2. What is a Bot?
• A malware instance that runs autonomously
and automatically on a compromised
computer (zombie) without the owner's consent
• Profit-driven, professionally written, widely
propagated
• You might have seen them before in chat
rooms, online games, etc.
3. What is a Botnet?
• Botnet (Bot Army): network of bots controlled
by criminals
• Definition: “A coordinated group of malware
instances that are controlled by a botmaster
via some C&C channel”
– Coordinated: do coordinated actions
– Group: yes, it’s a group of bots!
– Botmaster: meet the cybercriminal
– C&C channel: command and control channel
8. Breadth
• Numerous variations of botnets
– According to a 2013 study by Incapsula, more
than 61 percent of all Web traffic is now
generated by bots
– "25% of Internet PCs are part of a botnet" (Vint
Cerf)
• It’s a real threat!
9. What is the Command and Control (C&C) Channel?
• The Command and Control (C&C) channel is needed
so bots can receive their commands and coordinate
fraudulent activities
• The C&C channel is the means by which individual
bots form a botnet
11. What are they used for?
• Distributed Denial-of-Service Attacks
• Spam
• Phishing
• Information Theft
• Distributing other malware
12. Botnet Detection is Hard!
• One out of four PCs infected
• Bots are stealthy on infected machines
• Botnets are dynamically evolving and becoming
more flexible
– Static and signature-based approaches are less effective
• Come in many variations
– Centralized/distributed, different channels, etc.
– There’s no one-size-fits-all solution
13. Existing Techniques not Effective
• AntiVirus tools are evaded
– need to update frequently
– Bots use rootkits to hide on the host
– …
• Intrusion detection systems
– Do not have a big picture
• Past research aims are too specific
– Some apply to specific type of botnet (e.g., IRC-based
only, or centralized only)
– Some apply to specific instances of botnet
14. BotMiner
• Observation:
– Bots in the same botnet show similar communication patterns
– Bots in the same botnet take similar actions
– Bots persist on infected machines for a long time
• Approach: Let’s find machines that have
correlated (similar) communication and
actions over time
15. BotMiner
• Analysis is done over two planes:
C-plane (Communication plane): “who is
talking to whom, and how”
A-plane (Activity plane): “who is doing what”
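The two-plane idea from slides 14 and 15 (cluster hosts by how they communicate, cluster hosts by what they do, then report hosts that fall into a shared cluster on both planes) as an added, simplified example. This is not the BotMiner authors' code: the flow records, activity records and host names are constructed, the C-plane features are reduced to flows per hour and bytes per flow in each direction, clustering is a single-linkage grouping with a relative tolerance rather than BotMiner's X-means, and the cross-plane step links two hosts only when they share a cluster on both planes.

```python
from collections import defaultdict
from itertools import combinations

HOURS_OBSERVED = 24  # length of the constructed observation window

# ---- Constructed sample input (not real traffic) ----
# Flow record: (host, dst_ip, dst_port, proto, bytes_out, bytes_in, hour)
FLOWS = (
    # h1, h2, h3: hourly beacons to the same server with near-identical sizes
    [("h1", "203.0.113.5", 6667, "tcp", 120, 340, h) for h in range(24)]
    + [("h2", "203.0.113.5", 6667, "tcp", 118, 352, h) for h in range(24)]
    + [("h3", "203.0.113.5", 6667, "tcp", 125, 335, h) for h in range(24)]
    # h4: bursty web browsing, large transfers
    + [("h4", "198.51.100.10", 443, "tcp", 2400, 61000, h) for h in (9, 9, 10, 13, 17)]
    # h5: a single visit to the same server the bots use
    + [("h5", "203.0.113.5", 6667, "tcp", 900, 5000, 12)]
)
# Activity record: (host, activity, detail), as a scan or spam detector would emit
ACTIVITIES = [
    ("h1", "scan", "445/tcp"), ("h2", "scan", "445/tcp"), ("h3", "scan", "445/tcp"),
    ("h4", "scan", "445/tcp"),   # admin inventory scan: same activity, different comms
    ("h5", "spam", "smtp"),
]


class UnionFind:
    """Minimal disjoint-set structure used for single-linkage grouping."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def groups(self):
        out = defaultdict(set)
        for x in list(self.parent):
            out[self.find(x)].add(x)
        return list(out.values())


def cflow_features(flows, hours=HOURS_OBSERVED):
    """Aggregate flows into C-flows keyed by (host, dst, port, proto) and derive
    (flows per hour, bytes out per flow, bytes in per flow) for each."""
    agg = defaultdict(lambda: [0, 0, 0])  # count, bytes_out, bytes_in
    for host, dst, port, proto, b_out, b_in, _hour in flows:
        rec = agg[(host, dst, port, proto)]
        rec[0] += 1
        rec[1] += b_out
        rec[2] += b_in
    return {k: (n / hours, bo / n, bi / n) for k, (n, bo, bi) in agg.items()}


def similar(f, g, tol):
    """Feature vectors match when every feature differs by at most tol,
    relative to the larger of the two values."""
    return all(abs(a - b) <= tol * max(a, b) for a, b in zip(f, g))


def cplane_clusters(flows, tol=0.25):
    """C-plane: group C-flows with similar statistics, then map each group
    to the set of hosts that own a C-flow in it."""
    feats = cflow_features(flows)
    uf = UnionFind()
    for k in feats:
        uf.find(k)  # register singletons so unmatched C-flows still appear
    for k1, k2 in combinations(feats, 2):
        if similar(feats[k1], feats[k2], tol):
            uf.union(k1, k2)
    return [{k[0] for k in grp} for grp in uf.groups()]


def aplane_clusters(activities):
    """A-plane: hosts performing the same kind of activity form one cluster."""
    groups = defaultdict(set)
    for host, activity, detail in activities:
        groups[(activity, detail)].add(host)
    return list(groups.values())


def cross_correlate(c_clusters, a_clusters):
    """Link two hosts only if they share a cluster on both planes; the
    connected groups of linked hosts (size >= 2) are the botnet candidates."""
    def pairs(clusters):
        return {frozenset(p) for c in clusters for p in combinations(sorted(c), 2)}
    linked = pairs(c_clusters) & pairs(a_clusters)
    uf = UnionFind()
    for a, b in linked:
        uf.union(a, b)
    return [g for g in uf.groups() if len(g) >= 2]


def detect_botnets(flows, activities, tol=0.25):
    return cross_correlate(cplane_clusters(flows, tol), aplane_clusters(activities))


if __name__ == "__main__":
    for net in detect_botnets(FLOWS, ACTIVITIES):
        print("botnet candidate:", sorted(net))  # prints ['h1', 'h2', 'h3']
```

Note why h4 is not reported: it shares the A-plane cluster (the same port 445 scan) with h1, h2 and h3, but its communication statistics put it in a different C-plane cluster, and h5 shares the bots' destination but neither their timing nor their activity. That is the point of correlating across planes: a single plane on its own produces false positives that the other plane removes.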