10-07-2012, 12:02 PM
Architecting a Secured Enterprise Data Sharing Environment to the Edge
INTRODUCTION
PROBLEM DEFINITION
In this scheme, Internet malware attacks such as DoS attacks are defended against. The attackers (usually called botmasters) use botnets to mount such attacks, but most current botnets have several weaknesses, so botmasters are expected to move to a hybrid peer-to-peer architecture. This project should defend against attacks launched from that proposed architecture.
Botmasters perform DoS attacks using botnets; this scheme uses the honeypot technique to defend against them. In the peer-to-peer architecture a bot forwards files only through its neighbours, so when redundant packets are forwarded to one system the honeypot blocks them from travelling further.
The attackers (botmasters) will use the hybrid peer-to-peer architecture to perform such attacks, so the system introduces the honeypot technique to defend against this kind of malware attack. In this way, malware attacks such as DoS attacks can be avoided using the honeypot.
The botnet communicates via the peer list contained in each bot. Each bot has a fixed, limited-size peer list and does not reveal its peer list to other bots. In this way, when a bot is captured by defenders, only the limited number of bots in its peer list are exposed.
LITERATURE SURVEY
1. Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds
Recent denial of service attacks are mounted by professionals using botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds.
2. Modeling Botnet Propagation Using Time Zones
Time zones play an important and unexplored role in malware epidemics. To understand how time and location affect malware spread dynamics, we studied botnets, or large coordinated collections of victim machines (zombies) controlled by attackers. Over a six month period we observed dozens of botnets representing millions of victims. We noted diurnal properties in botnet activity, which we suspect occurs because victims turn their computers off at night. Through binary analysis, we also confirmed that some botnets demonstrated a bias in infecting regional populations. Clearly, computers that are offline are not infectious, and any regional bias in infections will affect the overall growth of the botnet. We therefore created a diurnal propagation model. The model uses diurnal shaping functions to capture regional variations in online vulnerable populations. The diurnal model also lets one compare propagation rates for different botnets, and prioritize response. Because of variations in release times and diurnal shaping functions particular to an infection, botnets released later in time may actually surpass other botnets that have an advanced start. Since response times for malware outbreaks are now measured in hours, being able to predict short-term propagation dynamics lets us allocate resources more intelligently. We used empirical data from botnets to evaluate the analytical model.
3. Revealing Botnet Membership Using DNSBL Counter-Intelligence
Botnets, networks of (typically compromised) machines, are often used for nefarious activities (e.g., spam, click fraud, denial-of-service attacks, etc.). Identifying members of botnets could help stem these attacks, but passively detecting botnet membership (i.e., without disrupting the operation of the botnet) proves to be difficult. This paper studies the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership. We perform counter-intelligence based on the insight that botmasters themselves perform DNSBL lookups to determine whether their spamming bots are blacklisted. Using heuristics to identify which DNSBL lookups are perpetrated by a botmaster performing such reconnaissance, we are able to compile a list of likely bots. This paper studies the prevalence of DNSBL reconnaissance observed at a mirror of a well-known blacklist for a 45-day period, identifies the means by which botmasters are performing reconnaissance, and suggests the possibility of using counter-intelligence to discover likely bots. We find that bots are performing reconnaissance on behalf of other bots. Based on this finding, we suggest counter-intelligence techniques that may be useful for early bot detection.
4. An Algorithm for Anomaly-Based Botnet Detection
We present an anomaly-based algorithm for detecting IRC-based botnet meshes. The algorithm combines an IRC mesh detection component with a TCP scan detection heuristic called the TCP work weight. The IRC component produces two tuples, one for determining the IRC mesh based on IP channel names, and a sub-tuple which collects statistics (including the TCP work weight) on individual IRC hosts in channels. We sort the channels by the number of scanners producing a sorted list of potential botnets. This algorithm has been deployed in PSU’s DMZ for over a year and has proven effective in reducing the number of botnet clients.
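To make the channel-ranking step concrete, here is an added illustration (not code from the paper or from this project) of the detection logic described above: per-host TCP counters give each IRC host a work weight, hosts above a threshold count as scanners, and channels are sorted by how many scanners they contain. The work-weight formula (SYNs sent + FINs sent + RSTs received, divided by all TCP packets sent and received) is my recollection of the paper's definition, the 0.5 threshold and all host/channel data are constructed for the example.

```python
from collections import defaultdict

# Constructed sample counters (not real traffic): per-host TCP statistics for
# one sampling period. Hosts with many SYNs sent and many RSTs received
# relative to total traffic look like scanners.
TCP_STATS = {
    "10.0.0.5":  {"syn_sent": 480, "fin_sent": 20, "rst_recv": 350, "total": 900},
    "10.0.0.6":  {"syn_sent": 510, "fin_sent": 10, "rst_recv": 400, "total": 1000},
    "10.0.0.7":  {"syn_sent": 15,  "fin_sent": 14, "rst_recv": 2,   "total": 2400},
    "10.0.1.9":  {"syn_sent": 30,  "fin_sent": 28, "rst_recv": 1,   "total": 5000},
    "10.0.1.10": {"syn_sent": 600, "fin_sent": 5,  "rst_recv": 520, "total": 1200},
}

# Constructed IRC mesh tuple: channel name -> hosts observed joining it.
IRC_CHANNELS = {
    "#w0rm": ["10.0.0.5", "10.0.0.6", "10.0.0.7"],
    "#linux-help": ["10.0.0.7", "10.0.1.9"],
    "#x": ["10.0.1.10"],
}

SCAN_THRESHOLD = 0.5  # assumed cut-off; hosts at or above it are treated as scanners


def work_weight(s):
    """TCP work weight as I recall it from the paper: (Ss + Fs + Rr) / Tsr."""
    if s["total"] == 0:
        return 0.0
    return (s["syn_sent"] + s["fin_sent"] + s["rst_recv"]) / s["total"]


def scanners(stats, threshold=SCAN_THRESHOLD):
    """Hosts whose work weight marks them as scanning."""
    return {host for host, s in stats.items() if work_weight(s) >= threshold}


def rank_channels(channels, stats, threshold=SCAN_THRESHOLD):
    """Return [(channel, scanner_count, members)] sorted by scanner count, descending."""
    bad = scanners(stats, threshold)
    ranked = []
    for chan, members in channels.items():
        count = sum(1 for m in members if m in bad)
        ranked.append((chan, count, sorted(members)))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for chan, count, members in rank_channels(IRC_CHANNELS, TCP_STATS):
        print(f"{chan:12s} scanners={count} members={members}")
```

In the sample data the channel with two scanning members ranks first, while the channel whose members only show ordinary connection behaviour falls to the bottom of the list.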