An Investigation and Implementation of Botnet Detection Schemes
Speaker: Chiang Hong-Ren
Outline
•Abstract
•Introduction
•Botnet Environment
•Data analysis
•Traffic analysis
•Threshold Random Walk
•Evaluation
•Conclusion
2016/7/15
2
Abstract
• A botnet is defined not by a specific piece of malware but by the method of control: a network, possibly of thousands or millions of hosts, under the command of an attacker.
• The tool integrates system information to help users identify unexpected network connections.
• Since a bot is a program running on a host, its behavior and response time are supra-human; we use the Threshold Random Walk (TRW) algorithm for online detection.
Introduction
• To address the problem, we analyze botnet characteristics and propose a botnet emulation toolkit and a detection scheme.
• How big is the problem?
  - Vint Cerf has estimated that about one quarter of all computers on the Internet are part of a botnet.
• Botnet features
  - Host control
  - Command and control
  - Exploits and attacks
• Assumptions
  - Observation: unlike most other Internet incidents, bots mainly reside on personal computers.
  - Bot herders control the bots for the whole of their uptime.
Botnet environment(1/2)
• Support software
  - Cygwin: a Linux-like environment for Windows.
  - SSH: a network protocol that allows data to be exchanged over a secure channel between two computers.
  - IRC server: Hybrid IRC daemon is a daemon for serving and controlling an IRC network.
Fig. 1. Environment topology
Botnet environment(2/2)
• Experiment process
  - Parameter setting
  - Environment setup
  - Launch bots
Data analysis(1/2)
• Response time: the interval from when a sender transmits a message until the receiver answers it.
• Data source
  - The botnet traffic was monitored in a testbed built with the emulation toolkit.
  - We acquired a number of SDbot traces on both the herder side and the bot side.
  - The herder used a common Unix IRC client, irssi.
  - We also collected three kinds of client traffic in different protocols: IRC, HTTP and SSH.
• Similarity examinations
  - Temporal similarity: bots reply to messages at nearly the same time.
  - Since all bots receive the same command, they should perform the same activity, such as connecting to the same host.
  - Even when the messages are encrypted, their sizes are still the same.
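To make the three similarity checks concrete, the following Python is an added example (not the authors' tool) that applies them to a constructed set of replies recorded after one herder command. The record layout, the 100 ms grouping window and the sample addresses and sizes are assumptions of this example.

```python
"""Similarity examination of replies following one herder command (added example).

Each record is (t_seconds after the command, src_host, dst_host, payload_bytes),
a layout assumed for this example.  Hosts whose replies fall within a short
window of each other are grouped (temporal similarity), and each group is then
checked for the two other signs of coordination: the same destination host and
the same message size (which survives encryption of the payload).
"""
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int]

# Constructed sample: three SDbot hosts answer within 12 ms of each other and
# contact the same target with equal-sized messages; one human IRC user replies
# seconds later to a different host.
SAMPLE: List[Record] = [
    (0.310, "10.0.0.11", "198.51.100.7", 86),
    (0.322, "10.0.0.12", "198.51.100.7", 86),
    (0.318, "10.0.0.13", "198.51.100.7", 86),
    (4.900, "10.0.0.50", "203.0.113.9", 41),
]


def cluster_by_time(records: List[Record], window_s: float) -> List[List[Record]]:
    """Greedy temporal clustering: a record joins the open group if it falls
    within window_s of that group's first reply, otherwise it starts a new group."""
    groups: List[List[Record]] = []
    for rec in sorted(records):
        if groups and rec[0] - groups[-1][0][0] <= window_s:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return groups


def coordinated_groups(records: List[Record], window_s: float = 0.1,
                       min_hosts: int = 2) -> List[Dict]:
    """For every temporally similar group of at least min_hosts distinct hosts,
    report whether the replies also share destination and size."""
    result = []
    for group in cluster_by_time(records, window_s):
        hosts = sorted({r[1] for r in group})
        if len(hosts) < min_hosts:
            continue
        times = [r[0] for r in group]
        result.append({
            "hosts": hosts,
            "spread_s": round(max(times) - min(times), 3),
            "same_destination": len({r[2] for r in group}) == 1,
            "same_size": len({r[3] for r in group}) == 1,
        })
    return result


if __name__ == "__main__":
    for g in coordinated_groups(SAMPLE):
        print(g)
```

The window is the sensitive parameter: too wide and unrelated users who happen to answer within the same second are grouped, too narrow and bots on congested links are split apart; in practice it is tuned against the response-time distributions of the collected traces.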
Data analysis(2/2)
• Supra-human behaviors
• Service-like response
• Quick request
Traffic analysis
Threshold Random Walk
Let $Y = (Y_1, \dots, Y_n)$ be the sequence of observations for a host, $H_1$ the hypothesis that the host is a bot and $H_0$ that it is benign. The likelihood ratio is

$$\Lambda(Y) = \frac{\Pr[Y \mid H_1]}{\Pr[Y \mid H_0]} = \frac{\Pr[Y_1, \dots, Y_n \mid H_1]}{\Pr[Y_1, \dots, Y_n \mid H_0]}$$

Decision rule with thresholds $\eta_0 < \eta_1$:
- Accept hypothesis $H_1$ if $\Lambda(Y) \ge \eta_1$
- Accept hypothesis $H_0$ if $\Lambda(Y) \le \eta_0$
- Need more observations if $\eta_0 < \Lambda(Y) < \eta_1$
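As an added illustration (not the authors' detection module), the following Python runs the sequential test above over a host's response times, one reply at a time. The observation model, the 0.5 s supra-human cut-off, the per-hypothesis probabilities theta0 and theta1, and the use of Wald's threshold approximations eta1 = beta/alpha and eta0 = (1-beta)/(1-alpha) are assumptions of this example.

```python
"""Threshold Random Walk over a host's response times (added example).

Observation model (assumed): Y_i = 1 when the host's reply to a message arrives
faster than a human could type one, 0 otherwise.  H1 = "host is a bot",
H0 = "host is benign".  The walk accumulates ln Lambda(Y_1..Y_n) and stops at
the first threshold crossing, so most hosts are decided after a few replies.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TRWDetector:
    theta0: float = 0.2        # Pr[Y_i = 1 | H0]: humans sometimes answer fast (assumed)
    theta1: float = 0.8        # Pr[Y_i = 1 | H1]: bots almost always answer fast (assumed)
    alpha: float = 0.01        # bound on the false-positive probability
    beta: float = 0.99         # desired detection probability
    fast_reply_s: float = 0.5  # assumed supra-human cut-off, in seconds

    def __post_init__(self) -> None:
        # Wald's approximations for the SPRT thresholds, eta1 > eta0.
        self.eta1 = self.beta / self.alpha
        self.eta0 = (1.0 - self.beta) / (1.0 - self.alpha)
        self.log_lambda = 0.0   # running ln Lambda(Y_1..Y_n)
        self.n = 0
        self.verdict: Optional[str] = None

    def observe(self, response_time_s: float) -> Optional[str]:
        """Feed one response time; return 'bot', 'benign' or None (undecided)."""
        if self.verdict is not None:
            return self.verdict
        y = 1 if response_time_s < self.fast_reply_s else 0
        # Likelihood ratio of this single Bernoulli observation, added in log space.
        if y:
            self.log_lambda += math.log(self.theta1 / self.theta0)
        else:
            self.log_lambda += math.log((1.0 - self.theta1) / (1.0 - self.theta0))
        self.n += 1
        if self.log_lambda >= math.log(self.eta1):
            self.verdict = "bot"      # Lambda(Y) >= eta1: accept H1
        elif self.log_lambda <= math.log(self.eta0):
            self.verdict = "benign"   # Lambda(Y) <= eta0: accept H0
        return self.verdict


def classify(response_times: List[float]) -> Tuple[Optional[str], int]:
    """Run the walk over a host's replies; return (verdict, observations used)."""
    det = TRWDetector()
    for rt in response_times:
        if det.observe(rt) is not None:
            break
    return det.verdict, det.n


if __name__ == "__main__":
    # Constructed traces: seconds between a herder command and each host's reply.
    traces = {
        "sdbot-1": [0.05, 0.08, 0.04, 0.06],
        "irssi-user": [2.1, 3.4, 1.8, 5.0],
        "mixed": [0.05, 2.0, 0.05, 0.05, 0.05, 0.05],
    }
    for host, rts in traces.items():
        print(host, classify(rts))
```

With these parameters each fast reply adds ln 4 to the walk and each slow one subtracts it, while ln eta1 is about 4.6, so four consistent observations decide a host and a single slow reply from a bot only delays the verdict by two steps rather than reversing it.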
Evaluation
Conclusion
• The goal of this study is to decide whether a host is a bot or not.
• We built three implementations toward that goal:
  - An emulation toolkit that combines several scripts for Emulab, useful for researchers interested in IRC botnet behavior.
  - A host-side tool that integrates several system utilities.
  - A detection module for the Bro IDS, based on network analysis.