Countermeasures for fighting botnets or mitigating botnets effects
can be considered the weakest link of a centralized botnet. That is, if we can take down an active C&C or simply interrupt the communication to the C&C, the botmaster will not be able to control the botnet. Moreover, the detection of the C&C channel will reveal both the C&C servers and the bots in a monitored network. Therefore, understanding and detecting the C&Cs has great value in the battle against centralized botnets.
Botnet C&C traffic is difficult to detect because it follows normal protocol usage and is similar to normal traffic, the traffic volume is low, there may be very few bots in the monitored network, and the communication may be encrypted. However, the bots of a centralized botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. For instance, at a similar time, all the bots within the same botnet will execute the same command and report to the C&C server with the progress/result of the task (and these reports are likely to be similar in structure and content).
Regular network activities are unlikely to show such synchronized and correlated behavior. Therefore, even if the traffic is encrypted, it may be useful to investigate the traffic generated by groups of clients that share the same (IP, TCP port) destination pair (Gu et al., 2008).
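The spatial-temporal correlation described above can be turned into a simple detector. The following is an added example (not code from the book or from Gu et al.'s system): it groups constructed flow records by (destination IP, TCP port), flags destinations that several internal clients first contacted within a short window while sending near-identical byte counts, and generalizes the "similar time" case in the text to a sliding time window. The flow records, thresholds and IP addresses are constructed assumptions, and no payload is inspected, so the check applies to encrypted traffic as well.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed flow records (not real captures): (timestamp_s, src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    # three internal hosts contact the same destination within 2 s with near-identical sizes
    (100.0, "10.0.0.11", "203.0.113.5", 8080, 212),
    (100.8, "10.0.0.12", "203.0.113.5", 8080, 214),
    (101.5, "10.0.0.13", "203.0.113.5", 8080, 211),
    # ordinary browsing to a popular site: same destination, but spread out and varied in size
    (100.0, "10.0.0.11", "198.51.100.7", 443, 1450),
    (160.0, "10.0.0.14", "198.51.100.7", 443, 620),
    (230.0, "10.0.0.15", "198.51.100.7", 443, 3100),
    (400.0, "10.0.0.12", "198.51.100.7", 443, 900),
]

def max_clients_in_window(times, window_s):
    """Largest number of first-contact times that fall inside any window of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def correlated_groups(flows, min_clients=3, window_s=5.0, max_size_cv=0.1):
    """Return {(dst_ip, dst_port): [clients]} for destinations whose clients behaved alike.
    Flagged when at least min_clients distinct sources first contacted the destination
    inside one window_s second window (temporal correlation) and the bytes they sent were
    nearly identical, coefficient of variation <= max_size_cv (similar report structure).
    """
    by_dest = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_dest[(dst, port)].append((ts, src, size))
    flagged = {}
    for key, recs in by_dest.items():
        first_seen, sizes = {}, []
        for ts, src, size in recs:
            first_seen[src] = min(ts, first_seen.get(src, ts))  # earliest contact per client
            sizes.append(size)
        if len(first_seen) < min_clients:
            continue
        mean = sum(sizes) / len(sizes)
        size_cv = pstdev(sizes) / mean if mean else 0.0
        if max_clients_in_window(first_seen.values(), window_s) >= min_clients and size_cv <= max_size_cv:
            flagged[key] = sorted(first_seen)
    return flagged
```

On the constructed records only the 203.0.113.5:8080 group is flagged; the browsing group shares a destination but fails both the timing and the size-similarity tests.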
When botnets switch to a peer-to-peer (P2P) structure and utilize multiple protocols for C&C, the above assumptions no longer hold. Consequently, the detection of P2P botnets is more difficult.
One possible approach is to design a particular kind of "Network Traffic Data Warehouse." By capturing enough network traffic data (training data), the proposed approach can profile (cluster) the behavior of normal application/user activities and separate it from other activities. In fact, the action sequence differs greatly between a normal user and a botnet. Since the botnet is dynamic (peers can be shut down or removed from the botnet at any time), a bot may first generate traffic to find the online peers on certain ports from its peer list, and then send a command to all the available peers. On the other hand, it is very unlikely that a normal user (or a majority of normal users) generates traffic in this way. Although normal users are capable of choosing arbitrary destinations, they usually concentrate on a small range of destinations of different popularity, whereas the peers chosen in P2P botnets are random regardless of the destination popularity.
In this way it is possible to compute statistical measures (e.g., the Behavior Proportion based Test or the Behavior Mean Distance based Test) in order to identify new samples of network traffic data (Chang and Daniels, 2009).
If the C&C server cannot be taken down, another option is to redirect malicious traffic to sinkholes, a strategy that found its way into recent mitigation techniques, either locally or globally. The sinkholes record malicious traffic, analyze it and drop it afterwards such that it cannot reach the original target it is meant for. One example of sinkholing is DDoS null-routing. In the case where traffic belongs to an ongoing DDoS attempt it is dropped and sometimes counted for later analysis. DDoS null-routing at border-routers is a promising approach to mitigate DDoS attacks but comes with the challenges of reliable identification of attack-related traffic and clean