Botnets have continuously evolved since their inception as a malicious entity. Attackers come up with new botnet designs that exploit the weaknesses in existing defense mechanisms and continue to evade detection. It is necessary to analyze the weaknesses of existing defense mechanisms to find out the lacunae in them. This research exposes a weakness found in an existing bot detection method (BDM) by implementing a specialized P2P botnet model and carrying out experiments on it. Weaknesses that are found and validated can be used to predict the development path of botnets, and as a result, detection and mitigation measures can be implemented in a proactive fashion. The main contribution of this work is to demonstrate the exploitation pattern of an inherent weakness in local-host alert correlation (LHAC) based methods and to assert that current LHAC implementations could allow pockets of cooperative bots to hide in an enterprise-size network. This work suggests that additional monitoring capabilities must be added to current LHAC-based methods in order for them to remain a viable bot detection mechanism. This paper takes a forward-looking approach and presents a specific botnet development path based on a weakness evident in a successful BDM. This BDM will be defined as a local-host alert correlation (LHAC) based method. Further, this paper elaborates on the design and implementation of a different model for P2P botnet communication and describes the experiments conducted. The experiments demonstrate that the proposed botnet model can effectively hide from an LHAC-based BDM without having to rely on additional communication hiding tactics. It is often necessary to create a "proof-of-concept" that validates that a given vulnerability is exploitable. Therefore, this botnet model is tested against BotHunter [7]. BotHunter is a successful LHAC-based BDM.
BotHunter is able to map a host's behavior to a malware infection life-cycle in order to flag compromised hosts as malware. The covert-botnet model tested in this work is able to circumvent BotHunter, and is implemented with this specific intent. The concept behind this model is extensible. Slight modifications to the covert-botnet framework would enable it to hide from any LHAC-based BDM that does not have the ability to account for all of a local host's network activity. Any botnet that is able to, somehow, circumvent the monitoring points employed by a BDM would be able to avoid detection in a similar manner.
Wireless network access has become an integral part of computing both at home and at the workplace. The convenience of wireless network access at work may be extremely beneficial to employees, but can be a burden to network security personnel. This burden is magnified by the threat of inexpensive wireless access points being installed in a network without the knowledge of network administrators. These devices, termed Rogue Wireless Access Points, may allow a malicious outsider to access valuable network resources, including confidential communication and other stored data. For this reason, wireless connectivity detection is an essential capability, but remains a difficult problem. We present a method of detecting wireless hosts using a local RTT (round-trip time) metric and a novel packet payload slicing technique. The local RTT metric provides the means to identify physical transmission media while packet payload slicing conditions network traffic to enhance the accuracy of the detections. Most importantly, the packet payload slicing method is transparent to both clients and servers and does not require direct communication between the monitoring system and monitored hosts.
(2008). RIPPS: Rogue Identifying Packet Payload Slicer detecting unauthorized wireless hosts through network traffic conditioning.