BoDeS

Currently, one of the most significant threats to personal and corporate Internet security is the proliferation of botnets. Some approaches have been proposed in the last few years to detect botnets. However, they are continuously evolving, since protocols used for command and control are changing and the botnet structure is also moving from a centralized approach to a distributed architecture. An efficient and reliable botnet detection system should be independent of the command and control protocol, of the botnet structure and the infection model and should require no a priori knowledge of specific botnet characteristics (such as captured bot binaries, botnet signatures, etc).

The main purpose of this project is the development of a laboratorial platform for the real time detection of botnets and subsequent counter-measures deployment. The proposed detection approach should be based on diverse information types: the historical traffic profile of network users, on mathematical traffic models that can accurately describe network traffic and/or user profiles, on traffic measurements that can be carried out on some specific probes and on artificial intelligence systems that can take some combination of inputs in order to generate a relevant output that can used by the decision support system. Thus, the proposed platform should collect and store diverse network information that can be dispersed over several network components or obtained in a distributed way: (i) state variables and statistics that are calculated and maintained by network elements; (ii) log files that are stored on different types of network servers and elements; (iii) traffic captures or traffic statistics (for example, first and second order statistics, multifractal characteristics) that are extracted/inferred and stored on network probes that are distributed over the network infrastructure. In this way, the detection framework should inherently include a distributed system for traffic measurement, traffic analysis and network data collection.

Then, the proposed system will perform a joint analysis between the variables that characterize the network and the characteristics of the generated traffic, correlating them in order to identify deviations from the normal behaviour. Normal or legit network behaviours will be described by certain sets of variables’ values: this can be viewed as corresponding to certain areas in a multidimensional space defined by the different system variables (the dimension of this space can be quite large, depending on the number of necessary variables). An artificial intelligence classification module must classify or position each new set of variables’ values into the multidimensional space in order to detect possible deviations from the normal system behaviour. This is one of the main innovations of the proposed botnet detection system: it must be able to correlate different variables of the network activity in order to detect anomalous activity or traffic generated by each network element. The system must be constantly evolving in order to accommodate the appearance of new behaviours and reduce the future number of false positives and negatives.

For critical systems, the platform must be able to associate network traffic to users’ virtual identities, instead of simple network addresses. A user virtual identity is a pair formed by a user identity and a network role. Network roles provide different views of each user activities in the network and help to get more focused user profiles. Thus, all collected network data should contain some cryptographic, unforgeable proof of the sender’s virtual identity. Such virtual identity will increase accuracy and focus while building traffic profiles and will improve the detection of deviations from the normal caused by botnet PCs.

In these critical cases, the proposed system will also provide the mechanisms to enforce strong source authentication of all captured traffic. However, we want to enforce authentication of traffic towards (authorized) traffic analysers, and not towards normal link layer or network layer receivers of that traffic. This is a novel authentication requirement and the other main innovation of the proposed detection system: network hosts under observation should tag their traffic with new source authentication marks, computed from secrets bound to virtual identities. The system should provide the adequate key distribution architecture for producing and validating the tags and these should be included in the traffic at the appropriate protocol layers. Tags may be added by network elements (switches, gateways, etc.) and not necessarily by users’ machines.

Finally, the developed system must propose/suggest and deploy appropriate counter-measures for specific security problems or flaws that were identified: for example, change current routing approaches and decisions or change/optimize configurations on different network elements (servers, switches, routers, etc).