Research On Hybrid Botnet Ecological Environment

Posted on: 2016-04-18 | Degree: Master | Type: Thesis
Country: China | Candidate: Y M Dai | Full Text: PDF
GTID: 2298330467493226 | Subject: Computer Science and Technology
Abstract/Summary:
In recent years, botnets have caused serious harm to the Internet, and they will continue to be one of the most threatening attack platforms. Therefore, research into defense against botnets, especially countermeasures against the command and control (C&C) protocol, has become increasingly significant. However, most existing research efforts lack safe and efficient analysis platforms for C&C protocol fuzzing. Moreover, owing to the complex triggering conditions of botnet behaviors, these analysis platforms are unable to discover some of the "potential" behaviors of bots. More importantly, there is no relatively closed and controllable environment in which to conduct botnet countermeasure experiments without harming the Internet. Consequently, we propose the Hybrid Botnet Ecological Environment (HBEE), which aims to address the problems identified above. HBEE provides various virtual machine (VM) operating environments, set through both hardware and software configurations, so that bots expose as many of their execution paths as possible and their C&C protocol vulnerabilities can be mined. It also simulates a large-scale botnet with a small amount of resources using VirtualBots and verifies the correctness of the server's functions. More importantly, HBEE provides a closed and controlled environment for experiments in botnet measurement, tracking and countermeasures that avoids harming the Internet.

In this paper, we first propose a model for the botnet ecological environment, which consists of IaaS, a Bot Group, a HoneyServer Group and monitoring systems, and then carry out a detailed design for each of them. Next, we introduce the key technologies needed to implement the model, including VirtualBots-based server assessment techniques, bot vulnerability mining techniques and botnet countermeasure techniques. Then, on the basis of the first two chapters, we implement HBEE, which takes OpenStack as its IaaS. OpenStack is mainly responsible for providing infrastructure services, the VirtualBot module for server assessment, the Analysis Center for displaying real-time data, and the automatic module, which includes the independently developed ADHIPS and the open-source Cuckoo Sandbox, for analyzing malicious bots. Finally, we successfully conducted a series of experiments based on HBEE, including experiments on server functional verification, automatic analysis of malicious bots, and botnet countermeasures. Our preliminary results show that the implemented HBEE is feasible for solving the problems above.
Keywords/Search Tags: Botnet, C&C, IaaS, OpenStack, HBEE