Detecting Botnets with Timing-Based Covert Command and Control Channels

Document Type : Original Article

Abstract

Nowadays, botnets have become a disruptive factor in the exchange of information and are used to tamper with network resources. Botnet detection methods have always faced challenges and have been investigated and advanced as a subject of research. The main characteristic of a botnet is the command and control (C&C) channel through which a botmaster sends malicious commands to the victim's system. Once the C&C channel of a botnet is detected, the botnet is essentially unable to communicate with the botmaster and loses its effectiveness. For this reason, botmasters try to evade detection by using a variety of methods. The covert command and control channel is a concept that the new generation of botnets uses to hide its communications. In this paper, a botnet is proposed in which the botmaster's commands are sent using inter-packet delays (IPDs) and their sequences, that is, via a timing-based covert command and control channel. A detection method is then proposed that applies the concept of the group activity of bots. A three-layer architecture is proposed, consisting of traffic data collection and processing, pattern processing, and a two-step detection method. Using the two-step detection method, which includes a similarity matrix and entropy, hosts infected with the bot are detected. To evaluate the method, five covert timing channels are simulated and each of them is used to send botmaster commands. The results of the experiments showed the effectiveness of the detection method with a minimum of two bots in the network.
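
The two-step idea in the abstract (group similarity first, then entropy) can be illustrated as follows. This is an added example, not the paper's implementation: the cosine similarity over binned IPD histograms, the bin width, both thresholds, the assumption that covert encodings reuse few delay values (low entropy), and the sample traffic are all constructed for illustration.

```python
import math
from collections import Counter
from itertools import accumulate, combinations

# Assumed parameters; the abstract does not give a bin width or thresholds.
BIN_WIDTH = 0.05      # seconds per IPD histogram bin
SIM_THRESHOLD = 0.9   # step 1: minimum similarity to count as group activity
ENTROPY_MAX = 1.5     # step 2: bits; assumes covert encodings reuse few delays

def ipd_histogram(timestamps, width=BIN_WIDTH):
    """Turn packet arrival times into a histogram of binned inter-packet delays."""
    delays = (b - a for a, b in zip(timestamps, timestamps[1:]))
    return Counter(round(d / width) for d in delays)

def entropy(hist):
    """Shannon entropy (bits) of the binned IPD distribution."""
    total = sum(hist.values())
    return -sum(c / total * math.log2(c / total) for c in hist.values())

def cosine(h1, h2):
    """Cosine similarity of two IPD histograms (assumed similarity measure)."""
    dot = sum(h1[k] * h2[k] for k in h1.keys() & h2.keys())
    norm = math.sqrt(sum(v * v for v in h1.values()) * sum(v * v for v in h2.values()))
    return dot / norm if norm else 0.0

def detect(flows):
    """flows: {host: [arrival times]}. Returns (similarity matrix, suspected hosts)."""
    hists = {h: ipd_histogram(ts) for h, ts in flows.items()}
    sim = {(a, b): cosine(hists[a], hists[b]) for a, b in combinations(sorted(hists), 2)}
    # Step 1: keep hosts whose timing profile matches at least one other host.
    grouped = {h for pair, s in sim.items() if s >= SIM_THRESHOLD for h in pair}
    # Step 2: of those, keep hosts whose IPD entropy is low.
    return sim, sorted(h for h in grouped if entropy(hists[h]) <= ENTROPY_MAX)

def arrivals(delays):
    """Constructed-data helper: arrival times for a list of delays, starting at t=0."""
    return [0.0, *accumulate(delays)]

# Constructed sample traffic (not from the paper's experiments).
SAMPLE = {
    "10.0.0.11": arrivals([0.104, 0.297, 0.301, 0.098, 0.102, 0.303, 0.099, 0.296]),
    "10.0.0.12": arrivals([0.097, 0.304, 0.299, 0.103, 0.101, 0.298, 0.096, 0.302]),
    "10.0.0.20": arrivals([0.02, 0.45, 0.9, 0.13, 1.7, 0.27, 0.61, 0.05]),
    "10.0.0.21": arrivals([0.33, 0.08, 1.2, 0.52, 0.07, 0.75, 0.21, 2.4]),
    "10.0.0.30": arrivals([1.0] * 8),  # periodic poller: low entropy, no peer
}

if __name__ == "__main__":
    print(detect(SAMPLE)[1])
```

The periodic poller has zero entropy but no matching peer, so step 1 excludes it; the two hosts sharing a two-valued delay pattern pass both steps, which matches the abstract's minimum of two bots.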
