Botnets analysis and detection methods based on network behavior
Abstract
Botnets, networks of compromised machines, are considered one of the biggest threats to the security and privacy of users of networked systems. These structures offer anonymous, distributed, and automated means for cybercrime, such as spamming, denial of service, and identity theft. Recently, the most prevalent type of attack has been information stealing, in which sensitive information with high financial value is the target, such as online banking credentials, credit card numbers, cryptographic certificates, and corporate proprietary information.
This dissertation uncovers subtle network behaviors of bots infecting hosts inside an enterprise network, and proposes methods to prevent bots from successfully launching attacks, in particular, spamming and information stealing. These detection methods add to and strengthen network defense-in-depth systems.
Different aspects of bot network behavior are considered depending on the objective of a botnet. For spamming botnets, we discuss spam transmission methods and propose preventive measures to be applied at network routers and email servers. Then, we uncover an array of anomalous DNS behaviors of bots and provide proof-of-concept classification and clustering methods as evidence of the viability of these behaviors for detecting bots. For data-stealing botnets, we present an analysis of Zeus, an infamous data-stealing botnet that became a platform for other botnets that appeared later. Next, we propose a classification algorithm to detect bots' data-stealing attempts over the web, and present an evaluation of the proposed classifier's performance.
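As an added illustration (not code from the dissertation, and not its feature set), the following computes per-host DNS behavioral features of the general kind the abstract alludes to, namely NXDOMAIN ratio, distinct registrable domains and name-label entropy, from a constructed query log, and applies an illustrative threshold rule. The sample log, the feature definitions and the thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (timestamp, client, qname, rcode). Not real data.
# 10.0.0.5 behaves like a normal workstation; 10.0.0.9 queries random-looking
# names that mostly fail to resolve, a pattern typical of domain-generation algorithms.
SAMPLE_LOG = [
    ("2024-01-01T00:00:01", "10.0.0.5", "www.example.com", "NOERROR"),
    ("2024-01-01T00:00:05", "10.0.0.5", "mail.example.com", "NOERROR"),
    ("2024-01-01T00:00:09", "10.0.0.5", "cdn.example.net", "NOERROR"),
    ("2024-01-01T00:00:12", "10.0.0.5", "www.example.com", "NOERROR"),
    ("2024-01-01T00:00:02", "10.0.0.9", "q7x9zk2pwd.info", "NXDOMAIN"),
    ("2024-01-01T00:00:02", "10.0.0.9", "m3vq8rtb1n.biz", "NXDOMAIN"),
    ("2024-01-01T00:00:03", "10.0.0.9", "zxk29qpwrt.net", "NXDOMAIN"),
    ("2024-01-01T00:00:03", "10.0.0.9", "hj4k2lqz9w.org", "NXDOMAIN"),
    ("2024-01-01T00:00:04", "10.0.0.9", "pl0s8qwzxc.com", "NOERROR"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character. Machine-generated labels approach log2(len(s))
    because characters rarely repeat; dictionary words score lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Assumption: single-label public suffixes (no co.uk handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def extract_features(log):
    """Aggregate the log per client and return a feature dict per host."""
    per_host = defaultdict(list)
    for _ts, client, qname, rcode in log:
        per_host[client].append((qname, rcode))
    features = {}
    for client, records in per_host.items():
        n = len(records)
        nx = sum(1 for _q, r in records if r == "NXDOMAIN")
        labels = [registrable_label(q) for q, _r in records]
        features[client] = {
            "query_count": n,
            "nxdomain_ratio": nx / n,
            "distinct_domains": len(set(labels)),
            "mean_label_entropy": sum(shannon_entropy(l) for l in labels) / n,
        }
    return features


def classify(features, nx_threshold=0.5, entropy_threshold=3.0, min_queries=3):
    """Flag hosts with a high NXDOMAIN ratio AND high-entropy names.
    Thresholds are illustrative assumptions; a real deployment would learn them
    from labeled traffic. Hosts with too few queries are skipped to limit noise."""
    flagged = set()
    for host, f in features.items():
        if f["query_count"] < min_queries:
            continue
        if (f["nxdomain_ratio"] >= nx_threshold
                and f["mean_label_entropy"] >= entropy_threshold):
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    feats = extract_features(SAMPLE_LOG)
    for host, f in sorted(feats.items()):
        print(host, f)
    print("suspicious hosts:", sorted(classify(feats)))
```

Requiring both conditions rather than either keeps a host that merely mistypes a few names, or one that legitimately resolves hash-like CDN labels, from being flagged on a single feature; the dissertation's own classifiers and clustering operate on a richer feature set than this sketch.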