
The ISC Int'l Journal of Information Security
January 2018, Volume 10, Number 1 (pp. 55–61)
ISSN: 2008-2045. © 2018 ISC. All rights reserved.

BotRevealer: Behavioral Detection of Botnets based on Botnet Life-cycle

Ehsan Khoshhalpour (1) and Hamid Reza Shahriari (1, *)
(1) Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran
* Corresponding author. Email address: [email protected] (H. R. Shahriari)

ARTICLE INFO
Article history: Received: 7 April 2017; First Revised: 23 July 2017; Last Revised: 8 October 2017; Accepted: 2 August 2017; Published Online: 5 August 2017
Keywords: Botnet Detection, Botnet Life-cycle, Host-based Intrusion Detection, Heuristic Algorithm

Abstract
Nowadays, botnets are considered essential tools for planning serious cyber attacks. Botnets are used to perform various malicious activities such as DDoS attacks and sending spam emails. Different approaches have been presented to detect botnets; however, most of them may be ineffective when there are only a few infected hosts in the monitored network, as they rely on similarity among bot activities to detect the botnet. In this paper, we present a host-based method that can detect individual bot-infected hosts. This approach is based on the botnet life-cycle, which includes symptoms common to almost all types of botnet despite their differences. We analyze the network activities of each process running on the host and propose heuristics that distinguish the behavioral patterns of a bot process from legitimate ones, based on statistical features of packet sequences and an overall security risk evaluated for each process. To show the effectiveness of the approach, a tool named BotRevealer has been implemented and evaluated using real botnets and several popular applications. The results show that, in spite of the diversity of botnets, BotRevealer can effectively detect the bot process among the other active processes.

1 Introduction
The majority of attacks and malicious activities on the Internet are carried out by malware. A botnet is a network of malware-infected computers, which is considered a basic tool for conducting cyber attacks. In fact, a botnet is a network of coordinated compromised computers (bots) that are controlled remotely by an attacker (the botmaster) through a command and control channel, without the knowledge of their owners. Botnets are used to perform various malicious activities such as distributed denial of service attacks, spam, click fraud, scams and hosting phishing sites. That is why today botnets are identified as one of the largest threats to Internet security [1]. Since botmasters use popular protocols such as IRC, HTTP and P2P as their C&C channel, botnet traffic is usually permitted by firewalls. On the other hand, the traffic between a botmaster and their bots is text-based, and it is sometimes encrypted to evade detection. Furthermore, a bot often remains silent until it receives a command from its botmaster to carry out malicious activities.