Methods for detecting bot nets in computer systems

Sergii Lysenko
https://orcid.org/0000-0001-7243-8747
Kira Bobrovnikova
https://orcid.org/0000-0002-1046-893X
Vyacheslav Kharchenko
https://orcid.org/0000-0001-5352-077X

Abstract

Object. The process of botnet detection in corporate area networks based on network traffic analysis and on the behavior of the computer systems' software. Subject. Methods for botnet detection in computer systems. Goal. Increasing botnet detection efficiency by developing new methods for detecting botnets in corporate networks. Results. A new approach to botnet detection in corporate area networks based on the analysis of bots' behavior is proposed. Detection is accomplished by applying two developed methods: host-level analysis and network-level analysis. The first method analyzes the behavior of the software on the host, which may indicate the presence of a bot directly on that host and allows the malicious software to be detected; the second method monitors and analyzes DNS traffic, which also allows conclusions to be drawn about the infection of network hosts with botnets. Based on the proposed methods, an effective tool for botnet detection, BotGRABBER, was developed. It is capable of detecting bots that use such evasion methods as IP mapping, fast flux, domain flux, and DNS tunneling. Conclusions. The use of the developed system makes it possible to detect hosts infected with a botnet and to localize the malware with high efficiency, up to 96%, with a low false-positive rate of 3-5%. A feature of the proposed approach is that the detection of botnets is "invisible" to botnet owners.
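The abstract names three DNS-level evasion techniques that the network-level method is meant to expose: fast flux, domain flux and DNS tunneling. The following added example (written for this page, not the authors' BotGRABBER code, whose actual features and thresholds the abstract does not give) runs three common passive-DNS heuristics over a small set of constructed query records: many distinct IPs behind one name with short TTLs (fast flux), one client accumulating NXDOMAIN answers for many distinct names (domain flux), and long, high-entropy subdomain labels (tunneling). The thresholds, the two-label "registered domain" rule and the sample records are all assumptions chosen for illustration; IP mapping, also listed in the abstract, is not covered.

```python
"""Heuristic passive-DNS indicators of botnet evasion techniques.

Added example, not code from the paper. Thresholds are illustrative
assumptions; the sample records below are constructed, not captured traffic.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class DnsRecord(NamedTuple):
    client: str                # host that issued the query
    qname: str                 # queried name
    qtype: str                 # A, TXT, ...
    rcode: str                 # NOERROR or NXDOMAIN
    answers: Tuple[str, ...]   # A records returned (empty for NXDOMAIN/TXT here)
    ttl: int                   # TTL of the answer set, 0 when there is none


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the registered domain is the last two labels.
    Production code should consult a public-suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def fast_flux_candidates(records: Iterable[DnsRecord], min_ips: int = 5,
                         max_ttl: int = 300) -> Set[str]:
    """Names that resolved to many distinct IPs with short TTLs (fast-flux pattern)."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    min_ttl: Dict[str, int] = {}
    for r in records:
        if r.qtype == "A" and r.rcode == "NOERROR" and r.answers:
            ips[r.qname].update(r.answers)
            min_ttl[r.qname] = min(min_ttl.get(r.qname, r.ttl), r.ttl)
    return {n for n, s in ips.items() if len(s) >= min_ips and min_ttl[n] <= max_ttl}


def domain_flux_candidates(records: Iterable[DnsRecord], min_nxdomain: int = 5) -> Set[str]:
    """Clients with many NXDOMAIN answers for distinct names (DGA-style domain flux)."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.rcode == "NXDOMAIN":
            failed[r.client].add(r.qname)
    return {c for c, names in failed.items() if len(names) >= min_nxdomain}


def dns_tunneling_candidates(records: Iterable[DnsRecord], min_len: int = 30,
                             min_entropy: float = 3.0) -> Set[str]:
    """Registered domains receiving queries whose subdomain part is long and high-entropy."""
    flagged: Set[str] = set()
    for r in records:
        parent = registered_domain(r.qname)
        # subdomain part = everything left of the registered domain, dots removed
        sub = r.qname.rstrip(".")[: -len(parent)].rstrip(".").replace(".", "")
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            flagged.add(parent)
    return flagged


# Constructed sample records (not real traffic).
SAMPLE_RECORDS: List[DnsRecord] = [
    # fast flux: one name, eight different IPs, TTL 60 s
    *[DnsRecord("10.0.0.5", "update.flux-example.test", "A", "NOERROR",
                (f"198.51.100.{i}",), 60) for i in range(1, 9)],
    # benign CDN-like name: several IPs but a long TTL (should not be flagged)
    *[DnsRecord("10.0.0.5", "static.cdn-example.test", "A", "NOERROR",
                (f"203.0.113.{i}",), 3600) for i in range(1, 7)],
    # domain flux: one client, six NXDOMAIN answers for random-looking names
    *[DnsRecord("10.0.0.7", f"{name}.test", "A", "NXDOMAIN", (), 0)
      for name in ("xk3q9v2lmp", "a7fz0qwrt1", "p0lmz8qvb3",
                   "q9w2e4r6t8", "zz1xx2cc3v", "mn5bv4cx3z")],
    # a single typo from another client (should not be flagged)
    DnsRecord("10.0.0.9", "wwww.example.test", "A", "NXDOMAIN", (), 0),
    # tunneling: long, high-entropy subdomain labels carried in a TXT query
    DnsRecord("10.0.0.11",
              "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ.c2Vjb25kIGNodW5r.tun-example.test",
              "TXT", "NOERROR", (), 5),
    # ordinary lookup (should not be flagged)
    DnsRecord("10.0.0.11", "mail.corp-example.test", "A", "NOERROR", ("192.0.2.10",), 3600),
]


def run_report(records: Iterable[DnsRecord] = SAMPLE_RECORDS) -> Dict[str, Set[str]]:
    """Apply all three heuristics and return the flagged names/clients per technique."""
    recs = list(records)
    return {
        "fast_flux": fast_flux_candidates(recs),
        "domain_flux": domain_flux_candidates(recs),
        "dns_tunneling": dns_tunneling_candidates(recs),
    }


if __name__ == "__main__":
    for technique, hits in run_report().items():
        print(f"{technique}: {sorted(hits)}")
```

Each heuristic alone produces false positives (CDNs rotate IPs, users mistype names, some legitimate services encode data in subdomains), which is why the thresholds are deliberately conservative and why a real deployment correlates these network-level signals with host-level evidence, as the abstract's two-method approach does.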

Article Details

How to Cite
Lysenko, S., Bobrovnikova, K., & Kharchenko, V. (2019). Methods for detecting bot nets in computer systems. Advanced Information Systems, 3(4), 87–95. https://doi.org/10.20998/2522-9052.2019.4.13
Section
Methods of information systems protection
Author Biographies

Sergii Lysenko, Khmelnytskyi National University, Khmelnytskyi

PhD, Associate Professor of Computer Engineering & System Programming Department

Kira Bobrovnikova, Khmelnytskyi National University, Khmelnytskyi

PhD, Associate Professor of Computer Engineering & System Programming Department

Vyacheslav Kharchenko, National Aerospace University “Kharkiv Aviation Institute”, Kharkiv

Full Doctor, Full Professor, Head of the Department of Computer Systems, Networks and Cybersecurity
