Analysis of botnets as being a phenomenon took

Digital Era, Internet

The current work is based on benefits of three directions of research: analysis of botnets as a sensation occurred in the net, including the research of botnet taxonometry, approaches of creation and improving the techniques for counteraction against modern botnets, and development of concepts and techniques for efficient modeling and ruse of botnet infrastructure and counteraction. Currently moment using public process we can discover many understanding of different facets of botnet operation. A group of studies, related to research of botnet as a network phenomenon, defines botnet lifecycle, which is consisting of several phases: initial contamination and dispersing stage, stage of ‘stealth’ operation and attack level. Centralized and decentralized types of architectures are viewed as as effects of research of possible node roles, and different types of botnet arracks are described.

The inspections, devoted to botnet counteraction methods, may be conditionally divided into two logical groupings: methods, which are based on id of predefined signatures, and methods which will rely on recognition of local and network anomalies. The second group of methods has a significant advantage against first group in capability to detect unidentified threats devoid of specific knowledge of their setup. On the other hand, the 2nd group is much more resource eating and more put through false positive and bogus negative errors.

Because of significant variations of botnet lifecycle levels, the mixed protection methods are used widely which think about specificities of each stage. Protection techniques “Virus Throttling” and “Failed Connection” are used to oppose botnet propagation on dispersing stage. This kind of techniques because Threshold Arbitrary Walk and Credit-based Rate Limiting also require consideration.

Beyond many types of botnets attacks, all of us studied botnets which put into action DDoS as a possible attack stage. We deemed protection methods for different phases of DDoS attacks. Approaches Ingress/Egress Filtering and PRESERVE (Source Treat Validity Adjustment Protocol) are being used as strike prevention components. They realize filtering of traffic channels for which IP spoofing was detected. Furthermore, such approaches as SIM (Source Internet protocol address Monitoring) and Detecting SYN flooding had been taken into consideration as methods for obtaining DDoS problems.

All of us also looked into protection methods destined to detect botnets of different architectures. Botnet structure is defined by the utilized communication process. At present moment IRC-, HTTP- and P2P-related botnet architectures are important intended for consideration.

Research in botnet modeling and simulation is based on various methods and approaches. A huge set of journals is devoted to botnet synthetic modeling. As an example, a stochastic model of decentralized botnet distribution is presented in. It represents a botnet being a graph. Nodes of this chart represent the botnet states, and ends depict feasible transitions between states. M. Dagon ou al. suggests an deductive model of global botnet, which describes dependencies between the actions of botnet nodes as well as the time zone intended for location of such nodes.

Another band of studies uses simulation as a main application to investigate botnets and pc networks generally speaking. Studies from this group primarily rely on strategies of discrete-event simulation of procedures being executed in network structures, as well as trace-driven versions initiated by simply trace data taken from real networks. G. Riley ain al. utilize GTNetS ruse environment to generate network earthworm propagation version. A. Suvatne suggests an auto dvd unit of “Slammer” worm propagation by using “Wormulator” simulation environment. M. Schuchard presents simulation environment that allows to replicate a large-scale botnet made up of 250 thousands of nodes. Gamer at ing. consider a DDoS simulation tool, called Distack. Li for al. make use of own ruse environment and testbeds to estimate effectiveness, scalability and cost of execution of protection mechanism PRESERVE.

Other techniques, that are very important for investigation of botnets, are emulation, incorporating analytical, packet-based and emulation-based models of botnets and botnet defense (on macro level), as well as exploring real small-sized networks (to investigate botnets on tiny level). This paper explains the way, which combines discrete-event simulation, component-based design and style and packet-level simulation of network protocols. Initially this method was recommended for network attack and defense ruse. In the present paper, as compared to works of authors, the many methods of botnet attacks and counteraction against botnets are explored by implementing complete libraries of attack and defense components.