Botnet Analysis and Detection

Shaikh, A. (2010). Botnet Analysis and Detection (Hons CSF Dissertation). Edinburgh Napier University (Macfarlane, R., Buchanan, W.).



Computers have become essential tools for work, study and play. They can also be used in a more sinister manner: criminals use them to extract money and information from businesses and individual users, and one of their main instruments is the botnet. A botnet is a collection of bots controlled by one or more bot masters. A bot is a piece of software that conceals itself on a computer system and acts on instructions received from, or programmed by, the bot master(s). Botnets are becoming more elaborate and efficient over time, and their use is growing rapidly, threatening home users and businesses alike.

The aim of this thesis was to understand, design and implement a botnet detection tool. To that end the thesis first provides a detailed analysis and taxonomy of the current botnet threat, covering botnet operations, their behaviour and how they infect computer systems. The main ethical issue encountered was the need to securely contain the virtual environment in which a real botnet would be tested, evaluated and analysed. To avoid running live malware, three botnets were studied with the intention of creating a 'synthetic bot' that could safely stand in for them: Zeus, Stuxnet and, in particular, the KOOBFACE botnet, on which the synthetic bot was mainly based. This synthetic bot was then used to evaluate the detection software.

The next stage was to investigate botnet detection techniques and some of the existing detection tools. A prototype botnet detection tool, called 'Bot Shaiker', was designed and implemented. It is an agent-based application capable of detecting specific botnet activity using both network traffic and files located on the computer. Bot Shaiker is written in Microsoft C# .NET; it integrates Snort, an open source IDS, to look for botnet activity on the network, and checks the Windows Firewall configuration and the registry for traces of botnets. These functions are exposed through an easy to use GUI application, or can run as a service on the user's computer.
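The agent design described above combines two sources of evidence: alerts from Snort on the network side and autorun/firewall artifacts on the host side. The following is an added illustration of that correlation step, not Bot Shaiker's own code. It parses Snort's real "alert_fast" log line format, flags Run-key entries whose command points into user-writable drop locations (an assumed heuristic), and raises a verdict only when both kinds of evidence agree. All sample alert lines, SIDs, rule messages, registry entries, paths and addresses are constructed for the example.

```python
"""Correlate Snort network alerts with host autorun and firewall artifacts.

Added example: not Bot Shaiker's code. Sample data below is constructed.
"""
import re

# Snort's alert_fast line layout (a real Snort output format), e.g.
# 01/14-10:02:31.118233  [**] [1:1000001:1] msg [**] [Classification: c] [Priority: 1] {TCP} a:p -> b:q
SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Assumed heuristic: autostart commands living in user-writable drop locations.
SUSPICIOUS_PATH_RE = re.compile(r"\\(?:temp|appdata\\(?:local|roaming))\\", re.I)

# Constructed sample Snort alerts (local SID range, hypothetical rule messages).
SAMPLE_ALERTS = [
    "01/14-10:02:31.118233  [**] [1:1000001:1] LOCAL Suspicious HTTP beacon to raw IP [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.56.10:49215 -> 203.0.113.7:80",
    "01/14-10:02:35.002100  [**] [1:1000002:1] LOCAL Periodic DNS query for known C2 domain [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.56.10:51002 -> 192.168.56.1:53",
    "01/14-10:05:00.000000  [**] [1:1000003:2] LOCAL Inbound SMB scan [**] "
    "[Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.56.20:445",
]

# Constructed Run-key entries: (key, value name, command).
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "sysldr32",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\ld12.exe"),
]

# Constructed Windows Firewall program exceptions (allowed executables).
SAMPLE_FW_EXCEPTIONS = [
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\ld12.exe",
]


def parse_snort_fast(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not parse."""
    m = SNORT_FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec


def suspicious_autoruns(entries):
    """Keep Run-key entries whose command lives in a user-writable drop directory."""
    return [e for e in entries if SUSPICIOUS_PATH_RE.search(e[2])]


def assess_host(host_ip, snort_lines, autorun_entries, fw_exceptions):
    """Combine network and host evidence for one machine into a verdict."""
    # Network side: priority-1 alerts where this host is the source.
    network = [
        f'{a["gid"]}:{a["sid"]}:{a["rev"]} {a["msg"]}'
        for a in map(parse_snort_fast, snort_lines)
        if a and a["src"] == host_ip and a["prio"] == 1
    ]
    # Host side: suspicious autostart entries, plus any firewall exception that
    # whitelists one of those same binaries (a hole a bot opens for itself).
    autoruns = suspicious_autoruns(autorun_entries)
    firewall = [
        p for p in fw_exceptions
        if any(p.lower() in cmd.lower() for _, _, cmd in autoruns)
    ]
    host_evidence = bool(autoruns or firewall)
    if network and host_evidence:
        verdict = "bot suspected"
    elif network or host_evidence:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "host": host_ip,
        "network": network,
        "autoruns": [name for _, name, _ in autoruns],
        "firewall": firewall,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess_host("192.168.56.10", SAMPLE_ALERTS, SAMPLE_AUTORUNS, SAMPLE_FW_EXCEPTIONS))
```

Requiring agreement between the two sources is what keeps a single noisy Snort signature, or a single odd-looking autorun entry, from producing a false positive on its own; either alone only marks the host for review. On a real deployment the agent would read the autoruns from the registry Run keys and the exceptions from the firewall configuration rather than from the constructed lists above.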

Bot Shaiker was evaluated in a sandboxed virtual network using the synthetic bot and DARPA traffic captures. The results showed that Snort's network signatures were effective and efficient; however, performance depended heavily on traffic volume. At rates above roughly 80 Mbps Snort's performance degrades significantly and packets can be dropped, so detections are missed. As the application is primarily designed for an end user with an average Internet connection, which typically falls well below this figure, the prototype would work well on most computer systems. The conclusions suggest that the prototype Bot Shaiker application is able to detect botnet activities by combining network and host-based techniques.