Return to search

IRC-Based Botnet Detection on IRC Server

Recently, Botnet has become one of the most severe threats on the Internet because it is hard to be prevented and cause huge losses. Prior intrusion detection system researches focused on traditional threats like virus, worm or Trojan. However, traditional intrusion detection system cannot detect Botnet activities before Botmasters launch final attack. In Botnet attack, in order to control a large amount of compromised hosts (bots), Botmasters use public internet service as communication and control channel (C&C Channel). IRC (Internet Relay Chat) is the most popular communication service which Botmasters use to send command to their bots. Once bots receive commands from Botmasters, they will do the corresponding abnormal action. It seems that Botnet activities could be detected by observing abnormal IRC traffic.
In this paper, we will focus on IRC Server and, we will use four unique characteristics of abnormal channel, (1) the prefix of Botmaster communication in C&C channel, (2) the response messages of bots, (3) average response time from bots, and (4) average length of message, to detect abnormal Channel in IRC Server. We develop an on-line IRC IDS to detect abnormal IRC channel. In the proposed system, abnormal IRC channel can be detect and we can (1) identify the infected hosts (bots) and Botmaster in C&C Channel, (2) trackback the IP of Bots and Botmaster, (3) identify Bots before Botmasters launch final attack, and (4) find the pattern of abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channel and find out bots and Botmaster.

Identiferoai:union.ndltd.org:NSYSU/oai:NSYSU:etd-0806109-175029
Date06 August 2009
CreatorsChen, Yi-ling
ContributorsBing-chiang Jeng, Chia-mei Chen, none, none
PublisherNSYSU
Source SetsNSYSU Electronic Thesis and Dissertation Archive
LanguageCholon
Detected LanguageEnglish
Typetext
Formatapplication/pdf
Sourcehttp://etd.lib.nsysu.edu.tw/ETD-db/ETD-search/view_etd?URN=etd-0806109-175029
Rightscampus_withheld, Copyright information available at source archive

Page generated in 0.0027 seconds