Botnet Detection Techniques
Presentation Transcript

  • Botnet Detection Techniques, by Team Firefly (Technical Support for System Errors and Security Issues), Cyber Security Awareness Program, Friday, October 18, 2013
  • Outline
    - Introduction to Botnet
    - Botnet Life-cycle
    - Botnet in Network Security
    - Botnet Uses
    - Botnet Detection
    - Preventing Botnet Infection
    - Botnet Research
    - Conclusion
    - References
  • Introduction to Botnet
    A botnet is a network of compromised computers under the control of a remote attacker.
    Botnet terminology:
    - Bot Herder (Bot Master)
    - Bot
    - Bot Client
    - IRC Server
    - Command and Control Channel (C&C)
  • Introduction to Botnet (Terminology): diagram with the Bot Master, Code Server, IRC Server and IRC Channel, Bots, C&C traffic, Updates, Attack and Victim
  • Botnet Life-cycle (four diagram slides, no text)
  • Botnet in Network Security
    - Internet users are getting infected by bots
    - Corporate and end users are often trapped in botnet attacks
    - Today 16-25% of the computers connected to the internet are members of a botnet
    - In this network the bots are located in various locations
    - This makes it difficult to track illegal activities
    - This behaviour makes a botnet an attractive tool for intruders and increases the threat to network security
  • Botnet is Used For (diagram centred on the Bot Master)
  • How is a Botnet Used?
    - Distributed Denial of Service (DDoS) attacks
    - Sending spam
    - Phishing (fake websites)
    - Adware (Trojan horse)
    - Spyware (keylogging, information harvesting)
    - Click fraud
    So it is really important to detect this attack.
  • Botnet Detection
    Two approaches for botnet detection, based on:
    - Setting up honeynets
    - Passive traffic monitoring
      - Signature based
      - Anomaly based
      - DNS based
      - Mining based
  • Botnet Detection: Setting up Honeynets
    Windows Honeypot, Honeywall
    Responsibilities:
    - DNS/IP address of IRC server and port number
    - (optional) password to connect to IRC server
    - Nickname of bot
    - Channel to join and (optional) channel password
  • Botnet Detection: Setting up Honeynets (diagram: Bot, Sensor, Bot Master)
    1. Malicious traffic
    2. Inform bot's IP
    3. Authorize
  • Botnet Detection: Traffic Monitoring
    - Signature based: detection of known botnets
    - Anomaly based: detect botnets using the following anomalies
      - High network latency
      - High volume of traffic
      - Traffic on unusual ports
      - Unusual system behaviour
    - DNS based: analysis of DNS traffic generated by botnets
  • Botnet Detection: Traffic Monitoring
    - Mining based:
      - Botnet C&C traffic is difficult to detect
      - Anomaly based techniques are not useful
      - Data mining techniques: classification, clustering
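The anomaly-based and DNS-based heuristics on the two traffic-monitoring slides, worked through as a small scoring pass over flow and DNS records. This is an added example, not code from the presentation; the records, the expected-port set, the allow-listed domain and the byte threshold are all constructed for illustration.

```python
from collections import Counter, defaultdict
# Constructed sample data (not real traffic). Flow record: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 6667, 1200), ("10.0.0.5", "203.0.113.9", 6667, 900),     # IRC-style port
    ("10.0.0.7", "203.0.113.9", 6667, 1100), ("10.0.0.5", "198.51.100.2", 80, 12_000_000),  # big burst
    ("10.0.0.8", "198.51.100.3", 443, 40_000), ("10.0.0.9", "198.51.100.4", 443, 25_000),    # web clients
]
# Constructed DNS query log: (src_ip, queried_name)
DNS = [
    ("10.0.0.5", "update.example.net"), ("10.0.0.7", "update.example.net"),
    ("10.0.0.9", "update.example.net"), ("10.0.0.8", "www.example.com"),
    ("10.0.0.9", "www.example.com"), ("10.0.0.5", "www.example.com"),
]

EXPECTED_PORTS = {22, 25, 53, 80, 443}   # ports normal for this hypothetical network
KNOWN_GOOD_DOMAINS = {"www.example.com"}  # allow-list of names many hosts legitimately share
VOLUME_THRESHOLD = 5_000_000              # outbound bytes per host before "high volume" fires

def unusual_port_hosts(flows, expected=EXPECTED_PORTS):
    """Slide heuristic 'traffic on unusual port': host -> set of unexpected destination ports."""
    hits = defaultdict(set)
    for src, _dst, port, _nbytes in flows:
        if port not in expected:
            hits[src].add(port)
    return dict(hits)

def high_volume_hosts(flows, threshold=VOLUME_THRESHOLD):
    """Slide heuristic 'high volume of traffic': hosts whose total outbound bytes reach the threshold."""
    totals = Counter()
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return {host for host, total in totals.items() if total >= threshold}

def rendezvous_domains(dns, min_hosts=3, known_good=KNOWN_GOOD_DOMAINS):
    """DNS-based heuristic: a non-allow-listed name resolved by many hosts looks like a C&C rendezvous."""
    hosts_by_name = defaultdict(set)
    for src, name in dns:
        if name not in known_good:
            hosts_by_name[name].add(src)
    return {name: hosts for name, hosts in hosts_by_name.items() if len(hosts) >= min_hosts}

def score_hosts(flows, dns):
    """One point per heuristic a host trips; analysts review the highest scores first."""
    score = Counter()
    score.update(unusual_port_hosts(flows).keys())   # keys only, so Counter counts hosts
    score.update(high_volume_hosts(flows))
    for hosts in rendezvous_domains(dns).values():
        score.update(hosts)
    return dict(score)
```

A real deployment would baseline the expected ports, volumes and shared domains from the network's own history rather than from fixed constants, since the slide's point that these anomalies alone miss stealthy C&C still holds.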
  • Botnet Detection  Determining the source of a botnet-based attack is challenging:  Traditional approach:  Every zombie host is an attacker  Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack  New trend:  P2P networks Page  17
  • Preventing Botnet Infections  Use a Firewall  Patch regularly and promptly  Use Antivirus (AV) software  Deploy an Intrusion Prevention System (IPS)  Implement application-level content filtering  Define a Security Policy and  Share Policies with your users systematically Page  18
  • Botnet Research  Logging onto herder IRC server to get info  Passive monitoring Either listening between infected machine and herder or spoofing infected PC  Active monitoring: Poking around in the IRC server  Sniffing traffic between bot & control channel Page  19
  • Botnet Research: Monitoring Attacker Infected Hi! IRC Researcher Page  20 Herder
  • Conclusion  Botnets pose a significant and growing threat against cyber security  It provides key platform for many cyber crimes (DDOS)  As network security has become integral part of our life and botnets have become the most serious threat to it  It is very important to detect botnet attack and find the solution for it Page  21
  • References B. Saha and A, Gairola, “Botnet: An overview,” CERT-In White PaperCIWP-2005-05, 2005  Peer to Peer Botnet detection for cyber-security: A data mining approach - ACM Portal Mohammad M. Masud, Jing Gao, Latifur Khan, Jiawei Han, Bhavani Thuraisingham  A Survey of Botnet and Botnet Detection Feily, M.; Shahrestani, A.; Ramadass, S.; Emerging Security Information, Systems and Technologies, 2009. SECURWARE '09. Third International Conference on Digital Object Publication Year: 2009 , Page(s): 268 – 273 IEEE CONFERENCES  Honeynet-based Botnet Scan Traffic Analysis Zhichun Li, Anup Goyal, and Yan Chen Northwestern University, Evanston, IL 60208  Detecting Botnets Using Command and Control Traffic AsSadhan, B.; Moura, J.M.F.; Lapsley, D.; Jones, C.; Strayer, W.T.; Network Computing and Applications, 2009. NCA 2009. Eighth IEEE International Symposium. Publication Year: 2009 , Page(s): 156 – 162 IEEE CONFERENCES  Spamming botnets: signatures and characteristics Yinglian Xie, Fang Yu Page  22
  • Page  23
  • Page  24