Botnet Defense
From MilcordWiki
| Botnet Defense | |
|---|---|
| Mission | Provide real-time botnet intelligence situation awareness to the enterprise while contributing to the botnet community knowledge base to enhance DHS cyber security mission |
| Sponsor | |
Overview
Our botnet defense solution detects and classifies fast flux service networks (FFSNs) in real time. An FFSN hides the servers behind a spam, phishing or malware-delivery site by pointing a single domain name at a rapidly changing set of compromised machines (zombies) that proxy traffic to the real backend; the operator keeps the DNS records changing, with very short TTLs, so that blocking any one IP address has little effect.
Need
- 20 Million PCs infected with bots – 250,000 more infected each day (Zombie Statistics)
- Botnets used for identity theft, spam, ad networks, pump and dump, malware distribution, DDoS
- A compliance and national security risk in the government sector
- A brand damage, financial loss, and legal risk in the commercial sector
Approach
Our botnet defense solution is a web service that detects and classifies fast flux service networks using both active and passive DNS monitoring. In addition, our approach differentiates and classifies all three fast-flux variants: single-flux (rotating the A records of the domain), name server flux (rotating the NS records) and double-flux (rotating both). The primary components of our botnet defense solution include:
- sensors that perform real-time detection of FF service networks, using behavioral analysis of several DNS indicators
- a database of known FF service networks: the zombie IPs used for flux domains and their nameservers
- analytical knowledge harvested from that database
The active sensors include the Fast Flux Activity Index, the Footprint Index, Time To Live (TTL), the Guilt by Association Index, and others. The Activity Index captures how aggressively the domain's DNS information changes between successive lookups. The Footprint Index captures the global dispersion of the fast flux service network, that is, how widely its IP addresses are spread across networks. The TTL sensor captures the low TTL values that fast flux service networks set so that stale records expire quickly. The Guilt by Association sensor checks whether any of the current IP addresses of a domain have previously been associated with another fast flux domain. A Bayesian classifier fuses the multiple active and passive DNS sensors into a single verdict.
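The following is an added illustration of how indicator sensors of this kind can be computed from repeated DNS lookups and fused with a naive Bayesian classifier. It is example code written for this page, not Milcord's implementation: the index definitions, thresholds, prior and likelihood table are assumptions chosen for the illustration (a production system would learn the likelihoods from labeled domains), and the lookups, IP-to-ASN map and known fast flux IP set are constructed sample data. It also covers the main false-positive case a practitioner worries about, a CDN-style domain that rotates IPs with low TTLs but stays inside one ASN.

```python
"""Toy fast-flux sensors and naive-Bayes fusion over repeated DNS lookups.

Example code for illustration only; not the Milcord web service.
"""
import math
from statistics import median

# Constructed IP -> ASN map (a real sensor would query a BGP/whois source).
IP_ASN = {
    "198.51.100.7": 64501, "198.51.100.9": 64501,
    "203.0.113.20": 64502, "203.0.113.91": 64502,
    "192.0.2.44": 64503, "192.0.2.45": 64504, "192.0.2.46": 64505,
    "203.0.113.200": 64510, "203.0.113.201": 64510, "203.0.113.202": 64510,
    "192.0.2.100": 64520,
}

# Constructed "database of known FF service networks" for guilt by association.
KNOWN_FF_IPS = {"203.0.113.91"}

# Constructed lookup histories: t = seconds since first lookup, ips = A records.
SUSPECT = [  # IPs churn across five ASNs, short TTL, one IP already known bad
    {"t": 0,    "ips": ("198.51.100.7", "203.0.113.20", "192.0.2.44"), "ttl": 180},
    {"t": 300,  "ips": ("198.51.100.7", "203.0.113.91", "192.0.2.44"), "ttl": 180},
    {"t": 600,  "ips": ("198.51.100.9", "203.0.113.91", "192.0.2.45"), "ttl": 120},
    {"t": 900,  "ips": ("198.51.100.9", "203.0.113.91", "192.0.2.45"), "ttl": 120},
    {"t": 1200, "ips": ("192.0.2.46", "203.0.113.20", "198.51.100.7"), "ttl": 180},
    {"t": 1500, "ips": ("192.0.2.46", "203.0.113.91", "198.51.100.9"), "ttl": 180},
]
CDN_LIKE = [  # rotates IPs with a low TTL, but every IP sits in a single ASN
    {"t": 0,   "ips": ("203.0.113.200", "203.0.113.201"), "ttl": 60},
    {"t": 120, "ips": ("203.0.113.201", "203.0.113.202"), "ttl": 60},
    {"t": 240, "ips": ("203.0.113.200", "203.0.113.202"), "ttl": 60},
    {"t": 360, "ips": ("203.0.113.202", "203.0.113.201"), "ttl": 60},
]
BENIGN = [  # static record, long TTL
    {"t": 0,     "ips": ("192.0.2.100",), "ttl": 3600},
    {"t": 3600,  "ips": ("192.0.2.100",), "ttl": 3600},
    {"t": 7200,  "ips": ("192.0.2.100",), "ttl": 3600},
    {"t": 10800, "ips": ("192.0.2.100",), "ttl": 3600},
]

# Assumed classifier parameters: P(FF) and, per feature, (P(f|FF), P(f|benign)).
PRIOR_FF = 0.05
LIKELIHOOD = {
    "high_activity":  (0.90, 0.05),
    "low_ttl":        (0.85, 0.30),
    "wide_footprint": (0.80, 0.10),
    "guilty":         (0.60, 0.02),
}


def activity_index(lookups):
    """Fraction of consecutive lookups whose A-record set changed (0 if < 2 lookups)."""
    if len(lookups) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(lookups, lookups[1:])
                  if set(a["ips"]) != set(b["ips"]))
    return changes / (len(lookups) - 1)


def footprint(lookups, ip_asn):
    """Number of distinct ASNs across every IP ever returned for the domain."""
    return len({ip_asn[ip] for lk in lookups for ip in lk["ips"]})


def median_ttl(lookups):
    return median(lk["ttl"] for lk in lookups)


def guilty_ips(lookups, known_ff_ips):
    """IPs of this domain that already appear in the known fast flux database."""
    return {ip for lk in lookups for ip in lk["ips"]} & set(known_ff_ips)


def features(lookups, ip_asn, known_ff_ips):
    """Binarise the sensors with assumed thresholds for the naive-Bayes fusion."""
    return {
        "high_activity":  activity_index(lookups) >= 0.5,
        "low_ttl":        median_ttl(lookups) <= 300,
        "wide_footprint": footprint(lookups, ip_asn) >= 3,
        "guilty":         bool(guilty_ips(lookups, known_ff_ips)),
    }


def fuse(feats, prior=PRIOR_FF, likelihoods=LIKELIHOOD):
    """Naive Bayes in log-odds form; returns P(FF | observed features)."""
    log_odds = math.log(prior / (1 - prior))
    for name, present in feats.items():
        p_ff, p_benign = likelihoods[name]
        if present:
            log_odds += math.log(p_ff / p_benign)
        else:
            log_odds += math.log((1 - p_ff) / (1 - p_benign))
    return 1 / (1 + math.exp(-log_odds))


def score(lookups, ip_asn=IP_ASN, known_ff_ips=KNOWN_FF_IPS):
    return fuse(features(lookups, ip_asn, known_ff_ips))


if __name__ == "__main__":
    for name, hist in (("suspect", SUSPECT), ("cdn-like", CDN_LIKE), ("benign", BENIGN)):
        print(f"{name:9s} features={features(hist, IP_ASN, KNOWN_FF_IPS)} "
              f"P(FF)={score(hist):.3f}")
```

Activity and TTL alone would flag the CDN-style history; it is the footprint (one ASN) and the absence of a known-bad IP that pull its posterior back below the decision point, which is the reason for fusing several sensors rather than alerting on any one of them.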
Detailed reports for domains and nameservers cover both current and historical behavior. Analytical reports include size and growth-rate estimates for a fast flux service network, its social network, and its footprint within a given ASN, ISP or country.
Benefits
- Risk Aversion: Limits exposure to liability associated with identity theft
- Performance: 97% accuracy in detecting fast flux domains
- Adaptability: Real-time detection discovers new fast flux domains as soon as they become active
Applications
- Enterprise: Checks outbound traffic to detect visits to malicious sites
- ISP: Tracks consumer machines recruited as zombies by fast flux service networks
- Threat Intelligence Services: Detects client domains used in phishing scams for brand protection
- Registrars: Provides evidence for malicious behavior of hosted domains
- Law Enforcement: Furnishes solid evidence for prosecution
Test Drive
- Want to evaluate our botnet defense web service? Please contact for more information.
References
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) "Real Time Detection of Fast Flux Service Networks", Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH 2009), Washington, DC, March 3-4, 2009 (presentation).
- Buxbaum, P. A. (2008) "Battling Botnets", Military Information Technology, Vol. 12, No. 7.
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) "A Bayesian Activity Monitor for Botnet Defense", 2007 Monterey Homeland Security Conference, Monterey, CA, August 2007.