Botnet Defense
From MilcordWiki
(Redirected from Solutions:Botnet)
| Botnet Defense
| |
|---|---|
| Mission | Provide real-time botnet intelligence situation awareness to the enterprise while contributing to the botnet community knowledge base to enhance DHS cyber security mission |
| Sponsor |  DHS Cyber Security R&D Center
|
Overview
Our botnet defense solution is the Botnet Analytics (BNA) appliance that leverages botnet intelligence contextual knowledge and integrates with Security Event Management platforms.
Need
- 20 Million PCs infected with bots – 250,000 more infected each day (Zombie Statistics)
- Botnets used for identity theft, spam, ad networks, pump and dump
- A compliance and national security risk in the government sector
- A brand damage, financial loss, and legal risk in the commercial sector
Approach
BNA includes indicators for measuring botnet behavior, mechanisms for capturing and analyzing packet content to detect bot commands, blacklist interfaces, and a set of Belief Networks that fuse network indicators, DNS data, and bot commands in order to detect and classify botnet behavior. Our results have shown the feasibility of learning and predicting botnet behavior at the network level, and blacklist membership in DNS queries.
- Monitor Web information repositories to develop current context of worldwide botnet activity
- Use the context to detect botnets by their behavior at the network traffic level
- Employ machine learning based information fusion algorithms for context and behavior modeling
- Mitigate by leveraging existing enterprise IS infrastructure components
Benefits
- Risk Aversion: Limits exposure to liability associated with identity theft
- Performance: Preliminary tests demonstrate 90% accuracy in predicting botnet membership
- Adaptability: Machine learning enables rapid adaptation to new threat signatures
Applications
- Enterprise: Integrates into Security Event Management platforms to provide Botnet detection and mitigation services
- ISP: Integrates into ISP cybersecurity infrastructure to detect zombies
- Competitive Advantages:
- Unlike services that monitor blacklists, BNA finds botnet IPs that should belong on these lists
- BNA enables IS staff to be a problem solver instead of data collection for botnet information, and fusion of multiple botnet indicators
References
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) “A Bayesian Activity Monitor for Botnet Defense”, 2007 Monterey Homeland Security Conference, Monterey, CA August 2007.
