Botnet Detection
Manmeet Singh
951503006
CSED
Thapar University
Patiala, Punjab
manmeetsingh@thapar.edu
14/07/2016
Agenda
• Introduction
• History
• Life Cycle
• Architecture
• Current Statistics
• Literature Survey
• Future Work
• References
Introduction : Botnet
• Network of compromised hosts
• Remotely controlled by a botmaster
• Communication via a Command and Control (C&C) server
• Platform to launch various nefarious activities:
  • DDoS
  • Click fraud
  • Ad fraud
  • Spam
  • Ransomware
  • Spyware
  • Identity theft
Overview
History
Year  Name          Number of bots  Type
1993  Eggdrop       -               Centralized / IRC
1998  GTBot         -               Centralized / IRC
      Agobot        -               Centralized / IRC
      SpyBot        -               Centralized, P2P
      Rustock       150 000         Centralized / IRC
2007  Zeus/Zbot     3 600 000       Centralized / HTTP
      Storm         160 000         P2P
      Asprox        15 000          Centralized / HTTP
      Bobax         100 000         Centralized / HTTP
      Kraken        400 000         Centralized
      Torpig        180 000         Centralized
2008  Conficker     10 500 000      HTTP / P2P
2009  Donbot        125 000         HTTP
      BredoLab      30 000 000      HTTP / SMTP
2010  Kelihos       300 000         P2P
      TDL-4         4 500 000       IRC
2011  Flashback     600 000         P2P
2012  Chameleon     120 000         HTTP
2013  Boatnet       500             -
2014  Windigo       25 000          -
      Wapomi        -               -
      Neutrino Bot  -               -
Life Cycle
Infrastructure Setup → Basic Infection → Bot Infection → Rallying → Command Execution → Maintenance & Upgradation
Architecture
• Centralized
  • HTTP
  • IRC
• Decentralized
  • P2P
• Hybrid
  • Both centralized and P2P
Centralized Architecture
[Diagram: Botmaster → C&C Server → Bot 1, Bot 2, Bot 3, ..., Bot n]
Protocols Used : HTTP / IRC
Decentralized Architecture
[Diagram: Botmaster and bots linked as peers, with no single C&C server]
Distributed C&C Server using P2P Protocol
Current Statistics
[Figure: botnet statistics, McAfee Labs, 2016]
[Figure: Top 7 Worst Botnet Countries, Spamhaus (XBL) database]
Detection Techniques
Literature Survey
• Anirudh et al [2005]: DNS-based black hole list (DNSBL) counter-intelligence for detecting botnet membership
• Strayer et al [2006]: detection technique based on traffic flow characteristics such as bandwidth, duration and packet timing
• Gu et al [2007], BotHunter: a correlation engine for malware infection detection
• Villamarin-Salomon et al [2008]: DNS-traffic-based anomaly detection technique for botnet detection
• Perdisci et al [2009]: novel approach for passive analysis of domain-flux service networks
• Jiang et al [2010]: DNS failure graph analysis leading to the identification of suspicious activities
• Choi et al [2012]: framework for botnet detection using group analysis, i.e. BotGAD (Botnet Group Activity Detector)
• Yadav et al [2012]: botnet detection based on the analysis of failed DNS queries, i.e. Non-Existent Domain (NXDOMAIN) responses
• Dinh Tu et al [2015]: detection technique for bot-infected machines using the similar periodic DNS queries they issue
• Reza et al [2015]: botnet detection technique based on distinguishing algorithmically or randomly generated domain names from legitimate ones
• Hands et al [2015]: analysed the malicious use of DNS by cybercriminals and potential hints for detecting such misuse
• Nguyen et al [2015]: method for detecting botnets employing a Domain Generation Algorithm, using collaborative filtering and density-based clustering
Future Work
• Botnet prevalence strongly suggests the need for better detection techniques
• Anomaly-based detection is a must to combat new threats
• The DNS protocol is used by all the bots to communicate with the C&C server
• A DNS anomaly-based detection system
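The DNS-side techniques listed in the literature survey (NXDOMAIN failure analysis, distinguishing algorithmically generated names from legitimate ones, and group activity across hosts) and the DNS anomaly-based detector proposed under Future Work, combined into one small detector as an added example. This is not code from the seminar or from any of the cited papers; the resolver log format, the thresholds and the sample log lines are constructed assumptions.

```python
"""Toy DNS anomaly detector (added example; not from the seminar deck or the
cited papers).  It combines three DNS-side signals the literature survey lists:
  1. NXDOMAIN failure ratio per client (Jiang et al. 2010, Yadav et al. 2012)
  2. algorithmically generated-looking names (Reza/Sharifnya et al. 2015)
  3. group activity: several clients resolving the same suspicious names
     (Choi et al. 2012)
The log format, thresholds and sample lines are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "time client qname rcode".
# 10.0.0.5 is a normal host; 10.0.0.7 and 10.0.0.9 behave like two bots
# probing DGA names and then resolving the same rendezvous name.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.7 xk3qz9pl2vw.com NXDOMAIN
10:00:03 10.0.0.7 q8wn4zp1rt.net NXDOMAIN
10:00:04 10.0.0.7 b7xk2mqz9w.com NXDOMAIN
10:00:04 10.0.0.7 ctrl-hub-2a.info NOERROR
10:00:05 10.0.0.9 xk3qz9pl2vw.com NXDOMAIN
10:00:05 10.0.0.9 q8wn4zp1rt.net NXDOMAIN
10:00:06 10.0.0.9 ctrl-hub-2a.info NOERROR
10:00:07 10.0.0.5 cdn.example.net NOERROR
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        records.append({"client": client, "qname": qname.lower(), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld_label(qname):
    """Second-level label: 'xk3qz9pl2vw.com' -> 'xk3qz9pl2vw'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, entropy_threshold=3.0, vowel_threshold=0.2):
    """Heuristic DGA check: few vowels plus either digits or high entropy.
    The thresholds are constructed assumptions, not values from any paper."""
    label = sld_label(qname).lower()
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in label)
    return vowel_ratio < vowel_threshold and (
        has_digits or shannon_entropy(label) >= entropy_threshold)


def analyze(log_text, nx_threshold=0.5, min_shared=2):
    """Per-client report: NXDOMAIN ratio, DGA-like count, group partners."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "dga_like": 0})
    suspicious_clients = defaultdict(set)  # suspicious qname -> clients
    all_clients = defaultdict(set)         # any qname -> clients
    resolved = set()                       # qnames answered NOERROR
    for r in parse_log(log_text):
        s = stats[r["client"]]
        s["total"] += 1
        is_nx, is_dga = r["rcode"] == "NXDOMAIN", looks_generated(r["qname"])
        s["nx"] += is_nx
        s["dga_like"] += is_dga
        all_clients[r["qname"]].add(r["client"])
        if is_nx or is_dga:
            suspicious_clients[r["qname"]].add(r["client"])
        if r["rcode"] == "NOERROR":
            resolved.add(r["qname"])
    # Group signal: how many suspicious names each pair of clients shares.
    shared = defaultdict(Counter)
    for clients in suspicious_clients.values():
        for a in clients:
            for b in clients:
                if a != b:
                    shared[a][b] += 1
    report = {}
    for client, s in stats.items():
        nx_ratio = s["nx"] / s["total"]
        partners = sorted(b for b, n in shared[client].items() if n >= min_shared)
        # Names the whole group also resolved successfully are the candidate
        # rendezvous/C&C names a defender would inspect first.
        shared_resolved = sorted(
            q for q in resolved if client in all_clients[q]
            and all(p in all_clients[q] for p in partners)) if partners else []
        report[client] = {
            "nx_ratio": round(nx_ratio, 2),
            "dga_like": s["dga_like"],
            "group_partners": partners,
            "shared_resolved": shared_resolved,
            "flag": nx_ratio >= nx_threshold or bool(partners),
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(analyze(SAMPLE_LOG).items()):
        print(client, info)
```

On the constructed log the two bot-like hosts are flagged on both the failure ratio and the group signal, and the one name they both resolved successfully is surfaced as the candidate C&C domain, while the normal host stays clean. The entropy and vowel thresholds are deliberately simple; a production detector would calibrate them against a baseline of the organisation's own resolver traffic and whitelist popular domains before applying the group signal.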
References
[1] S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles, “Botnets: A survey,” Comput. Networks, vol. 57, no. 2, pp. 378–403, 2013.
[2] A. Karim, R. Salleh, M. Shiraz, S. Shah, I. Awan, and N. Anuar, “Botnet detection techniques: review, future trends, and issues,” Comput. Electron., vol. 15, no. 11, pp. 943–983, 2014.
[3] C. Gañán, O. Cetin, and M. van Eeten, “An Empirical Analysis of ZeuS C&C Lifetime,” Proc. 10th ACM Symp. Information, Comput. Commun. Secur. - ASIA CCS ’15, pp. 97–108, 2015.
[4] McAfee Labs, “McAfee Labs Threats Report,” no. November, 2015.
[5] A. Ramachandran, N. Feamster, and D. Dagon, “Revealing Botnet Membership Using DNSBL Counter-Intelligence,” 2005.
[6] W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, “Detecting botnets with tight command and control,” Proc. - Conf. Local Comput. Networks, LCN, pp. 195–202, 2006.
[7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: detecting malware infection through IDS-driven dialog correlation,” USENIX Secur. ’07 Proc. 16th USENIX Secur. Symp., p. 12, 2007.
[8] R. Villamarín-Salomón and J. C. Brustoloni, “Identifying botnets using anomaly detection techniques applied to DNS traffic,” 2008 5th IEEE Consum. Commun. Netw. Conf. CCNC 2008, no. 1, pp. 476–481, 2008.
[9] R. Perdisci, I. Corona, D. Dagon, and W. Lee, “Detecting malicious flux service networks through passive analysis of recursive DNS traces,” Proc. - Annu. Comput. Secur. Appl. Conf. ACSAC, pp. 311–320, 2009.
[10] N. Jiang, J. Cao, Y. Jin, L. E. Li, and Z. L. Zhang, “Identifying suspicious activities through DNS failure graph analysis,” Proc. - Int. Conf. Netw. Protoc. ICNP, pp. 144–153, 2010.
[11] P. Wang, S. Sparks, and C. C. Zou, “An advanced hybrid peer-to-peer botnet,” IEEE Trans. Dependable Secur. Comput., vol. 7, no. 2, pp. 113–127, 2010.
[12] H. Choi and H. Lee, “Identifying botnets by capturing group activities in DNS traffic,” Comput. Networks, vol. 56, no. 1, pp. 20–33, 2012.
[13] S. Yadav and A. L. N. Reddy, “Winning with DNS failures: Strategies for faster botnet detection,” Lect. Notes Inst. Comput. Sci. Soc. Telecommun. Eng., vol. 96 LNICST, pp. 446–459, 2012.
[14] S. García, M. Grill, J. Stiborek, and A. Zunino, “An empirical comparison of botnet detection methods,” Comput. Secur., vol. 45, pp. 100–123, 2014.
[15] T. D. Tu, C. Guang, and L. Y. Xin, “Detecting Bot-Infected Machines Based On Analyzing The Similar Periodic DNS Queries,” pp. 35–40, 2015.
[16] Q. Yan, Y. Zheng, T. Jiang, W. Lou, and Y. T. Hou, “PeerClean: Unveiling peer-to-peer botnets through dynamic group behavior analysis,” Comput. Commun. (INFOCOM), 2015 IEEE Conf., pp. 316–324, 2015.
[17] R. Sharifnya and M. Abadi, “DFBotKiller: Domain-flux botnet detection based on the history of group activities and failures in DNS traffic,” Digit. Investig., vol. 12, pp. 15–26, 2015.
[18] “The Spamhaus Project”, [Online]. Available: https://www.spamhaus.org/statistics/botnet-cc/, [Accessed 19 May 2016].
Thanks
Seminar on Botnet Detection