Internet security: botnet detection on a campus network using a historical perspective
thesis
posted on 2017-12-06, 00:00, authored by M Kennedy
This research aims to improve internet security. Specifically, it aims to improve enterprise defences against botnets.
A botnet is a collection of computer resources that can be remotely instructed to perform actions, often without the host computer user’s knowledge or consent. These controlled computers are known as bots. Botnets are considered a major security threat on the internet. Botnets have been used to probe every internet address, collecting terabytes of data while apparently remaining undetected. Botnets are a major source of spam and a major threat to the internet banking industry. Botnets can be used to exhaust the resources of targeted computing systems, making those systems unavailable to legitimate users. Botnets can also be used in targeted attacks with the aim of collecting secrets.
Botnets can use a number of techniques, including per-instance mutation, selective infection, encryption, rootkits and sophisticated architecture, to avoid detection. Up-to-date antivirus software provides limited protection. Many detection techniques require signatures generated from samples collected by some other method, such as honeypots. Bots may be programmed to remove all traces of their activity once their task is completed.
My objective was to determine if undetected botnets exist on a well-managed university network. I was dubious of the reports produced by the computer security industry. However, it is completely plausible that botnets can exist on a well-managed computer network. So the problem is: how to find botnets that have evaded real-time detection and are unknown to the anti-malware systems in place?
My idea was to collect historical data and examine it at a later date, thus giving the unknown botnets a chance to become known. Studying historical network activity can be useful in determining the extent of botnet activity. I collected over one terabyte of data consisting of a one-month trace of internet traffic from one campus subnet.
I used a number of different botnet detection techniques to examine the data and discovered limited botnet activity on the network.
The most successful feature used to identify botnet activity was the destination address, using blacklists. I found that using IP addresses alone to identify hosts was not reliable. I suggest that monitoring for abnormal DNS traffic may be a useful early warning indicator. Monitoring DHCP abnormalities may point to high-risk systems. There is no effective way of detecting all botnet activity. It is far easier to devise evasion techniques than it is to implement detection methods. Improving virus detection would also be very useful.
This work was conducted completely independently from the network administrators.
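Two of the signals the findings above point to, destinations matching a blacklist and abnormal DNS behaviour, applied retrospectively to a stored flow trace. This is an added example, not the thesis's own code; the flow records, the blocklist and the thresholds are all constructed assumptions for illustration.

```python
"""Retrospective botnet indicators over a stored traffic trace (added example).

Applies two signals to constructed flow records: destinations that match a
blocklist, and hosts whose DNS lookups fail abnormally often.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed blocklist using an RFC 5737 documentation range (assumption).
BLOCKLIST = [ip_network("203.0.113.0/24")]

# Constructed flow records: (timestamp, src, dst, dst_port, proto, dns_rcode).
# dns_rcode is None for non-DNS flows.
FLOWS = [
    # 10.0.5.10: six lookups, five of them NXDOMAIN (a DGA-like pattern)
    *[(f"2016-03-01T09:00:{i:02d}", "10.0.5.10", "10.0.0.53", 53, "udp", "NXDOMAIN")
      for i in range(5)],
    ("2016-03-01T09:00:05", "10.0.5.10", "10.0.0.53", 53, "udp", "NOERROR"),
    # 10.0.5.11: ordinary browsing, all lookups succeed
    *[(f"2016-03-01T09:01:{i:02d}", "10.0.5.11", "10.0.0.53", 53, "udp", "NOERROR")
      for i in range(6)],
    ("2016-03-01T09:01:07", "10.0.5.11", "198.51.100.4", 443, "tcp", None),
    # 10.0.5.12: one TLS connection to a blocklisted destination
    ("2016-03-01T09:02:00", "10.0.5.12", "203.0.113.7", 443, "tcp", None),
]


def blocklisted_destinations(flows, blocklist):
    """Map each source host to the blocklisted destinations it contacted."""
    hits = defaultdict(set)
    for _ts, src, dst, _port, _proto, _rcode in flows:
        if any(ip_address(dst) in net for net in blocklist):
            hits[src].add(dst)
    return dict(hits)


def dns_anomalies(flows, min_queries=5, nx_ratio=0.6):
    """Flag hosts whose share of failed (NXDOMAIN) lookups is abnormally high.

    The thresholds are assumptions; a real baseline comes from the trace itself.
    """
    total, failed = defaultdict(int), defaultdict(int)
    for _ts, src, _dst, port, proto, rcode in flows:
        if port == 53 and proto == "udp":
            total[src] += 1
            failed[src] += rcode == "NXDOMAIN"
    return {h: round(failed[h] / total[h], 2) for h in total
            if total[h] >= min_queries and failed[h] / total[h] >= nx_ratio}
```

Because the trace is historical, the blocklist can be one published after the capture, which is the point of examining the data later.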