A HIERARCHICAL HYBRID STRUCTURE FOR BOTNET CONTROL AND COMMAND
ABSTRACT:
While “botnets” have become the root cause of many cyber attacks, most research has focused on detection and defence against botnet. There has not been extensive research focus on attack technology. In order to win the defense against future botnet attacks, it is important to study the design of potential botnets. In this paper, we present a hierarchical hybrid P2P botnet which is difficult to be monitored, hijacked, and shut down. In contrast with traditional P2P botnets, it has no bootstrap procedure and could defend against Sybil attack to some extent. In addition, a reconstruction scheme is proposed. Most important, the presented botnet is close to practical implementation. More attention should be paid to the defense against the proposed model.
EXISTING SYSTEM:
• Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources.
• A variety of detection tools exist such as Intrusion Detection systems (IDS) and firewalls, but the main problem is that they only react on reconfigured and therefore known attacks.
• In an existing system that will produce only the simulation result.
• There is no secured architecture for data sharing.
• Existing system can only run on single system.
Disadvantages of Existing System:
Ã’ Phatbot utilizes Gnutella cache servers for the bootstrap process.
É Easy to shut down or block
Ã’ Sinit removes the bootstrap procedure and uses random probing to find other bots.
É Poor connectivity
Ã’ Slapper does not implement command encryption and authentication.
É Easy to hijack
PROPOSED SYSTEM:
• In order to deal with these challenging and complex ideas on information sharing, we must consider one of the premier drivers that provide the infrastructure to achieve this notion of Core to Edge security to enable information sharing.
• Proposed system can note the IP address of Hackers and can identify what type of file they want to access and what password and key was given by hackers to access the file.
• This system can produce the real time result.
• We can run it on more than one system without changing, and can run in single system too.
• The primary purpose of a Honey net is to gather information about threats that exist. In the proposed system we does not use a real time Honey net, But uses a offline type of honey pot. Which just view the old collected data.
Advantages of Proposed System:
Ã’ Proposed a hybrid P2P botnet with the following features
É Two classes of bots – servent and client
É Command authentication and individualized encryption
É Limited-sized peer lists
É Dynamically changeable sensor for bots monitoring
É No bootstrap procedure
É Balanced and robust connectivity
Ã’ Analyzed several possible defences against this botnet
HARDWARE SPECIFICATION
The required hardware interfaces are LAN and a standard PC.
Processor Type : Pentium -IV
Speed : 2.4 GHZ
Ram : 128 MB RAM
Hard disk : 20 GB HD
SOFTWARE SPECIFICATION
A tool is used for capturing packets from network.
Operating system : Windows - XP
Tools : Eclipse
SDK : JDK.1.5.0
Database : MS-Access
MODULES
1. Key generation
2. Construct botnet (Proposed Secured System for Data Sharing)
3. Monitoring
MODULE DESCRIPTION:
1) Key generation:
Command Authentication
Compared with a C&C botnet, because bots in the proposed botnet do not receive commands from predefined places, it is especially important to implement a strong command authentication. A standard public-key authentication would be sufficient. A botmaster generates a pair of public/private keys, hKþ;K_i, and hard codes the public key Kþ into the bot program before releasing and building the botnet. There is no need for key distribution because the public key is hard-coded in bot program. Later, the command messages sent from the botmaster could be digitally signed by the private key K_ to ensure their authentication and integrity. This public-key-based authentication could also be readily deployed by current C&C botnets. So botnet hijacking is not a major issue.
Implementation of Individualized encryption key and service port
In the proposed botnet, each servent bot i randomly generates its symmetric encryption key Ki. Suppose the peer list on bot A is denoted by LA. It will not only contain the IP addresses of M servent bots, but also the symmetric keys used by these servent bots.
Thus, the peer list on bot A is:
LA = { (IPi1, Ki1), (IPi2, Ki2), ¼(IPiM, KiM)}
Where (IPij, Kij) are the IP address and symmetric key used by servent bot ij. With such a peer list design, each servent bot uses its own symmetric key for incoming connections from any other bot. This is applicable because if bot B connects to a servent bot A, bot B must have (IPA, KA) in its peer list.
This individualized encryption guarantees that if defenders capture one bot, they only obtain keys used by M servent bots in the captured bot's peer list. Thus the encryption among the remaining botnet will not be compromised.
2) DATA ENCRYPTION / DECRYPTION:
The Blow fish involves replacing each letter of the alphabet with the letter standing k places further down the alphabet.
Encryption: Blowfish is a Feistel network consisting of 16 rounds (see Figure 1). The input is a 64-bit data element, x.
Divide x into two 32-bit halves: xL, xRFor i = 1 to 16:xL = xL XOR PixR = F(xL) XOR xRSwap xL and xRSwap xL and xR (Undo the last swap.)xR = xR XOR P17xL = xL XOR P18Recombine xL and xRFunction F (see Figure 2):Divide xL into four eight-bit quarters: a, b, c, and dF(xL) = ((S1,a + S2,b mod 232) XOR S3,c) + S4,d mod 232Decryption It is exactly the same as encryption, except that P1, P2,..., P18 are used in the reverse order.
This algorithm used to encrypt the all the data before going to send to the user.
Using the private key k it is decrypted on the end user side. The user who knows the private key can only decrypt the data.
3) MONITORING:
Ã’ Botmasters need to know
É Bot ID (used to find NAT and DHCP)
É Bot population, connectivity, bandwidth, diurnal dynamics, …
É IP address types (DHCP ones can be used for spam)
Ã’ Challenges – monitoring should be easy for botmasters but difficult for defenders.
Ã’ Monitor via dynamically changeable sensors
É Each bot sends its information to one or some sensors after receiving the report command.
É A botmaster can change the role of sensors each time she issues the report command.
REFERENCE:
Zhigi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui, “A Hierachical Hybrid Structure for Botnet Control and Command”, IEEE Conference 2011.
