
Detecting Bots Via Network Anomaly Behavior

Posted on: 2013-01-09
Degree: Master
Type: Thesis
Country: China
Candidate: S Lin
Full Text: PDF
GTID: 2248330371483749
Subject: Software engineering
Abstract/Summary:
In the 21st century, with the rapid development of the information industry, the Internet is expanding and gaining popularity at an unprecedented rate. A problem that cannot be ignored, however, is that we face increasingly rampant computer viruses. At any given time, many hosts on the Internet are subject to a variety of attacks, most of them caused by malicious software. Many enterprises and personal computer users have taken measures such as deploying antivirus software and firewalls, yet they still cannot prevent certain malicious actions, such as botnet attacks. Indeed, botnets have become a major attack platform on the Internet.

A botnet is a controllable one-to-one or one-to-many network between a botnet controller and the hosts it has infected, which propagates by one or more means and spreads malicious programs across the network. An infected host is called a bot host. As botnets have developed, an attacker can infect and control a host in a variety of ways, and bot hosts accept commands from the attacker through a command and control (C&C) channel, which signals the onset of malicious actions or new attacks. Bots in a botnet accept and execute commands from the botnet owner or controller via the C&C channel. Activated by these commands, the bot program conducts a series of malicious behaviours on the host and uses it as an agent to infect other hosts on the Internet.

Despite the efforts and detection methods proposed by network security researchers and practitioners, botnets continue to spread at a dramatic rate and pose a serious threat to the fast-growing Internet. A botnet is a platform that can launch effective attacks on hosts or networks: it can bring down an entire backbone network or a critical system, launch Distributed Denial of Service (DDoS) attacks, send spam, mount secondary attacks, steal sensitive information, and abuse local and network resources. A botnet can cause great harm to both the local host and the network as a whole. As botnets develop, they keep improving their technology and adopting new types of attack, which poses a great threat to network security. We therefore introduce a bot host detection method to counter the harm caused by botnets.

This thesis presents a correlation-based detection of botnets, on which a passive network monitoring system, BotFinder, is designed. The main contents are:

Proposed a new strategy: based on an evidence trail, look for clues that identify the communication sequence that occurs when an infection exists, and then decide whether a bot infection has taken place. We call this the infection dialog correlation strategy. In our dialog correlation model, the bot infection process is defined as a loosely ordered procedure consisting of communication traffic exchanged between an internal host and external entities. We have abstracted the network dialog sequence of each past successful infection and saved these sequences for future use.

Designed a new bot host detection system: based on our new detection method, we designed a new passive network monitoring system called BotFinder. This system uses the infection dialog correlation strategy. We further designed two specific bot anomaly detection components: PayloadAnalysis (a packet payload detection engine) and TrafficAnalysis (a traffic anomaly detection engine). BotFinder matches the warnings produced by these modules against pre-saved bot infection dialog patterns to produce a consolidated report that captures all relevant events and event participants that contributed to the infection dialog.

Finally, we examine the model by simulating the bot infection process.

The contribution of this thesis is the design of a new dialog correlator that runs within the current IDS and detects, at the network perimeter, whether a host is infected by a bot. BotFinder consists of the detection modules and the IDS dialog correlation engine. It can automatically derive a profile of the whole bot detection process, including the bot host, the infection agent, the infection source and the C&C server.
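As an added illustration (not code from the thesis or the BotFinder system), the following Python sketches the dialog correlation step described above: warnings from the two detection engines are grouped per internal host and matched against a loosely ordered infection dialog pattern to produce a consolidated report of stages and participants. The stage names (E1 to E5), the participant roles, the threshold rule and the sample warnings are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample warnings, in the shape the two anomaly engines might emit:
# (timestamp, internal host, event type, external entity). All values are made up.
WARNINGS = [
    ("2013-01-09 10:00:05", "10.0.0.7", "inbound_scan", "203.0.113.9"),
    ("2013-01-09 10:00:41", "10.0.0.7", "exploit_payload", "203.0.113.9"),
    ("2013-01-09 10:01:10", "10.0.0.7", "binary_download", "198.51.100.4"),
    ("2013-01-09 10:03:22", "10.0.0.7", "cc_connect", "192.0.2.77"),
    ("2013-01-09 10:09:00", "10.0.0.7", "outbound_scan", "10.0.0.0/24"),
    ("2013-01-09 10:02:00", "10.0.0.21", "inbound_scan", "203.0.113.9"),
    ("2013-01-09 14:30:00", "10.0.0.21", "cc_connect", "192.0.2.77"),
]
# Assumed dialog stages: event type -> (stage id, participant role it reveals).
STAGES = {
    "inbound_scan":    ("E1", "infection_source"),
    "exploit_payload": ("E2", "infection_agent"),
    "binary_download": ("E3", "egg_server"),
    "cc_connect":      ("E4", "cc_server"),
    "outbound_scan":   ("E5", None),
}
OUTBOUND = {"E4", "E5"}  # stages initiated by the internal host itself

def correlate(warnings, window=timedelta(minutes=30), min_stages=3):
    """Declare a host infected when at least min_stages distinct stages, one of
    them outbound, occur within a sliding window. Stages need not arrive in
    order (loosely ordered); the threshold rule is an illustrative assumption."""
    by_host = defaultdict(list)
    for ts, host, event, peer in warnings:
        if event in STAGES:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_host[host].append((when, event, peer))
    reports = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            trail = [ev for ev in evs[i:] if ev[0] - t0 <= window]
            stages = {STAGES[ev[1]][0] for ev in trail}
            if len(stages) >= min_stages and stages & OUTBOUND:
                roles = {}
                for _, event, peer in trail:  # first peer seen in each role
                    role = STAGES[event][1]
                    if role and role not in roles:
                        roles[role] = peer
                reports[host] = {"stages": sorted(stages), "participants": roles,
                                 "first": trail[0][0], "last": trail[-1][0]}
                break
    return reports
```

With the sample data, 10.0.0.7 is reported with all five stages and its infection source, egg server and C&C server, while 10.0.0.21 (a lone inbound scan and a much later connection) is not, which is the point of correlating a dialog rather than alerting on single events.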
Keywords/Search Tags: Bots, Sequence detection, Botnets, BotFinder