
Research On Countermeasure Techniques For The Botnet

Posted on: 2011-11-09    Degree: Doctor    Type: Dissertation
Country: China    Candidate: W Wang    Full Text: PDF
GTID: 1118330338489384    Subject: Computer system architecture
Abstract/Summary:
With the fast development of the Internet, computers and networks have become indispensable elements of daily life. However, the Internet faces many security threats, and botnets are one of them. A botnet is a set of computers secretly controlled by an attacker. A botnet is not a particular attack but a platform, which can be used to launch attacks with broader coverage, higher intensity and greater difficulty of prevention. The high activity of botnets has drawn considerable attention from defenders. There are five research areas for botnets: detection, measurement, tracking, proactive defense and botnet architecture research. Detection is the foundation of measurement, tracking and active defense. Architecture research is the precursor of defending against future botnets. Although the honeypot is not itself a botnet research area, it provides deep support for detection, measurement and tracking, so research on honeypots is important for botnet defense. This dissertation focuses on countermeasure techniques for botnets. The main contents are as follows.

First, the definition, attributes, timeline and main dangers of botnets are presented. The dissertation then surveys current research in the five areas of botnet research and sets out its own contents and aims.

Research on a distributed honeypot deployment model for capturing bot samples. Capturing bot samples is the foundation of botnet research, and analyzing bot samples provides strong support for researching botnets. There has been little research on honeypot deployment. The model discussed in this dissertation expounds the relationship among the needs of bot sample analysis, the spreading attributes of bot samples, detection time, detection probability and honeypot deployment parameters. Based on analysis of the model, a honeypot deployment threshold and a network distance are proposed. These two parameters give the number and position of honeypots to deploy.
This can guide the construction of distributed honeypot systems and achieve a balance between economy and efficiency. This work fills a gap in honeypot deployment research.

Research on the detection of IRC-based botnets. There are two problems with current detection algorithms for IRC-based botnets. One is that they require some prior knowledge of the botnet to generate matching patterns. The other is that they cannot perform detection online. To solve these problems, this dissertation proposes two IRC botnet detection algorithms based on host behavior. Three attributes, LCS rate, compositive distance and RN Dice coefficient, are discussed to quantify the similarity of nicknames from three aspects: content, composition and structure. To detect IRC botnets online, an extended TRW (Threshold Random Walk) algorithm based on nickname similarity is proposed. The dissertation also proposes a detection algorithm based on the command sequence of IRC clients.

Research on the architecture of a recoverable botnet. Botnet architecture research is another way to defend against botnets: it provides a guard against future botnets. The command and control (C&C) channel is the anchor point of a botnet and has robustness as its design goal. The C&C structures of most current botnets reach what the dissertation terms the second level of robustness. This dissertation proposes a recoverable botnet that reaches the third level. This botnet has two C&C channels: it uses a sniffer-based method to obtain commands and uses Tor hidden services to protect the key nodes of the botnet. When the communication C&C channel cannot work, the recovery C&C channel is used to rebuild the botnet. The dissertation discusses the weak points of this recoverable botnet, whose design extends the lifecycle of a botnet.
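The following is an added illustration of the IRC nickname-similarity detection described above; it is not code from the dissertation. The page names the three features (LCS rate, compositive distance, RN Dice coefficient) but not their formulas, so the definitions here are assumptions: LCS rate is the longest-common-subsequence length divided by the longer nickname, "compositive distance" is modelled as half the L1 distance between the letter/digit/other ratios of the two nicknames, and the structural term is a Dice coefficient over character bigrams. The online part follows Jung et al.'s Threshold Random Walk sequential hypothesis test, with one observation per channel join ("success" = the new nickname closely resembles one already present); the parameters, the `SIM_THRESHOLD` cut-off and the two sample channels are constructed for the example.

```python
# Added example (not from the dissertation): nickname-similarity features and a
# Threshold Random Walk (TRW) sequential test over IRC channel joins.
#
# Assumed definitions (the page does not give the dissertation's exact formulas):
#   LCS rate             = len(LCS(a, b)) / max(len(a), len(b))                 (content)
#   compositive distance = 0.5 * L1 distance of letter/digit/other ratios       (composition)
#   Dice coefficient     = over character-bigram multisets                      (structure)
#   TRW                  = Jung et al.'s sequential hypothesis test; a "success"
#                          is a join whose nickname resembles an existing one.
from collections import Counter
from typing import List, Optional, Tuple

SIM_THRESHOLD = 0.6  # assumed cut-off for "looks generated from the same template"


def lcs_length(a: str, b: str) -> int:
    """Longest-common-subsequence length, O(len(a)*len(b)) with a rolling row."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_rate(a: str, b: str) -> float:
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def dice_coefficient(a: str, b: str) -> float:
    """Dice similarity of the two nicknames' character-bigram multisets."""
    ba = Counter(a[i:i + 2] for i in range(len(a) - 1))
    bb = Counter(b[i:i + 2] for i in range(len(b) - 1))
    if not ba and not bb:
        return 1.0 if a == b else 0.0
    if not ba or not bb:
        return 0.0
    shared = sum((ba & bb).values())
    return 2.0 * shared / (sum(ba.values()) + sum(bb.values()))


def composition(s: str) -> Tuple[float, float, float]:
    """Fraction of letters, digits and other characters in a nickname."""
    n = len(s) or 1
    letters = sum(c.isalpha() for c in s)
    digits = sum(c.isdigit() for c in s)
    return letters / n, digits / n, (len(s) - letters - digits) / n


def compositive_distance(a: str, b: str) -> float:
    """0.0 for the same letter/digit/other mix, 1.0 for completely different mixes."""
    return 0.5 * sum(abs(x - y) for x, y in zip(composition(a), composition(b)))


def nick_similarity(a: str, b: str) -> float:
    """Average of the content, structure and (inverted) composition terms, in [0, 1]."""
    a, b = a.lower(), b.lower()
    return (lcs_rate(a, b) + dice_coefficient(a, b) + (1.0 - compositive_distance(a, b))) / 3.0


class NicknameTRW:
    """Sequential test: H0 = normal channel (similar joins rare, rate theta0),
    H1 = botnet channel (similar joins common, rate theta1)."""

    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01):
        self.theta0, self.theta1 = theta0, theta1
        self.eta0 = beta / (1.0 - alpha)   # accept H0 (benign) at or below this ratio
        self.eta1 = (1.0 - beta) / alpha   # accept H1 (botnet) at or above this ratio
        self.ratio = 1.0                   # running likelihood ratio
        self.decision: Optional[str] = None

    def observe(self, similarity: float) -> Optional[str]:
        if self.decision is not None:
            return self.decision
        if similarity >= SIM_THRESHOLD:
            self.ratio *= self.theta1 / self.theta0
        else:
            self.ratio *= (1.0 - self.theta1) / (1.0 - self.theta0)
        if self.ratio >= self.eta1:
            self.decision = "botnet"
        elif self.ratio <= self.eta0:
            self.decision = "benign"
        return self.decision


def classify_channel(joins: List[str], **trw_kwargs) -> Tuple[Optional[str], int]:
    """Feed nicknames in join order. Each new nickname is compared with those already in
    the channel and its best match is one TRW observation, so the verdict is reached
    online, without waiting for the whole channel roster or any prior signature."""
    trw, seen, observations = NicknameTRW(**trw_kwargs), [], 0
    for nick in joins:
        if seen:
            observations += 1
            if trw.observe(max(nick_similarity(nick, s) for s in seen)) is not None:
                return trw.decision, observations
        seen.append(nick)
    return trw.decision, observations


# Constructed sample channels (not captured data): template-generated bot nicknames
# of the form COUNTRY|NUMBER|OS versus hand-picked human nicknames.
BOT_CHANNEL = ["USA|0012|xp", "USA|0458|xp", "DEU|0917|xp", "USA|1203|xp", "FRA|0031|xp"]
BENIGN_CHANNEL = ["alice", "bob_k", "Mallory42", "d4ve", "eve"]

if __name__ == "__main__":
    print("bot channel   ->", classify_channel(BOT_CHANNEL))      # ('botnet', 4)
    print("benign channel->", classify_channel(BENIGN_CHANNEL))   # ('benign', 4)
```

With the assumed parameters (theta0 = 0.2, theta1 = 0.8, alpha = beta = 0.01) each similar join multiplies the ratio by 4 and each dissimilar join by 0.25, so four consecutive observations in either direction settle the verdict; tuning theta0/theta1 against real channel data is what decides the false-positive rate in practice.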
To defend against such an advanced botnet, preventing the abuse of public services, infiltrating the botnet to track its activities, and monitoring the subsequent actions of zombies may play an important role.

Design and implementation of a botnet detection system for large-scale networks. This system is based on a high-speed packet capturing platform. It uses honeymonkey and honeypots to catch bot samples and generates botnet rules in the form of URLs and sensitive-content keywords. A rule-based HTTP botnet detection algorithm and the host-behavior-based IRC botnet detection algorithm are the kernel of this system. The dissertation analyzes the detection results in detail. The results reflect that botnets are still active, and the detection results show that the detection system is correct and valid.
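As an added illustration of the rule-based HTTP detection described above (not the dissertation's own code), the block below matches raw HTTP requests against the two rule kinds the page names: URL rules and sensitive-content keyword rules. The rule format, the `Rule` class, the rule set and the request samples are all constructed here; none of the hosts, paths or keywords are indicators from the dissertation's system.

```python
# Added example (not from the dissertation): matching HTTP requests against URL rules
# and sensitive-content keyword rules of the kind a honeypot-fed rule generator would emit.
# Rules, hosts, paths and sample requests are constructed for illustration only.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    url: Optional[str] = None      # "host/path" prefix observed in a bot sample's C&C request
    keyword: Optional[str] = None  # sensitive string observed in a bot sample's query or body


RULES = [  # hypothetical rules, as if generated from captured bot samples
    Rule("R1", url="cnc.example.invalid/gate.php"),
    Rule("R2", url="cnc.example.invalid/update/"),
    Rule("R3", keyword="botid="),
    Rule("R4", keyword="cmd=ddos"),
]


def parse_http_request(raw: str) -> Dict[str, str]:
    """Minimal HTTP/1.x request parser: method, normalised host/path, query and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    m = re.match(r"https?://([^/]+)(/.*)?$", target, re.IGNORECASE)
    if m:  # absolute-form target (proxy style): host and path come from the URL itself
        host, target = m.group(1), m.group(2) or "/"
    host = host.lower().split(":", 1)[0]  # case-fold and drop an explicit port
    path, _, query = target.partition("?")
    return {"method": method, "url": f"{host}{path}", "query": query, "body": body}


def match_rules(raw: str, rules: List[Rule] = RULES) -> List[str]:
    """Return the ids of every rule the request triggers (URL prefix or keyword hit)."""
    req = parse_http_request(raw)
    searchable = (req["query"] + "\n" + req["body"]).lower()
    hits = []
    for rule in rules:
        if rule.url is not None and req["url"].startswith(rule.url.lower()):
            hits.append(rule.rule_id)
        elif rule.keyword is not None and rule.keyword.lower() in searchable:
            hits.append(rule.rule_id)
    return hits


# Constructed sample requests (not captured traffic).
BOT_POST = ("POST /gate.php HTTP/1.1\r\nHost: cnc.example.invalid\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\n"
            "botid=0012&cmd=ddos&t=10")
BOT_GET = "GET /gate.php?botid=7 HTTP/1.1\r\nHost: CNC.Example.invalid\r\n\r\n"
BOT_UPDATE = ("GET http://cnc.example.invalid:8080/update/bot.exe HTTP/1.1\r\n"
              "Host: cnc.example.invalid:8080\r\n\r\n")
BENIGN_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("BOT_POST", BOT_POST), ("BOT_GET", BOT_GET),
                      ("BOT_UPDATE", BOT_UPDATE), ("BENIGN_GET", BENIGN_GET)]:
        print(f"{name:11s} -> {match_rules(req)}")
```

Two caveats a practitioner would attach to this kind of rule: a URL rule is only as durable as the bot's choice of host and path, and a keyword rule needs the payload in the clear, so both are best paired with the host-behavior detection the page uses for IRC traffic.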
Keywords/Search Tags: network security, botnet, botnet detection, honeypot deployment, command and control, TRW algorithm