Presenting a peer-to-peer (P2P) botnet detection method based on cluster similarity

Number of pages: 61 File Format: word File Code: 30460
Year: 2014 University Degree: Master's degree Category: Computer Engineering
  • Summary of Presenting a peer-to-peer (P2P) botnet detection method based on cluster similarity

    Dissertation for Master's degree (M.Sc.)

    Field: Computer            Specialization: Software

    Abstract

    Today, the use of botnets as a tool for large-scale criminal activity in computer networks, against targets as large as a whole country, has increased greatly. A botnet is a distributed environment that is used for high-volume attacks of various kinds. For this reason, detecting this class of attack has become one of the important issues in the security of computer networks and Internet users. With the growth of network bandwidth and the computing power of machines, distributed computing is widely used today, and hackers also exploit this concept to carry out more powerful attacks. Botnets are a practical example of this type of attack and usually pursue financial goals. This type of malware is called a robot, or bot for short; the name originates from its automatic behavior. This research examines the term botnet and botnet detection techniques, including the interpretation of packets from data sets, initial data filtering, and clustering.

    Key words: botnet, network security, internet security, clustering, computer networks

    Chapter 1

    Definitions and generalities

    1-1- Introduction

    With the expansion of virtual spaces and the development of vast networks, security [1] and the protection of important information and programs have always been a concern of senior IT managers. Network security [2] and information security [3] are two terms that are used widely in the field of information technology. With the development and expansion of the Internet and of virtual space in the web environment, information has grown rapidly and so has users' access to it. Paying attention to network security is therefore one of the modern necessities of networked environments and virtual space. Network security protects the information of organizations and institutions against intruders and creates suitable conditions for service delivery and professional activity. Information technology operates on a platform of technical infrastructure, tools, software, networks, and high-speed telecommunication lines, and all of them require safe conditions to support professional activities. In addition, it should be specified against which cases the systems and units are to be protected. This point is of great importance in examining the state of information networks and technology fields, and it needs to be taken into account when planning for network security. Identifying the types of threats [4] and the leading risks is another important factor that can be used to protect the environment of organizational networks appropriately and to provide the preparation needed to deal with possible risks. Computer networks facilitate the communication process and help managers and organizational users to carry out their assigned tasks. Therefore, ensuring the security of networks is one of the essential issues for organizations.

    Therefore, preventing the penetration of malicious agents into the network becomes a strategic issue. Failure to do so causes damage that is sometimes irreparable, the many advantages of the network are not fully realized, and money, electronic commerce [5], services to specific users, personal information [6], public information [7] and electronic publications [8] are all exposed to manipulation [9] and to material and moral abuse [10].

    Today, the use of botnets [11] as a tool for wide-ranging criminal activity [12] in computer networks, against targets as large as a whole country, has increased greatly. A botnet is a distributed environment [13] that is used for high-volume attacks of various kinds, so today the detection of this type of attack [14] has become one of the important issues in the security of computer networks.

    In recent years, Internet malware has grown towards better organization and more profit-oriented. Today, botnets are considered as the most important threat to Internet users.

    After taking over the victims' vulnerable systems, the attackers install on them their malicious software [15], which can be controlled remotely [16], and then use these victims to carry out various Internet attacks [17] such as sending spam [18], distributed denial of service attacks [19], identity theft and other criminal activities on a very large scale, while the real identity of the attacker remains hidden.

    The main problem with botnets is that they perform these actions covertly: unless we specifically look for them, we will not be aware of their presence on the system, and as long as they remain on the victim's system, that system is unable to refuse to execute the botnet owner's commands [20]. With the growth of network bandwidth and the computing power of machines, distributed computing is widely used today; in this regard, hackers [23] also use this concept to carry out more powerful attacks.

    Botnets are a practical example of this type of attacks. A botnet is a collection of infected machines on the Internet that are remotely controlled by attackers to perform malicious [24] and illegal [25] activities.

    They are called robots [26], or bots [27] for short, and this name originates from their automatic behavior. Unlike worms [28] and viruses [29], which have destructive purposes [30], the purpose for which their controllers [31] use botnets is usually financial [32]. The Xarvester and Rustock botnets are the strongest spammers in the world and are able to send 25,000 messages per hour, 600,000 messages per day and 4.2 million messages per week, which alone makes it necessary to investigate various botnet detection methods.

    Also, the discussion of C&C (Command & Control) and the life cycle [34] of a botnet distinguishes this topic from other topics in malware.

    This thesis consists of 5 chapters. The first chapter introduces the definitions of the topic. The second chapter reviews previous studies on botnet detection. The third chapter states the proposed method, and finally the fifth chapter draws the conclusion.

    Chapter 2

    Review of previous studies

    2-1- Introduction

    Considering that in recent years Internet malware has grown towards better organization and a stronger profit orientation, botnets are today considered the most important threat to Internet users.

    For this reason, several researches have been conducted in the field of botnet detection.

    2-2- Detection criteria [35]

    Botnet detection has different criteria, which are mentioned below. disable them before they participate in a cyber attack [36]. On the other hand, methods that detect botnets in the attack phase of their life cycle are more accurate.

    2-3- Detection levels [37]

    Botnet detection methods can also use two different levels of correlation analysis: the individual level [38] and the group level [39]. In individual-level analysis, botnet detection methods focus on identifying each bot-infected host [40] in isolation in the network, without paying attention to the behavior of other bot-infected hosts. These methods have the advantage of being able to detect even a single bot-infected host in the monitored network. Individual-level analysis is usually performed by matching observed activities against known patterns [41] in a database [42], so it requires prior knowledge [43] of botnets.

    2-4- Group level

    In group-level analysis, botnet detection methods try to identify two or more hosts that show similar behavior patterns [44] and flag them as hosts suspected [45] of being bots.
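    The group-level idea described above, as an added example that is not code from the thesis: each source host is summarized by a behaviour vector extracted from constructed flow records, the vectors are min-max normalized, hosts closer than a distance threshold are linked into one group, and any group of two or more hosts is reported as suspicious. The feature set, the threshold value and the sample flows are assumptions chosen for illustration, not the thesis's own.

```python
from math import sqrt
from statistics import mean

# Constructed sample flows, not from the thesis: (src_host, dst_host, bytes, duration_s).
# hA/hB/hC mimic P2P bots (many short, small exchanges); hD/hE mimic benign clients.
FLOWS = [
    ("hA", "p1", 120, 0.5), ("hA", "p2", 130, 0.6), ("hA", "p3", 110, 0.4),
    ("hA", "p4", 125, 0.5), ("hA", "p5", 115, 0.5), ("hA", "p6", 120, 0.5),
    ("hB", "p2", 118, 0.5), ("hB", "p3", 128, 0.6), ("hB", "p4", 122, 0.5),
    ("hB", "p5", 119, 0.5), ("hB", "p6", 124, 0.5), ("hB", "p7", 117, 0.5),
    ("hC", "p1", 121, 0.4), ("hC", "p3", 116, 0.5), ("hC", "p5", 123, 0.5),
    ("hC", "p7", 119, 0.5), ("hC", "p8", 120, 0.6), ("hC", "p9", 115, 0.5),
    ("hD", "w1", 15000, 3.0), ("hD", "w2", 12000, 2.0),
    ("hE", "m1", 40000, 20.0),
]

def host_features(flows):
    """Per-source-host behaviour vector: (distinct peers, mean bytes, mean duration)."""
    by_host = {}
    for src, dst, nbytes, dur in flows:
        by_host.setdefault(src, []).append((dst, nbytes, dur))
    return {h: (len({d for d, _, _ in fl}), mean(b for _, b, _ in fl),
                mean(t for _, _, t in fl)) for h, fl in by_host.items()}

def normalize(feats):
    """Min-max scale each dimension to [0, 1] so no single feature dominates the distance."""
    dims = list(zip(*feats.values()))
    lo, hi = [min(d) for d in dims], [max(d) for d in dims]
    return {h: tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i in range(len(v))) for h, v in feats.items()}

def suspicious_groups(flows, threshold=0.2):
    """Single-linkage grouping: hosts closer than `threshold` (an assumed value) share a
    group; groups of two or more hosts are reported as group-level suspects."""
    vec = normalize(host_features(flows))
    hosts = sorted(vec)
    parent = {h: h for h in hosts}  # union-find over hosts
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if sqrt(sum((x - y) ** 2 for x, y in zip(vec[a], vec[b]))) < threshold:
                parent[find(a)] = find(b)
    groups = {}
    for h in hosts:
        groups.setdefault(find(h), []).append(h)
    return sorted(g for g in groups.values() if len(g) >= 2)  # [['hA', 'hB', 'hC']] for FLOWS
```

    Because the benign hosts hD and hE each land in a singleton group, they are never reported, which is the property that lets group-level analysis work without prior knowledge of a specific botnet's signature.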

  • Contents & References of Presenting a peer-to-peer (P2P) botnet detection method based on cluster similarity

    Table of contents:

    Chapter 1. 1
    Definitions and generalities. 1
    1-1- Introduction. 2
    1-2- The importance and necessity of conducting the research. 5
    1-3- Aspects of novelty and innovation in the research. 5
    Chapter 2. 6
    Review of previous studies. 6
    2-1- Introduction. 7
    2-2- Detection criteria. 7
    2-3- Detection levels. 7
    2-4- Group level. 8
    Chapter 3. 14
    Proposed method. 14
    3-1- Proposed method. 15
    3-2- Architecture of the proposed method. 16
    3-2-1- Data collection. 18
    3-2-2- Interpreting packets. 20
    3-2-3- Structured data. 21
    3-2-4- Feature selection. 23
    3-2-5- Clustering. 23
    3-2-6- Detection of new hosts. 24
    3-3- Implementation and pseudocode of the proposed method. 24
    Chapter 4. 27
    Implementation. 27
    Evaluation of the proposed method. 28
    4-1- Architecture of the evaluation framework. 28
    4-2- Results of the proposed method. 30
    Chapter 5. 51
    Conclusion. 51
    5-1- Conclusion. 52

    References:

    [1] Pang-Ning Tan, Michael Steinbach, and Vipin Kumar. 2005. Introduction to Data Mining (First Edition). Addison-Wesley Longman Publishing Co., Boston, MA, USA.

    [2] Choi H. and H. Lee, “Identifying Botnets by Capturing Group Activities in DNS Traffic”, Computer Networks, Vol. 56, pp. 20–33, 2012.

    [3] Christopher D. Manning, Prabhakar Raghavan, and Hinrich Schütze. 2008. Introduction to Information Retrieval. Cambridge University Press, New York, NY, USA.

    [4] Gu G., R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, in Proceedings of the 17th USENIX Security Symposium, San Jose, CA, USA, 2008.

    [5] Ha Duc T., Yan Guanhua, Eidenbenz, Stephan, Ngo, H.Q. "On the Effectiveness of Structural Detection and Defense Against P2P-based", IEEE dependable systems and networks conference, pp. 297-306, 2009.

    [6] Kira, Kenji and Rendell, Larry (1992). The Feature Selection Problem: Traditional Methods and a New Algorithm. AAAI-92 Proceedings.

    [7] Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T., "Using Machine Learning Techniques to Identify Botnet Traffic", Internetwork Research Department, BBN Technologies, Proceedings of the 31st IEEE Conference on Local Computer Networks, pp. 967–974, 2006.

    [8] Renato Cordeiro de Amorim and Boris Mirkin. 2012. Minkowski metric, feature weighting and anomalous cluster initializing in K-Means clustering. Pattern Recognition 45, 3 (March 2012), 1061–1075. DOI=10.1016/j.patcog.2011.08.012 http://dx.doi.org/10.1016/j.patcog.2011.08.012.

    [9] Shahrestani, Alireza, Feily, Maryam, Ahmad, Rodina, Ramadass, Sureswaran, "Discovery of Invariant Bot Behavior through Visual Network Monitoring System", IEEE Fourth International Conference on Emerging Security Information, Systems and Technologies, pp. 182–188, 2010.

    [10] Sherif Saad, Issa Traore, Ali A. Ghorbani, Bassam Sayed, David Zhao, Wei Lu, John Felix, Payman Hakimian, "Detecting P2P botnets through network behavior analysis and machine learning", Proceedings of the 9th Annual Conference on Privacy, Security and Trust (PST 2011), July 19–21, 2011, Montreal, Quebec, Canada.

    [11] Stinson, Elizabeth and Mitchell, John C., "Characterizing Bots' Remote Control Behavior", in Botnet Detection: Countering the Largest Security Threat, edited by Lee, W. and Dagon, D., Springer, 2008.

    [12] Wang K., C. Huang, S. Lin, and Y. Lin, "A fuzzy pattern-based filtering algorithm for botnet detection", Computer Networks, Vol. 55, No. 15, pp. 3275–3286, 2011.

    [13] Xiaocong Y., D. Xiaomei, Y. Ge, Q. Yuhai, and Y. Dejun, "Data-Adaptive Clustering Analysis for Online Botnet Detection", in Proceedings of the 3rd IEEE International Joint Conference on Computational Science and Optimization, Anhui, China, 2010.

    [14] Yahyazadeh, M. and M. Abadi, “BotOnus: An Online Unsupervised Method for Botnet Detection”, ISeCure, Vol. 4, No. 1, pp. 51–62, 2012.

    [15] Yu, X., Dong, X., Yu, Ge, Qin, Yuhai, Yue, D., "Data-adaptive Clustering Analysis for Online Botnet Detection", IEEE Third International Joint Conference on Computational Science and Optimization, Vol. 1, pp. 456–460, 2010.

    [16] Zeng, Y., Hu, Xin, Shin, K. G., "Detection of Botnets Using Combined Host- and Network-Level Information", IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 291–300, 2010.

    [17] R.C. Amorim, "An adaptive spell checker based on PS3M: Improving the clusters of replacement words", in: M. Kurzynski, M. Wozniak (Eds.), Computer Recognition Systems, Vol. 3, Springer, Berlin/Heidelberg, 2009, pp. 519–526.

    [18] R.C. Amorim, B. Mirkin, J. Gan "A Method for Classifying Mental Tasks in the Space of EEG Transforms". Technical Report BBKS-10-01, Birkbeck University of London, London, 2010.

    [19] Y. Chen, M. Rege, M. Dong, J. Hua, "Non-negative matrix factorization for semi-supervised data clustering", Knowledge and Information Systems 17 (3) (2008) 355–379.

    [20] C.Y. Tsai, C.C. Chiu, "Developing a feature weight adjustment mechanism for a K-Means clustering algorithm", Computational Statistics and Data Analysis 52 (2008) 4658–4672.

    [21] J. Fan, M. Han, J. Wang, "Single point iterative weighted fuzzy C-means clustering algorithm for remote sensing image segmentation", Pattern Recognition 42 (11) (2009) 2527–2540.

    [22] L. Zhong, Y. Jinsha, Z. Weihua, "Fuzzy C-Mean Algorithm with Morphology Similarity Distance", in: Proceedings of the Sixth International Conference on Fuzzy Systems and Knowledge Discovery 3 (2009) 90–94.
