Botnets’ diversity and dynamism challenge detection and classification algorithms depend heavily on static or protocol-dependant features. Several methods showing promising results were proposed using behavioral-based approaches. The authors conducted an analysis of botnets’ and bots’ most inherent characteristics such as synchronism and network load within specific time windows to detect them more efficiently. By not relying on any specific protocol, our proposed approach detects infected computers by clustering bots’ network behavioral characteristics using the Expectation-Maximization algorithm. An encouraging false positive error rate of 0.7% shows that bots’ traffic can be accurately separated by our approach by analyzing several bots and non-botnet network captures and applying a detailed analysis of error rates.
TopIntroduction
In the last decade botnets have evolved from being used as a personal activity platform to becoming a financially aimed structure controlled by malicious groups (Wilson, 2007). A botnet is a network of remotely controlled, compromised computers, used for malicious purposes. Hosts in a botnet are called ‘Bots’ and the owner of a botnet is called ‘Botmaster’. From small DDoS (Distributed Denial of Service attacks) to world wide spam campaigns, botnets have become the technological backbone of a growing community of malicious activities (Clinton, 2008) and remain as the most significant threat to the Internet today.
Technology to control malicious programs remotely first surfaced in late 1999 and since then their primary goal has been to obtain financial gain. This situation forced the development of several botnet detection technologies trying to cope with the attacks, but botnets resisted besiege security measures resting on their home based client attacks, circumventing security methods (Stone-Gross, Cova, Cavallaro, Gilbert, Szydlowski, Kemmerer, Kruegel & Vigna, 2009), encryption and anti-reverse engineering techniques. Although the IRC (Internet Chat Relay) protocol has been the most used means of communication among bots, in the last couple of years the trend towards decentralized networks, like P2P (Peer to Peer) (Yan, Eidenbenz & Nago, 2009) (Kang, Zhang, Li & Li, 2009) and Fast-Flux (Ssac, 2008), has made more difficult to shut botnets down.
Several botnet detection methods have been proposed to cope with this problem. A general classification schema includes signature-based methods, protocol-dependant feature analysis and some more recent techniques based on network behavior, but most of these approaches only detect a subset of botnets, limiting their applicability. Signature-based approaches (like looking for certain IRC messages or certain DNS names) only detect what they were configured to. Most of these approaches do not have a correct error rate analysis because they did not propose a testing environment that includes non-botnet data.
To detect every botnet, we find out what botnets and bots have in common. A thorough analysis was performed to learn their most inherent characteristics. Our proposal works under the assumption that botnets most typical characteristics are maliciousness (attacking and infecting, sending SPAM, DDoS, etc.), being remotely managed and synchronization. We also found that bots might synchronize differently when scanning new victims, downloading binary updates, attacking sites, asking for orders or receiving orders, among others situations.
This chapter proposes a new method for bots detection based on network behavioral patterns. We aim at detecting bots in a general practical manner regardless of its connection protocol.