The document discusses botnet detection techniques. It provides an introduction to botnets, describing their terminology and lifecycle. It then covers how botnets pose a threat to network security and how they are used for distributed denial of service attacks, spamming, phishing and more. The document outlines two main approaches to botnet detection: setting up honeynets to monitor infected machines and passive traffic monitoring using signature-based, anomaly-based and DNS-based techniques. It also discusses preventing botnet infections and concludes that botnets are a significant cybersecurity threat and detecting them is important.

1. BotNet Detection Techniques
By
Team Firefly
Technical Support For System Errors
And Security Issues
Cyber Security Awareness Program
On Friday, October 18, 2013

2. Outline
 Introduction to Botnet
 Botnet Life-cycle
 Botnet in Network Security
 Botnet Uses
 Botnet Detection
 Preventing Botnet Infection
 Botnet Research
 Conclusion
 References
Page  2

3. Introduction to Botnet
A Botnet is a network of compromised
computers under the control of a remote attacker.
 Botnet Terminology
 Bot Herder (Bot Master)
 Bot
 Bot Client
 IRC Server
 Command and Control Channel (C&C)
Page  3

4. Introduction to Botnet (Terminology)
IRC Server
IRC Channel
Code Server
Bot Master
IRC Channel
C&C Traffic
Updates
Attack
Victim
Page  4
Bots

5. Botnet Life-cycle
Page  5

6. Botnet Life-cycle
Page  6

7. Botnet Life-cycle
Page  7

8. Botnet Life-cycle
Page  8

9. Botnet In Network Security
 Internet users are getting infected by bots
 Many times corporate and end users are trapped in botnet attacks
 Today 16-25% of the computers connected to the internet are
members of a botnet
 In this network bots are located in various locations
 It will become difficult to track illegal activities
 This behavior makes botnet an attractive tool for intruders and
increase threat against network security
Page  9

10. Botnet is Used For
Page  10
Bot Master

11. How Botnet is Used?
 Distributed Denial of Service (DDoS) attacks
 Sending Spams
 Phishing (fake websites)
 Addware (Trojan horse)
 Spyware (keylogging, information harvesting)
 Click Fraud
So It is really Important to Detect this attack
Page  11

12. Botnet Detection
Two approaches for botnet detection based on
 Setting up honeynets
 Passive traffic monitoring
 Signature based
 Anomaly based
 DNS based
 Mining based
Page  12

13. Botnet Detection: Setting up Honeynets
Windows Honeypot
 Honeywall Responsibilities:
DNS/IP-address of IRC server and port number
(optional) password to connect to IRC-server
Nickname of bot
Channel to join and (optional) channel-password
Page  13

14. Botnet Detection: Setting up Honeynets
Bot
Sensor
1. Malicious Traffic
3. Authorize
Page  14
2. Inform bot’s IP
Bot Master

15. Botnet Detection: Traffic Monitoring
 Signature based: Detection of known botnets
 Anomaly based: Detect botnet using following
anomalies
• High network latency
• High volume of traffic
• Traffic on unusual port
• Unusual system behaviour
 DNS based: Analysis of DNS traffic generated by
botnets
Page  15

16. Botnet Detection: Traffic Monitoring
 Mining based:
• Botnet C&C traffic is difficult to detect
• Anomaly based techniques are not useful
• Data Mining techniques – Classification, Clustering
Page  16

17. Botnet Detection
 Determining the source of a botnet-based attack is challenging:
 Traditional approach:
 Every zombie host is an attacker
 Botnets can exist in a benign state for an arbitrary amount of
time before they are used for a specific attack
 New trend:
 P2P networks
Page  17

18. Preventing Botnet Infections
 Use a Firewall
 Patch regularly and promptly
 Use Antivirus (AV) software
 Deploy an Intrusion Prevention System (IPS)
 Implement application-level content filtering
 Define a Security Policy and
 Share Policies with your users systematically
Page  18

19. Botnet Research
 Logging onto herder IRC server to get info
 Passive monitoring
Either listening between infected machine and
herder or spoofing infected PC
 Active monitoring: Poking around in the IRC server
 Sniffing traffic between bot & control channel
Page  19

20. Botnet Research: Monitoring Attacker
Infected
Hi!
IRC
Researcher
Page  20
Herder

21. Conclusion
 Botnets pose a significant and growing threat against cyber
security
 It provides key platform for many cyber crimes (DDOS)
 As network security has become integral part of our life and
botnets have become the most serious threat to it
 It is very important to detect botnet attack and find the solution
for it
Page  21

22. References
B. Saha and A, Gairola, “Botnet: An overview,” CERT-In White PaperCIWP-2005-05, 2005
 Peer to Peer Botnet detection for cyber-security: A data mining approach - ACM Portal
Mohammad M. Masud, Jing Gao, Latifur Khan, Jiawei Han, Bhavani Thuraisingham
 A Survey of Botnet and Botnet Detection Feily, M.; Shahrestani, A.; Ramadass, S.;
Emerging Security Information, Systems and Technologies, 2009. SECURWARE '09. Third
International Conference on Digital Object Publication Year: 2009 , Page(s): 268 – 273 IEEE
CONFERENCES
 Honeynet-based Botnet Scan Traffic Analysis Zhichun Li, Anup Goyal, and Yan Chen
Northwestern University, Evanston, IL 60208
 Detecting Botnets Using Command and Control Traffic AsSadhan, B.; Moura, J.M.F.;
Lapsley, D.; Jones, C.; Strayer, W.T.; Network Computing and Applications, 2009. NCA
2009. Eighth IEEE International Symposium. Publication Year: 2009 , Page(s): 156 – 162
IEEE CONFERENCES
 Spamming botnets: signatures and characteristics Yinglian Xie, Fang Yu
Page  22

23. Page  23

24. Page  24