Investigation into Botnet Detection and Mitigation Methods, 10-R9649


Principal Investigators
Rachel Smith
Sandra G. Dykes

Inclusive Dates: 08/07/06 – 12/07/06

Background - A rising problem in cyber security is the use of botnets for automating large-scale attacks on computer systems. A botnet is a large number of compromised computers ("bots") that are controlled by an attacker and used for denial of service attacks, sending spam, and other nefarious purposes. Bots receive commands by connecting to an Internet server such as an IRC chat room or a web server. To avoid detection, an attacker sends the commands in advance and then is silent during the attack. Recent and anticipated solicitations from the Department of Homeland Security and the Army Research Office ask for methods to detect and mitigate botnets. One promising approach lies in detecting botnet command and control (C&C) traffic.

Approach - The objective of this project was two-fold:

  • Perform an initial analysis of captured C&C traffic to look for characteristic patterns in message content and timing, and make a preliminary determination if correlations between messages can be effectively detected.
  • Define metrics for evaluating the effectiveness of botnet detection and mitigation solutions. These metrics are needed to estimate cost and performance trade-offs, and to compare different solutions.

Accomplishments - The project team identified several important botnet characteristics in the captured traces. In particular:

  • Botnet traces exhibit a characteristic sequence of message types.
  • A bot sends bursts of messages, often taking less than a millisecond to generate each message. These intervals are far shorter than the time a human would need to type the corresponding three- or four-letter command.
  • Bots send probes periodically, typically at one-minute intervals.
  • Relative message delay times for various message types are characteristic for a particular botnet.
  • C&C commands are typically embedded in places within the message where they would normally be nonsensical. For example, the topic of an IRC channel is set to an HTTP or FTP download command.
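The characteristics listed above translate directly into detection heuristics. The following is an added illustration written for this page; it is not the project's code and does not reproduce its analysis. It scores a per-host IRC trace on four of the listed traits: the characteristic NICK/USER/JOIN command sequence, sub-human inter-message gaps (bursts), probes recurring at a near-constant one-minute period, and a channel TOPIC carrying an HTTP/FTP download URL. The sample trace, the host addresses, the URL and every threshold are constructed assumptions.

```python
"""Heuristic detector for IRC-style botnet C&C traffic.

Added illustration, not the project's code. It checks a per-host message
trace for four traits named in the summary: a characteristic command
sequence, bursts faster than a human could type, periodic probes, and a
TOPIC set to a download command. All thresholds and the sample trace are
constructed assumptions, not measured values.
"""
import re
import statistics

# Constructed sample trace: (timestamp in seconds, source host, raw IRC line).
# 10.0.0.5 behaves like a bot, 192.168.1.20 like a human, 10.0.0.9 like a
# controller setting the channel topic. Hosts and URL are invented.
SAMPLE_TRACE = [
    (0.0000, "10.0.0.5", "NICK bot-41c7"),
    (0.0004, "10.0.0.5", "USER x 0 * :x"),
    (0.0007, "10.0.0.5", "JOIN #c"),
    (60.01, "10.0.0.5", "PRIVMSG #c :."),   # periodic probe
    (120.02, "10.0.0.5", "PRIVMSG #c :."),
    (180.00, "10.0.0.5", "PRIVMSG #c :."),
    (240.01, "10.0.0.5", "PRIVMSG #c :."),
    (300.03, "10.0.0.5", "PRIVMSG #c :."),
    (0.0, "192.168.1.20", "NICK alice"),
    (4.2, "192.168.1.20", "JOIN #chat"),
    (31.7, "192.168.1.20", "PRIVMSG #chat :hi all"),
    (95.4, "192.168.1.20", "PRIVMSG #chat :anyone around?"),
    (12.5, "10.0.0.9", "TOPIC #c :http://example.invalid/update.exe"),
]

# Assumed thresholds: no human issues two IRC commands within 50 ms, and
# a probe schedule is "periodic" if gaps stay within 5% of one minute.
HUMAN_MIN_GAP = 0.05      # seconds
PROBE_PERIOD = 60.0       # seconds
PROBE_TOLERANCE = 0.05    # fraction of PROBE_PERIOD
MIN_PROBES = 4            # probes needed before calling a schedule periodic

DOWNLOAD_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def group_by_host(trace):
    """Split the trace into per-host lists of (timestamp, line), time-ordered."""
    by_host = {}
    for ts, host, line in trace:
        by_host.setdefault(host, []).append((ts, line))
    for msgs in by_host.values():
        msgs.sort()
    return by_host


def command_sequence(msgs):
    """The ordered tuple of IRC command verbs a host sent (trait 1)."""
    return tuple(line.split()[0] for _, line in msgs)


def burst_count(msgs, max_gap=HUMAN_MIN_GAP):
    """Count consecutive message pairs spaced closer than a human could type (trait 2)."""
    return sum(1 for (a, _), (b, _) in zip(msgs, msgs[1:]) if b - a < max_gap)


def has_periodic_probes(msgs, period=PROBE_PERIOD, tol=PROBE_TOLERANCE):
    """True if the host's PRIVMSGs recur at a near-constant ~period interval (trait 3)."""
    probes = [ts for ts, line in msgs if line.startswith("PRIVMSG")]
    if len(probes) < MIN_PROBES:
        return False
    gaps = [b - a for a, b in zip(probes, probes[1:])]
    if abs(statistics.mean(gaps) - period) > tol * period:
        return False
    return (max(gaps) - min(gaps)) < tol * period


def topic_download_commands(trace):
    """TOPIC lines whose text is a download URL rather than a channel topic (trait 5)."""
    return [(host, line) for _, host, line in trace
            if line.startswith("TOPIC") and DOWNLOAD_RE.search(line)]


def score_hosts(trace):
    """Per-host summary of the burst and periodicity traits."""
    return {
        host: {
            "bursts": burst_count(msgs),
            "periodic_probes": has_periodic_probes(msgs),
            "starts_nick_user_join": command_sequence(msgs)[:3] == ("NICK", "USER", "JOIN"),
        }
        for host, msgs in group_by_host(trace).items()
    }


if __name__ == "__main__":
    for host, traits in score_hosts(SAMPLE_TRACE).items():
        print(host, traits)
    print("suspicious topics:", topic_download_commands(SAMPLE_TRACE))
```

On the constructed trace the bot host shows two sub-50 ms gaps, a NICK/USER/JOIN opening and a probe schedule within 5% of one minute, while the human host shows none of these; the TOPIC check flags the controller's download URL independently of timing. In practice the thresholds would be tuned against benign IRC traffic, and the four signals would be combined rather than alerted on individually, since a single periodic PRIVMSG is also what a legitimate client keep-alive can look like.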

To our knowledge, this is the first study that examines message delay times of botnet C&C traffic and proposes using them for botnet detection.

2007 Program Home