This document describes BotMiner, a framework for detecting botnets through analysis of network traffic in a monitored network. BotMiner aims to be protocol- and structure-independent by focusing on the intrinsic communication and activity characteristics of botnets. It clusters similar communication and malicious activity patterns to identify hosts that likely belong to the same botnet. BotMiner monitors traffic for the C-plane (command and control communication) and A-plane (malicious activity). It clusters flows in each plane and performs cross-cluster correlation to detect bots by finding hosts that share patterns in both planes. The goal is to generate low false positives/negatives while requiring reasonable computational resources.
INTRODUCTION:
Botnets are becoming one of the most serious threats to Internet security. A botnet is a network of compromised machines under the influence of malware (bot) code. The botnet is commandeered by a “botmaster” and utilized as a “resource” or “platform” for attacks such as distributed denial-of-service (DDoS) attacks, and for fraudulent activities such as spam, phishing, identity theft, and information exfiltration.
In order for a botmaster to command a botnet, there
needs to be a command and control (C&C) channel through which bots receive
commands and coordinate attacks and fraudulent activities.
The C&C channel is the means by which individual bots
form a botnet.
Centralized C&C structures using the Internet Relay Chat (IRC) protocol have been utilized by botmasters for a long time.
Therefore, we need to develop a next-generation botnet detection system, which should be independent of the C&C protocol, structure, and infection model of botnets, and be resilient to changes of C&C server addresses.
In addition, it should require no a priori knowledge of specific botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses).
In order to design such a general detection system that
can resist evolution and changes in botnet C&C techniques, we need to study the
intrinsic botnet communication and activity characteristics that remain detectable
with the proper detection features.
We thus start with the definition and essential properties of a botnet. We define a botnet as:
“A coordinated group of malware instances that are controlled via C&C channels”.
If the botmaster commands each bot individually with a different command/channel, the bots are nothing but isolated/unrelated infections. That is, they do not function as a botnet according to our definition and are out of the scope of this work.
ABOUT THE PROJECT:
We propose a general detection framework that is
based on these essential properties of botnets. This framework monitors both who is
talking to whom that may suggest C&C communication activities and who is
doing what that may suggest malicious activities, and finds a coordinated group pattern
in both kinds of activities.
More specifically, our detection framework clusters
similar communication activities in the C-plane (C&C communication traffic), clusters
similar malicious activities in the A-plane (activity traffic), and performs cross
cluster correlation to identify the hosts that share both similar communication patterns
and similar malicious activity patterns.
These hosts, according to the botnet
definition and properties discussed above, are bots in the monitored network.
OBJECTIVE:
The objective of BotMiner is to detect groups of compromised machines
within a monitored network that are part of a botnet.
We do so by passively analyzing network traffic in the monitored network.
THE DETECTION APPROACH MEETS SEVERAL GOALS:
It is independent of the protocol and structure used for communicating with
the botmaster, and is resistant to changes in the location of the C&C server(s).
It is independent of the content of the C&C communication. That is, we do not inspect the content of the C&C communication itself, because C&C could be encrypted or use a customized (obscure) protocol.
It generates a low number of false positives and false negatives.
The analysis of network traffic employs a reasonable amount of resources and time, making detection relatively efficient.
EXISTING SYSTEM:
Botnets are now the key platform for many Internet
attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing.
Most of the current botnet detection approaches work only
on specific botnet command and control (C&C) protocols (e.g., IRC) and structures
(e.g., centralized), and can become ineffective as botnets change their C&C techniques.
PROPOSED SYSTEM:
In this project, we present a general detection framework
that is independent of botnet C&C protocol and structure, and requires no a priori
knowledge of botnets (such as captured bot binaries and hence the botnet signatures,
and C&C server names/addresses). We start from the definition and essential properties
of botnets. We define a botnet as a coordinated group of malware instances that are
controlled via C&C communication channels.
LOADING SCREEN:
* This module simply displays the project title for a set time while the project loads.
LOGIN SCREEN:
* This module is used to enter the user name and password. It has a Username field and a Password field.
* We have to enter the username and password.
* Then select the login button. If the credentials are right, the application proceeds to the next screen.
* Otherwise it displays a message asking for the correct username and password.
A-PLANE MONITOR:
The A-Plane Monitor logs information on who is doing what. It analyzes the outbound traffic through the monitored network and is capable of detecting several malicious activities that the internal hosts may perform.
The malicious activities detected include:
* Spam
* Task Report
* SPAM:
* If anyone sends bulk messages, they are stored in a Spam folder; such messages are also referred to as unwanted messages.
* To stop that kind of activity we split the message into packets.
* It checks the header, body and content.
* TASK REPORT:
* It generates a report of the task list performed by other nodes on the network.
C-PLANE MONITOR:
* It retrieves the type of message transferred and finds the protocol used for communication.
A-PLANE CLUSTERING:
* For spam activity clustering, because there are very few hosts that show spamming activities in our monitored network, we simply cluster hosts together if they perform spamming.
C-PLANE CLUSTERING:
C-plane clustering is responsible for reading the logs
generated by the C-plane monitor and finding clusters of machines that share similar
communication patterns.
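The two clustering steps and the cross-cluster correlation described above, as an added example that is not part of the original project: flows are aggregated into C-flows keyed by (source, destination, port, protocol), clustered on (flows per hour, mean bytes per flow), spamming hosts form the single A-cluster the page describes, and a host is flagged only when it shares both a C-cluster and an A-cluster with at least one other host. The flow log, spam log, threshold and the simplified group test (rather than the paper's weighted score) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed C-plane flow log for one hour: (src, dst, dst_port, proto, bytes).
FLOWS = [(h, "203.0.113.5", 6667, "tcp", b)  # three hosts talking to one IRC-like server
         for h in ("10.0.0.1", "10.0.0.2", "10.0.0.4") for b in (118, 120, 122)]
FLOWS.append(("10.0.0.3", "198.51.100.9", 443, "tcp", 4800))  # ordinary web client
# Constructed A-plane log: hosts the A-plane monitor observed sending spam.
SPAMMERS = {"10.0.0.1", "10.0.0.2", "10.0.0.5"}

def cflow_features(flows):
    """Aggregate flows into C-flows keyed by (src, dst, port, proto).
    Feature vector per C-flow: (flows per hour, mean bytes per flow)."""
    groups = defaultdict(list)
    for src, dst, port, proto, nbytes in flows:
        groups[(src, dst, port, proto)].append(nbytes)
    return {k: (len(v), sum(v) / len(v)) for k, v in groups.items()}

def cluster_cplane(features, max_dist=5.0):
    """Greedy threshold clustering of C-flow feature vectors; returns host sets."""
    clusters = []  # list of (centroid, hosts)
    for (src, *_), vec in features.items():
        for centroid, hosts in clusters:
            if sum((a - b) ** 2 for a, b in zip(vec, centroid)) ** 0.5 <= max_dist:
                hosts.add(src)
                break
        else:
            clusters.append((vec, {src}))
    return [hosts for _, hosts in clusters]

def cluster_aplane(spammers):
    """The page's rule: every host seen spamming joins one A-cluster."""
    return [set(spammers)] if spammers else []

def cross_correlate(c_clusters, a_clusters):
    """Flag hosts sharing BOTH a C-cluster and an A-cluster with another host.
    Simplified group test (assumption), not the original paper's weighted score."""
    bots = set()
    for c in c_clusters:
        for a in a_clusters:
            both = c & a
            if len(both) >= 2:  # a lone host is an isolated infection, not a botnet
                bots |= both
    return bots

def detect(flows, spammers):
    return cross_correlate(cluster_cplane(cflow_features(flows)), cluster_aplane(spammers))
```

Host 10.0.0.4 shares the C-cluster but was never seen spamming, and 10.0.0.5 spams but has no matching C-flows, so only 10.0.0.1 and 10.0.0.2 are reported.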
ACTIVITY DIAGRAM:
[Activity diagram: Traffic Monitoring -> Sending the Spam -> Receiving by Botnet -> Attack the near node -> Detect the content. Correct content is saved in Inbox; incorrect content is saved in Spam; the result shows who is the Bot Master and who is the Bot Net.]
USE CASE DIAGRAM:
[Use case diagram: Sending the Content -> Receiving the content -> Traffic -> Forwarding to the next node which is going to be attacked by the botnet -> Checking the content. If the content is good it is saved in Inbox, otherwise it is saved in Spam; the system displays who is the bot master and which is the botnet.]
SYSTEM REQUIREMENTS:
Software:
• Client : Windows Client
• Software : JAVA
Hardware:
• Memory : 128MB RAM or above
• Secondary Storage : 40 GB HDD or above
• FLOPPY DISK : .44 MB or above
• Display unit : Color Monitor and other suitable accessories
• Processor : PIII or above
SOFTWARE FEATURES:
Simple:
Java was designed to be easy for the professional programmer to
learn and use effectively. Java has another attribute that makes it easy to learn. It makes
an effort not to have surprising features.
Object-Oriented:
Although influenced by its predecessors, Java was not designed to be source-code compatible with any other language. This allowed the Java team the freedom to design with a blank slate.
Robust:
The multiplatform environment of the Web places extraordinary demands on a program, because the program must execute reliably in a variety of systems. Thus the ability to create robust programs was given a high priority in the design of Java.
Multithreaded:
Java was designed to meet the real-world requirement of creating interactive, networked programs. To accomplish this, Java supports multithreaded programming, which allows you to write programs that do many things simultaneously.
Architectural-Neutral:
A central issue for the designers was that of code longevity and portability. One of the main problems facing programmers is that no guarantee exists that if you write a program today, it will run tomorrow, even on the same machine.
Interpreted and High Performance:
Java enables the creation of cross-platform programs by compiling
into an intermediate representation called java bytecode. This code can be interpreted
on any system that provides a Java Virtual Machine.
Distributed:
Java is designed for the distributed environment of the Internet, because it handles TCP/IP protocols. In fact, accessing a resource using a URL is not much different from accessing a file. The original version of Java (Oak) included features for intra-address-space messaging. For example: RMI.
Dynamic:
Java programs carry with them substantial amounts of run-time type
information that is used to verify and resolve accesses to objects at run time. This
makes it possible to dynamically link code in a safe and expedient manner.
FUTURE SCOPE:
In the future, botnets (especially P2P botnets) may utilize evasion techniques to avoid detection, as discussed in Section 4. In our future work, we will study new techniques to monitor/cluster communication and activity patterns of botnets, and these techniques are intended to be more robust to evasion attempts.
In addition, we plan to further improve the efficiency of the
C-flow converting and clustering algorithms, combine different correlation techniques
(e.g., vertical correlation and horizontal correlation), and develop new real-time
detection systems based on a layered design using sampling techniques to work in very
high speed and very large network environments.