An Analytical Review of Botnets and Methods for Their Detection

Authors

1 Imam Hossein (AS)

2 Imam Hossein (AS) Comprehensive University

Abstract

Botnets are today recognized as one of the most serious and dangerous threats to the security of the hundreds of millions of compromised and infected computers in cyberspace. A botnet is a network of compromised hosts under the control of a single attacker, and botnets are the root cause of many attacks and fraudulent activities on the Internet, such as distributed denial-of-service attacks, phishing, spamming, information theft, and the like. Published studies indicate that between 16 and 25 percent of Internet-connected computers are infected with bots and are under the control of hackers. This paper discusses botnets and the research and studies related to them in a way that traces the evolution of this class of malware. Concepts such as the botnet life cycle, command-and-control models, communication protocols, botnet protocols, botnet detection methods, and detection tools are presented. The attacks that botnets are capable of, together with statistics on the attacks they have carried out to date, are presented as a history. The open challenges surrounding botnets are then discussed. Future work that researchers could pursue, such as the use of steganography and covert channels in detection, or the hardening of botnet servers, is also reviewed at the end of this study.

Keywords

