Detection”, Third International Conference on Emerging Security Information, Systems and Technologies, IEEE 2009.
[6] David Dittrich, Sven Dietrich, “P2P as botnet command and control: a deeper insight”, Applied Physics Laboratory, University of Washington, IEEE 2008.
[7] Wang Hailong, Gong Zhenghu, “Heterogeneous Multi-sensor Information Fusion Model for Botnet Detection”, International Conference on Intelligent Computation Technology and Automation (ICICTA), IEEE 2010, DOI 10.1109/ICICTA.2010.575.
[8] Jerome Francois, Shaonan Wang, Walter Bronzi, Radu State, and Thomas Engel, “BotCloud: Detecting Botnets Using MapReduce”, in IEEE International Workshop on Information Forensics and Security, pp. 1-6, Nov 29-Dec 2, 2011.
[9] Wenjie Lin and David Lee, “Traceback Attacks in Cloud—Pebbletrace Botnet”, in 32nd International Conference on Distributed Computing Systems, pp. 417-426, June 18-21, 2012.
[10] ISI, “The Deterlab Network Security Testbed based on Emulab,” http://www.deterlab.net, 2007.
[11] Paul Barford, Mike Blodgett, “Toward botnet mesocosms”, Proceedings of the First Workshop on Hot Topics in Understanding Botnets, April 10, 2007, Cambridge, MA.
[12] Brandon Shirley, Chad D. Mano, “Sub-Botnet Coordination Using Tokens in a Switched Network”, 978-1-4244-2324-8/08, 2008 IEEE.
[13] Dae-il, Minsoo Kim, Hyun-chul Jung, Bong-Nam Noh, “Analysis of HTTP2P Botnet: case study Waledac”, 978-1-4244-5532-4/09, 2009 IEEE.
[14] Ping Wang, Sherri Sparks, and Cliff C. Zou, “An Advanced Hybrid Peer-to-Peer Botnet”, IEEE Transactions on Dependable and Secure Computing, Vol. 7, No. 2, April-June 2010.
[15] Carlton R. Davis, Jose M. Fernandez, Stephen Neville, John McHugh, “Sybil attacks as a mitigation strategy against the Storm botnet”, 978-1-4244-3289-9/08, 2008 IEEE.
[16] “Taxonomy of Botnet Threats”, A Trend Micro White Paper, http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/botnettaxonomywhitepapernovember2006.pdf, November 2006.
[17] Honeynet Project and Research Alliance, “Know your enemy: Tracking Botnets”, March 2005, http://www.honeynet.org/papers/bots/
[18] Yong Tang, Shigang Chen, “Defending Against Internet Worms: A Signature-Based Approach”, 2005 IEEE.
[19] Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim, “Botnet Detection by Monitoring Group Activities in DNS Traffic”, IEEE, DOI 10.1109/CIT.2007.90.
[20] Chao Li, Wei Jiang, Xin Zou, “Botnet: Survey and Case Study”, 978-0-7695-3873-0/09, IEEE.
[21] Antoine Schonewille, Dirk-Jan van Helmond, “The Domain Name Service as an IDS: How DNS can be used for detecting and monitoring badware in a network”, Research Project for the Master System and Network Engineering at the University of Amsterdam, February 5, 2006.
[22] A. Ramachandran, N. Feamster, and D. Dagon, “Revealing botnet membership using DNSBL counter-intelligence,” in Proc. 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI ’06), 2006.
[23] Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda, “Automatically Generating Models for Botnet Detection”, ESORICS 2009.
[24] J. R. Binkley and S. Singh, “An algorithm for anomaly-based botnet detection,” in Proc. USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI’06), 2006, pp. 43–48.
[25] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet command and control channels in network traffic,” in Proc. 15th Annual Network and Distributed System Security Symposium (NDSS’08), 2008.
[26] G. Schaffrath and B. Stiller, “Conceptual Integration of Flow-Based and Packet-Based Network Intrusion Detection”, LNCS, Springer, 2008, pp. 190–194.
[27] Reinier Schoof and Ralph Koning, “Detecting peer-to-peer botnets”, System and Network Engineering, University of Amsterdam, 2007, http://www.delaat.net/~cees/sne-2006-2007/p17/report.pdf
[28] M. Patrick Collins, Timothy J. Shimeall, Sidney Faber, Jeff Janies, Rhiannon Weaver, Markus De Shon, “Using uncleanliness to predict future botnet addresses”, ACM, August 2007.
[29] Carlton R. Davis, Jose M. Fernandez, Stephen Neville, John McHugh, “Sybil attacks as a mitigation strategy against the Storm botnet”, IEEE 2008.
[30] A. Brodsky and D. Brodsky, “A distributed content independent method for spam detection”, in Proc. of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007), 2007.
[31] Vrizlynn L. L. Thing, Morris Sloman, and Naranker Dulay, “A Survey of Bots Used for Distributed Denial of Service Attacks”, 22nd IFIP International Information Security Conference (SEC), Sandton, Gauteng, South Africa, May 2007.
[32] G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, “BotHunter: Detecting malware infection through IDS-driven dialog correlation,” in Proc. of the 16th USENIX Security Symposium (Security 2007), 2007.
[33] Mohammad M. Masud, Tahseen Al-Khateeb, Latifur Khan, Bhavani Thuraisingham, Kevin W. Hamlen, “Flow Based Identification of Botnet Traffic by Mining Multiple Log Files”, 978-1-4244-2313-2/08, 2008 IEEE.
[34] Wen-Hwa Liao, Chia-Ching Chang, “Peer to Peer Botnet Detection Using Data Mining Scheme”, 978-1-4244-5143-2/10, 2010 IEEE.
[35] Jan Goebel, Thorsten Holz, “Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation”, HotBots’07, Proceedings of the First Workshop on Hot Topics in Understanding Botnets, ACM.
[36] Honeynet Project and Research Alliance, “Know your enemy: Tracking botnets”, http://www.honeynet.org/papers/bots/, 2005.
[37] Chinese Honeynet Project, http://www.honeynet.org.cn/
[38] Ping Wang, Sherri Sparks, and Cliff C. Zou, “An Advanced Hybrid Peer-to-Peer Botnet”, IEEE Transactions on Dependable and Secure Computing, Vol. 7, No. 2, April-June 2010.
[39] Hossein Rouhani Zeidanloo, Azizah Bt Manaf, Payam Vahdani, Farzaneh Tabatabaei, Mazdak Zamani, “Botnet Detection Based on Traffic Monitoring”, International Conference on Networking and Information Technology, 978-1-4244-7578-0, 2010 IEEE.
[40] Wen-Hwa Liao, Chia-Ching Chang, “Peer to Peer Botnet Detection Using Data Mining Scheme”, 978-1-4244-5143-2/10, 2010 IEEE.
[41] Jian Kang, Yuan-Zhang Song, “Detecting New Decentralized Botnet Based on Kalman Filter and Multi-chart CUSUM Amplification”, 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing, 978-0-7695-4011-5/10, IEEE, DOI 10.1109/NSWCTC.2010.10.
[42] Basheer Al-Duwairi, Lina Al-Ebbini, “BotDigger: A Fuzzy Inference System for Botnet Detection”, 978-0-7695-4023-8/10, IEEE, DOI 10.1109/ICIMP.2010.11.
[43] Su Chang, Thomas E. Daniels, “P2P Botnet Detection using Behavior Clustering & Statistical Tests”, AISec’09, November 9, 2009, Chicago, Illinois, USA, ACM 978-1-60558-781-3/09/11.