Botnet Forensics – An Introduction
A botnet is a network of compromised computers controlled by a malicious operator known as a botmaster or botherder. The botherder pushes malware to vulnerable users' computers; the payload is a malicious application (the bot) that connects back to a command and control (C&C) server. Spammers and other customers purchase services from the botherder, who then issues updated commands to the bots. Botnet forensics deals with the post-mortem investigation of botnet attacks and the vulnerabilities they exploit. It is of great importance today, since it helps an organization detect and prevent attacks coming from both outside and inside its network.
In this article, we will cover the following topics:
- What is Botnet Forensics?
- Classification of Botnet Forensics.
- Botnet Forensics Framework.
- Challenges in Botnet Forensics.
Let’s get started and cover each of these sections in detail.
What is Botnet Forensics?
Botnet forensics is the discipline that determines the scope of a breach and applies a methodology to find out the type of infection. It is the investigation of botnet attacks and comprises activities such as collection, identification, detection, acquisition, and attribution. Its prime objective is to measure the level of intrusion, investigate it, and provide the information needed to recover from it, thereby strengthening system security. The information obtained from botnet forensics can be used to:
- Strengthen security tools.
- Understand the attacker's modus operandi.
- Prevent potential future threats to network security.
Botnet forensics not only supports network security but also facilitates law enforcement.
Classification of Botnet Forensics Systems
Broadly, research in the area of botnet forensics can be classified into the following categories –
Payload Based Classification:
Here packets are classified on the basis of fields in the payload. Payload classification techniques such as Deep Packet Inspection (DPI) use signature analysis to verify and classify traffic. Signature analysis can be of the following types –
Heuristic Analysis: Heuristic analysis monitors network traffic to identify suspicious behavior, and a bot is detected from the heuristic analysis of that behavior. Here suspicious network traffic behavior includes command and control traffic associated with a botmaster.
Behavioral Analysis: Behavioral analysis and heuristic analysis go hand in hand, and several antivirus products use both techniques to identify viruses and infections.
Pattern Analysis: Applications leave characteristic patterns in the payload of their packets, which can be used to identify the protocol. The pattern may occur at any position in the packet, so a matcher must scan the whole payload rather than only its start.
Numerical Analysis: This takes into account numerical characteristics of the packets, such as payload size and the number of response packets.
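As an added example (not code from the original article), the following Python combines the pattern and numerical analyses described above over a handful of constructed packets: the signature set is a hypothetical one built from IRC protocol verbs (NICK, JOIN, PRIVMSG), the packets and flow labels are constructed rather than captured, and the thresholds in the final heuristic are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample packets for three flows (not real captures). Each entry is
# (flow_id, direction, payload); direction "req" = client -> server, "rsp" = server -> client.
PACKETS = [
    ("flow-a", "req", b"NICK bot-4f21\r\nUSER x 0 * :x\r\n"),
    ("flow-a", "rsp", b":irc.example 001 bot-4f21 :Welcome\r\n"),
    ("flow-a", "req", b"JOIN #chan\r\n"),
    ("flow-a", "rsp", b":herder!u@h PRIVMSG #chan :update now\r\n"),
    ("flow-b", "req", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("flow-b", "rsp", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # An IRC verb buried mid-payload inside otherwise opaque bytes.
    ("flow-c", "req", b"\x00\x01" + b"A" * 40 + b"PRIVMSG #x :ping" + b"\x00" * 10),
    ("flow-c", "rsp", b"\x00\x01" + b"B" * 40),
]

# Hypothetical signature set (an assumption of this example) built from IRC verbs.
# re.search scans the whole payload, so a hit at any offset counts.
SIGNATURES = {
    "irc-nick": re.compile(rb"NICK\s+\S+"),
    "irc-join": re.compile(rb"JOIN\s+#\S+"),
    "irc-privmsg": re.compile(rb"PRIVMSG\s+\S+\s+:"),
}


def match_signatures(payload: bytes) -> set:
    """Pattern analysis: names of all signatures found anywhere in the payload."""
    return {name for name, rx in SIGNATURES.items() if rx.search(payload)}


def flow_features(packets):
    """Numerical analysis: aggregate per-flow payload sizes, packet counts and signature hits."""
    acc = defaultdict(lambda: {"sizes": [], "requests": 0, "responses": 0, "sigs": set()})
    for flow_id, direction, payload in packets:
        f = acc[flow_id]
        f["sizes"].append(len(payload))
        f["responses" if direction == "rsp" else "requests"] += 1
        f["sigs"] |= match_signatures(payload)
    return {
        flow_id: {
            "mean_payload": statistics.mean(f["sizes"]),
            "requests": f["requests"],
            "responses": f["responses"],
            "signatures": sorted(f["sigs"]),
        }
        for flow_id, f in acc.items()
    }


def classify_flow(feat) -> str:
    """Heuristic combining signature and numerical evidence. Thresholds are assumptions."""
    sigs = set(feat["signatures"])
    # Full IRC session setup plus channel traffic, with short payloads: treat as IRC C2.
    if {"irc-nick", "irc-join", "irc-privmsg"} <= sigs and feat["mean_payload"] < 128:
        return "irc-c2"
    if sigs:
        return "irc-like"  # partial evidence: worth a closer look, not a verdict
    return "unknown"


def classify_all(packets):
    return {flow_id: classify_flow(feat) for flow_id, feat in flow_features(packets).items()}


if __name__ == "__main__":
    for flow_id, feat in flow_features(PACKETS).items():
        print(flow_id, classify_flow(feat), feat)
```

flow-c illustrates the point about position: the PRIVMSG verb sits forty bytes into a binary blob, so an anchored match on the first bytes of the packet would miss it, while a full-payload search still finds it and the flow gets flagged for a closer look rather than being labelled C2 outright.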
Signature Based Classification:
The main objective here is to detect, investigate the nature of, and characterize the bit strings present in a given payload. This classification method was applied to free zone, a free network service operated by the City of Fredericton.
Decision-Tree Based Classification:
In this method a decision tree is built as the data is recursively split into smaller subsets. The outcome is presented as a tree consisting of decision nodes and leaf nodes. It is well suited to classification when dealing with unknown traffic.
Rokach et al. divided ensemble methods into dependent and independent methods. In the dependent family the best-known instance is boosting, also described as resampling and combining, which is used to improve the performance of weak classifiers on distributed training data. AdaBoost is a well-known ensemble algorithm that improves on the simple boosting algorithm through an iterative reweighting process. Well-known independent methods are Bagging and Wagging.
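As an added example, and not code from the article or from Rokach et al., the following Python implements AdaBoost over decision stumps (one-level decision trees) on a small set of constructed per-flow feature vectors. The two features, their values and the bot/benign labels are assumptions chosen so that no single stump separates the classes, which is exactly the situation boosting is meant for.

```python
import math

# Constructed per-flow feature vectors (not measured data). Assumed features:
# (mean payload size in bytes / 10, response packets per request). Labels: +1 = bot, -1 = benign.
FLOWS = [(1, 1), (2, 2), (3, 2), (4, 11), (9, 3), (10, 12)]
LABELS = [1, 1, -1, -1, 1, -1]


def stump_predict(stump, x):
    """A decision stump is a one-level decision tree: (feature, threshold, polarity)."""
    feature, threshold, polarity = stump
    return polarity if x[feature] <= threshold else -polarity


def best_stump(X, y, w):
    """Exhaustively pick the stump with the lowest weighted error under the current sample weights."""
    best_err, best = None, None
    for feature in range(len(X[0])):
        values = sorted({x[feature] for x in X})
        for lo, hi in zip(values, values[1:]):
            threshold = (lo + hi) / 2  # candidate splits sit between observed values
            for polarity in (1, -1):
                stump = (feature, threshold, polarity)
                err = sum(wi for xi, yi, wi in zip(X, y, w) if stump_predict(stump, xi) != yi)
                if best_err is None or err < best_err:
                    best_err, best = err, stump
    return best_err, best


def train_adaboost(X, y, rounds=3):
    """AdaBoost: after each round, reweight samples toward those the chosen stump got wrong."""
    n = len(X)
    w = [1.0 / n] * n
    ensemble = []
    for _ in range(rounds):
        err, stump = best_stump(X, y, w)
        err = min(max(err, 1e-10), 1 - 1e-10)  # avoid log(0) when a stump is perfect
        alpha = 0.5 * math.log((1 - err) / err)  # vote weight of this stump
        ensemble.append((alpha, stump))
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, xi)) for xi, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return ensemble


def predict(ensemble, x):
    """Weighted majority vote of the stumps."""
    score = sum(alpha * stump_predict(stump, x) for alpha, stump in ensemble)
    return 1 if score >= 0 else -1


def accuracy(ensemble, X, y):
    return sum(predict(ensemble, xi) == yi for xi, yi in zip(X, y)) / len(y)


if __name__ == "__main__":
    model = train_adaboost(FLOWS, LABELS)
    for alpha, (f, t, p) in model:
        print(f"vote weight {alpha:.3f}: feature[{f}] <= {t} -> {p:+d}")
    print("training accuracy:", accuracy(model, FLOWS, LABELS))
```

With one round the model is just the best single stump and misclassifies one of the six constructed flows; after three rounds the weighted vote of three different stumps classifies all of them correctly. On real traffic the feature vectors would come from the numerical analysis of each flow, and the model should be validated on flows it was not trained on.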
Botnet Forensics Framework
In this section, we are discussing a generic framework for Botnet forensics based on the existing models and research.
The Botnet Forensic Framework comprises 5 stages –
1. Malware:
This is the first phase of the Botnet Forensics Framework. It covers propagation, infection, communication, and attack, which are the stages a bot goes through. IRC is the most common and widely used C&C channel. This phase establishes whether the malware is a bot or some other kind of malware.
2. Botnet Forensic Investigator:
This is the second phase of the Botnet Forensics Framework. This phase focuses on –
- Identifying whether the system is compromised or infected.
- If the system is compromised, determining whether it is a bot attack or some other type of attack.
- Locating the bot through traffic reconnaissance, attribution, automotive passive analysis, and malware samples.
3. Botnet Forensic Analyzer:
This is the third phase in the Botnet Forensics Framework. This phase includes –
- Analyzing the results generated by the identifier phase (the Botnet Forensic Investigator).
- Searching for evidence that supports a criminal investigation.
- If the identifier confirms malware, the analyzer determines what type of malware it is and where the infection is.
- It extracts clues from the collected information and forwards all details to the Botnet Evidence phase.
- This phase includes stages such as analysis, investigation, examination, collection, and preservation.
4. Botnet Evidence:
This is the fourth phase of the Botnet Forensics Framework. This stage collects all the information from the previous stages and forwards it to the Incident Action phase.
5. Incident Action:
This is the last phase of the Botnet Forensics Framework. It involves three activities, containment, eradication, and recovery, carried out as follows –
- Having gathered all the information and gained an understanding of the incident, the IR team begins to contain the threat.
- Eradication includes taking actions to remove the threat and prevent further damage.
- Once the threat is resolved, the recovery step restores systems to normal functionality by tightening network security, rebuilding systems, and replacing compromised files.
Challenges in Botnet Forensics
There are limitations in the different phases of botnet forensics. We highlight the gap in each phase.
1. Collection Phase –
There should be an effective mechanism to identify attack features from packet captures and to capture bot traffic in real time as it crosses a high-speed network.
2. Identification Phase –
This phase has the following limitations:
- Attacks need to be identified as they occur in order to trigger the forensic process.
- Identification of the type of attack should be possible in real time.
- There should be an efficient technique to identify centralized botnets.
- Malicious network events must be identified.
3. Analysis Phase –
This phase has some limitations like:
- The deep analysis of IRC traffic is still a challenge.
- Machine learning techniques are required to improve the detection algorithms.
- Flow detection is hard for P2P botnet traffic such as Waledac.
- Information must be gathered from multiple hosts on the compromised network for reconnaissance.
- Attack information and alerts must be drawn from a combination of security sensors, since no single security tool gives comprehensive alert information.
Botnet forensics covers both proactive and reactive investigation of botnets. This article, however, is based on prior research into reactive investigation, and has focused on the classifications of botnet forensics, its framework, and its challenges.