Article Preview
Top1. Introduction
Botnet is a sophisticated piece of malware that poses serious security risks to computing resources. It is actually a network of compromised computers that are remotely controlled by an attacker known as a botmaster through a command-and-control (C&C) server. The C&C server is the main backbone of the network because the botmaster instructs or communicates with the compromised computers, also known as bots, via this C&C server. The botmaster uses a network of these bots to carry out various malicious activities, causing mainly financial losses to several organisations around the world. WannaCry (Shinan et al., 2021) is a ransomware attack that was launched using a botnet in 150 countries in 2017 and resulted a loss of £6 billion worldwide. This attack affected 200,000 computers around the world. ZeuS was another well-known botnet (Atluri & Tran, 2017; Balaban, 2022), which spanned 196 countries and infected over 13 million computers. It is a member of the credentials-stealing trojan family and has caused a loss of more than $120 million. An earlier version of ZeuS was a centralised IRC botnet. Later, an improved P2P variant known as Gameover ZeuS was introduced.
Based on the C&C communication, there are two types of architecture (Miller & Busby-Earle, 2016) of botnets:
Centralised botnets have a designated C&C server. The botmaster uses this C&C server as a central hub to communicate to all bots under its control. One of the main advantages of this architecture is that it provides reliable control and coordination between the botmaster and bots; and also makes monitoring easy for the botmaster. However, it has a vulnerability of a single point of failure. Once the C&C server is detected, it can be blocked. The botmaster will not be able to communicate to other bots as the C&C server is blocked and the entire botnet will collapse. There are two types of botnets that follow centralised architecture. These are:
- •
IRC-based botnets
- •
HTTP-based botnets
Some examples of IRC-based botnets are: Spybot, Agobot, GT bot, etc. Some examples of HTTP-based botnets are: Bobax, ClickBot, Rustock, Blackenergy, etc.
To avoid single point failure vulnerability, decentralised botnets are more frequently used by the botmaster. Botnets that follow decentralised architecture are known as P2P botnets.
A decentralised P2P botnet does not have a designated C&C server. The botmaster can choose any node of the network to act as a C&C server for any moment of time. Thus, bots can behave as a server as well as a client. As C&C is distributed, decentralised botnets are very hard to detect. This category of botnet uses P2P protocol for its communications; hence it is difficult to distinguish normal traffic from bot traffic. P2P botnets are very resilient and robust. Some examples of P2P botnets are: Gameover ZeuS, Mirai, Nsis, FritzFrog, etc.
Recently, many researchers have proposed various methodologies to mitigate the detection and identification of botnets. According to Obeidat (2016), botnet detection techniques can be categorised as follows:
- •
Anomaly-based detection
- •
Signature-based detection
- •
Honeypot-based detection
- •
Node-based detection
- •
Community-based detection
- •
Structure or protocol-based detection
- •
Machine learning algorithm-based detection
- •
Data mining algorithm-based detection