Pattern Programmable Kernel Filter for Bot Detection

  • Kritika Govind National Institute of Technology, Tiruchirappalli
  • Vivek Kumar Pandey National Institute of Technology, Tiruchirappalli
  • S. Selvakumar National Institute of Technology, Tiruchirappalli
Keywords: Command and control, SpyEye exploit kit, WFP (Windows Filtering Platform), kernel, zombie

Abstract

Bots earn their name because they perform a wide variety of automated tasks, including stealing sensitive user information. Detection approaches such as behavioral correlation of flow records, group activity in DNS traffic, and observation of periodic repeatability in communication all rely on monitoring network traffic and then classifying it as bot or normal traffic. Other bot detection approaches include kernel-level keystroke verification, system call initialization, and IP blacklisting. The first two give no assurance that a packet carrying user information is prevented from being sent to the attacker, and the last suffers from the problem of IP spoofing. This motivated us to look for a solution that filters out malicious packets before they are put onto the network. To arrive at such a solution, a real-time bot attack was generated with the SpyEye exploit kit and its traffic characteristics were analyzed. The analysis revealed a unique, repeated communication between the zombie machine and the botmaster. Based on this, we propose a Pattern Programmable Kernel Filter (PPKF) for filtering out the malicious packets generated by bots. PPKF was developed using the Windows Filtering Platform (WFP) filter engine and was programmed to filter out packets carrying the unique pattern observed in the bot attack experiments. PPKF was found to completely suppress the flow of packets having the programmed uniqueness in them, thus preventing the bots from sending user information to the botmaster.
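
The abstract describes PPKF as a WFP-based kernel filter that is programmed with the byte pattern observed in the bot's repeated communication and blocks any outbound packet carrying it. The following is an added user-mode model of that classification step, written for this page; it is not the authors' PPKF code and not a WFP callout driver. In a real WFP callout the same decision would be made inside the classify callback on the outbound transport layer, returning a block action instead of an enum value. The rule table, the `ppkf_*` names, the `PLACEHOLDER_BOT_MARKER` string and the sample payloads are all constructed for the example; the paper does not publish the pattern it used.

```c
/* User-mode model of a pattern-programmable packet classifier.
 * Added example: not the PPKF driver from the paper, not WFP code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { PPKF_PERMIT = 0, PPKF_BLOCK = 1 } ppkf_action;

/* One programmable rule: a raw byte sequence that marks a packet as bot traffic. */
typedef struct {
    const uint8_t *bytes;
    size_t len;
    const char *name;
} ppkf_pattern;

#define PPKF_MAX_PATTERNS 8
static ppkf_pattern g_patterns[PPKF_MAX_PATTERNS];
static size_t g_pattern_count = 0;

/* "Program" the filter at runtime. Returns 0 on success, -1 if the table is
 * full or the pattern is empty (an empty pattern would match every packet). */
int ppkf_add_pattern(const uint8_t *bytes, size_t len, const char *name)
{
    if (g_pattern_count >= PPKF_MAX_PATTERNS || len == 0 || bytes == NULL)
        return -1;
    g_patterns[g_pattern_count].bytes = bytes;
    g_patterns[g_pattern_count].len = len;
    g_patterns[g_pattern_count].name = name;
    g_pattern_count++;
    return 0;
}

void ppkf_clear_patterns(void) { g_pattern_count = 0; }

/* Byte-wise search: payloads may contain NUL bytes, so strstr() is not usable. */
static int ppkf_contains(const uint8_t *hay, size_t hlen,
                         const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Classification step, modelled after a WFP classify callback: inspect an
 * outbound payload and block it if any programmed pattern occurs in it.
 * If `matched` is non-NULL it receives the name of the rule that fired. */
ppkf_action ppkf_classify(const uint8_t *payload, size_t len, const char **matched)
{
    for (size_t i = 0; i < g_pattern_count; i++) {
        if (ppkf_contains(payload, len, g_patterns[i].bytes, g_patterns[i].len)) {
            if (matched) *matched = g_patterns[i].name;
            return PPKF_BLOCK;
        }
    }
    if (matched) *matched = NULL;
    return PPKF_PERMIT;
}

/* Constructed sample payloads (not captured traffic). DEMO_MARKER is a
 * placeholder standing in for the repeated pattern the paper observed. */
#define DEMO_MARKER "PLACEHOLDER_BOT_MARKER"
static const uint8_t demo_bot[] = "POST /collect HTTP/1.1\r\nX-Id: " DEMO_MARKER "\r\n\r\n";
static const uint8_t demo_bin[] = { 0x00, 0x01, 'P', 'L', 'A', 'C', 'E', 0x00 };
static const uint8_t demo_ok[]  = "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n";
static const uint8_t demo_hdr_pat[] = { 0x00, 0x01, 'P' }; /* binary rule with a NUL */

/* Programs two rules (text marker, binary header), runs the constructed
 * samples through the filter and returns how many were blocked. */
int ppkf_run_samples(void)
{
    const struct { const uint8_t *p; size_t n; } samples[] = {
        { demo_bot, sizeof demo_bot - 1 },   /* carries the text marker  -> BLOCK  */
        { demo_bin, sizeof demo_bin },       /* carries the binary header -> BLOCK  */
        { demo_ok,  sizeof demo_ok - 1 },    /* ordinary request          -> PERMIT */
    };
    int blocked = 0;
    ppkf_clear_patterns();
    ppkf_add_pattern((const uint8_t *)DEMO_MARKER, sizeof DEMO_MARKER - 1, "marker");
    ppkf_add_pattern(demo_hdr_pat, sizeof demo_hdr_pat, "binhdr");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why = NULL;
        if (ppkf_classify(samples[i].p, samples[i].n, &why) == PPKF_BLOCK) {
            blocked++;
            printf("packet %zu: BLOCK (rule %s)\n", i, why);
        } else {
            printf("packet %zu: PERMIT\n", i);
        }
    }
    return blocked;
}

int main(void) { return ppkf_run_samples() == 2 ? 0 : 1; }
```

The point of the byte-wise matcher is that a kernel filter sees raw payload, not C strings: the binary rule starts with a NUL byte and still matches, which a `strstr`-based check would miss. The rule table being filled at runtime is what makes the filter "programmable" in the sense the abstract uses, as opposed to a pattern compiled into the driver.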

Defence Science Journal, 2012, 62(1), pp.174-179, DOI:http://dx.doi.org/10.14429/dsj.62.1425

Author Biographies

Kritika Govind, National Institute of Technology, Tiruchirappalli
Ms Kritika Govind received her BE (Computer Sci. Engg) from Sakthi Marriaman Engineering College, Anna University, Chennai, Tamil Nadu, in 2009. She is working as a Research Assistant in the Department of Computer Science and Engineering, National Institute of Technology (NIT), Tiruchirappalli, Tamil Nadu. She is also pursuing her Master of Science (MS by Research) in Computer Science and Engineering at NIT, Tiruchirappalli. Her areas of interest include cyber security and network security.
Vivek Kumar Pandey, National Institute of Technology, Tiruchirappalli
Mr Vivek Kumar Pandey is pursuing his BE (Computer Sci. Engg) at National Institute of Technology, Tiruchirappalli. He has a keen interest in coding, and his fields of interest include network security besides astrophysics.
S. Selvakumar, National Institute of Technology, Tiruchirappalli
Dr S. Selvakumar is a Professor in the Department of Computer Science and Engineering, National Institute of Technology, Tiruchirappalli, Tamil Nadu, India. He received his PhD from the Indian Institute of Technology Madras (IITM), Chennai, in 1999. His research interests include group communication in high-speed networks, routing, multimedia communication, scheduling for QoS guarantee, mobile networks, network security, wireless sensor networks, and network computing. He has 54 research papers to his credit. He is currently the Investigator of the Collaborative Directed Basic Research–Smart and Secure Environment (CDBR-SSE) Project sponsored by NTRO, Government of India, New Delhi. He is presently a member of the All India Board of IT Education, AICTE, New Delhi.

Published: 2012-07-06
How to cite: Govind, K., Pandey, V. K., & Selvakumar, S. (2012). Pattern Programmable Kernel Filter for Bot Detection. Defence Science Journal, 62(3), 174-179. https://doi.org/10.14429/dsj.62.1425
Section: Computers & Systems Studies