Auto-Pattern Programmable Kernel Filter (Auto-PPKF) for Suppression of Bot Generated Traffic

Full Text (PDF, 691KB), PP.48-54

Views: 0 Downloads: 0

Author(s)

Kritika Govind 1,* S. Selvakumar 1

1. National Institute of Technology, Tiruchirappalli

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2014.01.07

Received: 11 May 2016 / Revised: 1 Aug. 2016 / Accepted: 16 Sep. 2013 / Published: 8 Nov. 2013

Index Terms

Auto-PPKF, Bot, WFP, SpyEye Exploit Kit

Abstract

Bots usually vary from their other malicious counter parts by periodically reporting to the botmaster through regular exchange of messages. Our experiments on bot attack generation showed a continuous exchange of packets with similar content between the botmaster and the zombie machine at various time intervals. Though there were also genuine packets with similar content being sent out of the victim machine challenge was to differentiate between the two and pass only the genuine ones. In this paper, an algorithm namely Auto-Pattern Programmable Kernel Filter (Auto-PPKF), for automatic detection of patterns from packet payload for filtering out malicious packets generated by bots is proposed. The significant feature of our proposed Auto-PPKF algorithm is that, the malicious pattern is deduced at kernel level on the fly from packet payload. Traditional algorithms such as Boyer Moore, Knuth Morris Patt, and Naive Pattern search algorithms require the pattern to be identified available a priori. Currently, Longest Common Subsequence (LCS) algorithm stands as the most preferred algorithm for pattern matching. But the disadvantage is that common sequences can also exist in many genuine packets. Hence, the challenge lies in automatic detection of malicious patterns and filtering of the packets having such malicious patterns. This would not only put off the communication between the Botmaster and Zombie machine, but will also thus prevent user information from being sent to the botmaster.

Cite This Paper

Kritika Govind, S. Selvakumar, "Auto-Pattern Programmable Kernel Filter (Auto-PPKF) for Suppression of Bot Generated Traffic", International Journal of Computer Network and Information Security(IJCNIS), vol.6, no.1, pp.48-54, 2014. DOI:10.5815/ijcnis.2014.01.07

Reference

[1]Claudio Mazzariello and Carlo Sansone.“Anomaly-Based Detection of IRC Botnets by Means of One-Class Support Vector Classifiers”. Proceedings of the 15th International Conference Image Analysis and Processing - ICIAP 2009, Vietri sul Mare, Italy, September 8-11, 2009. LNCS 5716, pp. 883–892. Springer 2009, ISBN 978-3-642-04146-4_94. 
[2]Jae-Seo Lee, HyunCheol Jeong, Jun-Hyung Park, Minsoo Kim, Bong-Nam Noh. “The Activity Analysis of Malicious HTTP-based Botnets using Degree of Periodic Repeatability”, International Conference on Security Technology, SECTECH’08, December 13-15, 2008, Hainan Island, China. Pages: 83-86. ISBN: 978-0-7695-3486-2.
[3]Yousof Al and Uwe Aickelin, “Behavioral Correlation for Detecting P2P Bots” Second International Conference on Future Networks, ICFN 2010. January 22-24, 2010, Sanya, Hainan, China. Pages: 323-327, ISBN: 978-0-7695-3940-9.
[4]SubhabrataSen, Oliver Spatscheck, Dongmei Wang, “Accurate, Scalable In­Network Identification of P2P Traffic Using Application Signatures”, WWW2004, May 17.22, 2004, New York, New York, USA. ACM 1­58113­844­X/04/0005.
[5]‘Pattern Matching’ http://www.cs.princeton.edu/~rs/ AlgsDS07/21PatternMatching.pdf.
[6]Gaston H. Gonnet, Ricardo A. Baeza-Yates “An analysis of the Karp-Rabin String Matching Algorithm”, Information Processing Letters 34, 7 May 1990, North-Holland, pages 271-274.
[7]Jan Leeuwen, Handbook of Theoretical Computer Science: Algorithms and complexity, Volume 1, page no. 294, Elsevier Science, ISBN: 9780444880710.
[8]Byung-Chul Park, Young J. Won, Myung-Sup Kim, James W. Hong, “Towards Automated Application Signature Generation for Traffic Identification”, 2008 IEEE, ISSN no. 978-1-4244-2066-7.
[9]Christian Kreibich, Jon Crowcroft, “Honeycomb: Creating Intrusion Detection Signatures Using Honeypots”, ACM SIGCOMM Computer Communications Review, Volume 34, Issue Number 1: January 2004, Pages 51-56.
[10]Alper Caglayan, Mike Toothaker, Dan Drapaeau , Dustin Burke, Gerry Eaton, “Behavioral Analysis of Fast Flux Service Networks”, CSIIRW '09, April 13-15, Oak Ridge, Tennessee, USA , 2009. ACM 978-1-60558-518-5.
[11]AlperCaglayan, Mike Toothaker, Dan Drapeau, Dustin Burke and Gerry Eaton, “Real-Time Detection of Fast Flux Service Networks”, Proceedings of the 2009 Cybersecurity Applications & Technology for Homeland Security, CATCH’09. Pages 285-292, 2009 IEEE, ISBN No. 978-0-7695-3568-5.
[12]Peter Marko, Peter Vilhan, “Efficient Detection of Malicious Nodes Based on DNS and Statistical Methods”, SAMI 2012, 10th IEEE Jubilee International Symposium on Applied Machine Intelligence and Informatics, January 26-28, 2012, Herl’any, Slovakia.
[13]MiroslawSzymczyk, “Detecting Botnets in Computer Networks Using Multi-Agent Technology”, 2009 Fourth International Conference on Dependability of Computer Systems, ISSN No. 978-0-7695-3674-3, 2009 IEEE.
[14]Liang Lu, Jeffrey Horton, ReihanehSafavi-Naini, and Willy Susilo, “Transport Layer Identification of Skype Traffic” ICOIN 2007, LNCS 5200, pp. 465–481, 2008, Springer-Verlag Berlin Heidelberg 2008.
[15]Ali Shiravi, Hadi Shiravi, Mahbod Tavallaee, Ali A. Ghorbani, “Toward developing a systematic approach to generate benchmark datasets for intrusion detection”, Journal of Computers & Security 3I (2012), pp.357-374, Elseveir Publications.
[16]Kritika Govind, Vivek Kumar Pandey, and S. Selvakumar, “Pattern Programmable Kernel Filter for Bot dectection” Vol. 62, No. 3, May 2012, pp.174-179, Defence Science Journal (DSJ), DESIDOC India.
[17]Vadodil Joel Varghese and Stuart Walker, ‘Dissecting Andro Malware’, University of Essex 2011, Information Security Reading Room, SANS Institute.
[18]Experimental Security Analysis of a Modern Automobile, Karl Koscher, Alexei Czeskis, FranziskaRoesner, Shwetak Patel, and Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, HovavShacham, and Stefan Savage, 2010 IEEE Symposium on Security and Privacy, See http://www.autosec.org/ for more information.