Towards Situational Awareness of Large-Scale Botnet Probing Events

ABSTRACT:

Botnets dominate today’s attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale “botnet probes.” In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

EXISTING SYSTEM:

• Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption: all of these mechanisms are used defensively to protect one’s resources.

www.nanocdac.com www.nsrcnano.com branches: hyderabad nagpur
• A variety of detection tools exist, such as Intrusion Detection Systems (IDS) and firewalls, but the main problem is that they only react to preconfigured and therefore known attacks.
• The existing system produces only simulation results.
• There is no secured architecture for data sharing.
• The existing system can only run on a single system.

PROPOSED SYSTEM:

• In order to deal with these challenging and complex ideas on information sharing, we must consider one of the premier drivers that provides the infrastructure to achieve this notion of Core to Edge security to enable information sharing.
• The proposed system can note the IP address of hackers and can identify what type of file they want to access and what password and key were given by the hackers to access the file.
• This system can produce real-time results.
• It can run on more than one system without changes, and can run on a single system too.
• The primary purpose of a honeynet is to gather information about the threats that exist. The proposed system does not use a real-time honeynet, but an offline type of honeypot, which only views previously collected data.
HARDWARE SPECIFICATION

The required hardware interfaces are a LAN and a standard PC.
Processor Type : Pentium-IV
Speed : 2.4 GHz
RAM : 128 MB
Hard disk : 20 GB

SOFTWARE SPECIFICATION

A tool is used for capturing packets from the network.
Operating system : Windows XP
Tools : Eclipse
SDK : JDK 1.5.0
Database : MS-Access

MODULES

1. Key generation
2. Construct botnet (Proposed Secured System for Data Sharing)
3. Monitoring

Key generation

Command Authentication

Compared with a C&C botnet, because bots in the proposed botnet do not receive commands from predefined places, it is especially important to implement strong command authentication. A standard public-key authentication would be sufficient. A botmaster generates a pair of public/private keys, ⟨K+, K−⟩, and hard-codes the public key K+ into the bot program before releasing it and building the botnet. There is no need for key distribution because the public key is hard-coded in the bot program. Later, the command messages sent from the botmaster can be digitally signed by the private key K− to ensure their authenticity and integrity. This public-key-based authentication could also be readily deployed by current C&C botnets. So botnet hijacking is not a major issue.

Implementation of individualized encryption key and service port

In the proposed botnet, each servent bot i randomly generates its symmetric encryption key Ki. Suppose the peer list on bot A is denoted by LA. It will not only contain the IP addresses of M servent bots, but also the symmetric keys used by these servent bots. Thus, the peer list on bot A is:

LA = { (IPi1, Ki1), (IPi2, Ki2), ..., (IPiM, KiM) }

where (IPij, Kij) are the IP address and symmetric key used by servent bot ij. With such a peer list design, each servent bot uses its own symmetric key for incoming connections from any other bot. This is applicable because if bot B connects to a servent bot A, bot B must have (IPA, KA) in its peer list.
This individualized encryption guarantees that if defenders capture one bot, they only obtain the keys used by the M servent bots in the captured bot’s peer list. Thus the encryption among the remaining botnet will not be compromised.

DATA ENCRYPTION / DECRYPTION:

The Blowfish involves replacing each letter of the alphabet with the letter standing k places further down the alphabet.

Encryption:

Blowfish is a Feistel network consisting of 16 rounds (see Figure 1). The input is a 64-bit data element, x.

Divide x into two 32-bit halves: xL, xR
For i = 1 to 16:
    xL = xL XOR Pi
    xR = F(xL) XOR xR
    Swap xL and xR
Swap xL and xR (undo the last swap)
xR = xR XOR P17
xL = xL XOR P18
Recombine xL and xR

Function F (see Figure 2):

Divide xL into four eight-bit quarters: a, b, c, and d
F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32

Decryption:

It is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order.

This algorithm is used to encrypt all the data before it is sent to the user. Using the private key k, it is decrypted on the end-user side. Only a user who knows the private key can decrypt the data.

REFERENCE:
Zhichun Li, Anup Goyal, Yan Chen, and Vern Paxson, “Towards Situational Awareness of Large-Scale Botnet Probing Events”, IEEE Transactions on Information Forensics and Security, Vol. 6, No. 1, March 2011.
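The 16-round Feistel structure and round function F from the DATA ENCRYPTION / DECRYPTION section above, written out as runnable Python. This is an added example, not code from the project or the paper; the P-array and S-boxes are filled from a seeded PRNG as labelled placeholders (real Blowfish derives them from the digits of pi and the user key), so the block shows the round structure and why decryption is encryption with P reversed, not a real cipher.

```python
import random

MASK32 = 0xFFFFFFFF


def make_tables(seed=1):
    """Return (P, S): subkeys P1..P18 and four 256-entry 32-bit S-boxes.

    Constructed placeholders: real Blowfish initialises these from the hex
    digits of pi and then mixes the key in. A seeded PRNG keeps the example
    self-contained; these tables carry no cryptographic strength.
    """
    rng = random.Random(seed)
    P = [rng.getrandbits(32) for _ in range(18)]
    S = [[rng.getrandbits(32) for _ in range(256)] for _ in range(4)]
    return P, S


def F(xL, S):
    """Split xL into bytes a, b, c, d and compute
    ((S1[a] + S2[b] mod 2^32) XOR S3[c]) + S4[d] mod 2^32."""
    a, b, c, d = xL >> 24, (xL >> 16) & 0xFF, (xL >> 8) & 0xFF, xL & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32


def encrypt_block(x, P, S):
    """Encrypt one 64-bit block x with the 16-round Feistel network."""
    xL, xR = (x >> 32) & MASK32, x & MASK32   # two 32-bit halves
    for i in range(16):
        xL ^= P[i]                             # xL = xL XOR Pi
        xR ^= F(xL, S)                         # xR = F(xL) XOR xR
        xL, xR = xR, xL                        # swap xL and xR
    xL, xR = xR, xL                            # undo the last swap
    xR ^= P[16]                                # xR = xR XOR P17
    xL ^= P[17]                                # xL = xL XOR P18
    return (xL << 32) | xR                     # recombine


def decrypt_block(y, P, S):
    """Decryption is the same network with P1..P18 used in reverse order."""
    return encrypt_block(y, P[::-1], S)


def roundtrip_ok(x, seed=1):
    """True when decrypt(encrypt(x)) restores x under the same tables."""
    P, S = make_tables(seed)
    return decrypt_block(encrypt_block(x, P, S), P, S) == x


if __name__ == "__main__":
    P, S = make_tables()
    x = 0x0123456789ABCDEF
    y = encrypt_block(x, P, S)
    print(hex(x), "->", hex(y), "->", hex(decrypt_block(y, P, S)))
```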