Understanding IRC bot behaviors in network-centric attack detection and prevention framework

Gail-Joon Ahn; Napoleon Paxton; Kevin Pearson

Understanding IRC bot behaviors in network-centric attack detection and prevention framework

Gail-Joon Ahn, Napoleon Paxton, Kevin Pearson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. Also, botnets are a prevalent and continuously growing method for conducting distributed attacks and identity theft. These attacks can include email spamming, distributed denial of service, port scanning, remote exploitation of vulnerabilities, and self-propagation to expand the botnet's size. The botnets can be used to scan infected hosts' machines and log keystrokes for sensitive data such as credit card and banking information, then relay gathered information to the botmasters. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with unknown bots. For these situations, a more proactive approach must be taken to gather and analyze botnets. In this paper, we introduce a network-centric attack management framework to learn more information about the bots by identifying malicious characteristics through the network traffic. Based on our framework, this paper focuses on our analysis method of IRC bots using IRC monitoring tool called IRC Sandman that observes IRC traffic and automatically downloads secondary injections from a command and control center. In addition, we briefly elaborate our findings and lessons learned.

Original language	English (US)
Title of host publication	3rd International Conference on Information Warfare and Security
Publisher	Academic Conferences Limited
Pages	1-9
Number of pages	9
State	Published - 2008
Externally published	Yes
Event	3rd International Conference on Information Warfare and Security, ICIW 2008 - Omaha, NE, United States Duration: Apr 24 2008 → Apr 25 2008

Other

Other	3rd International Conference on Information Warfare and Security, ICIW 2008
Country/Territory	United States
City	Omaha, NE
Period	4/24/08 → 4/25/08

Keywords

Botnets
IRC bot
Network-centric attack

ASJC Scopus subject areas

Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{d594d04d4aee416faf4b132fde312983,

title = "Understanding IRC bot behaviors in network-centric attack detection and prevention framework",

abstract = "Botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. Also, botnets are a prevalent and continuously growing method for conducting distributed attacks and identity theft. These attacks can include email spamming, distributed denial of service, port scanning, remote exploitation of vulnerabilities, and self-propagation to expand the botnet's size. The botnets can be used to scan infected hosts' machines and log keystrokes for sensitive data such as credit card and banking information, then relay gathered information to the botmasters. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with unknown bots. For these situations, a more proactive approach must be taken to gather and analyze botnets. In this paper, we introduce a network-centric attack management framework to learn more information about the bots by identifying malicious characteristics through the network traffic. Based on our framework, this paper focuses on our analysis method of IRC bots using IRC monitoring tool called IRC Sandman that observes IRC traffic and automatically downloads secondary injections from a command and control center. In addition, we briefly elaborate our findings and lessons learned.",

keywords = "Botnets, IRC bot, Network-centric attack",

author = "Gail-Joon Ahn and Napoleon Paxton and Kevin Pearson",

year = "2008",

language = "English (US)",

pages = "1--9",

booktitle = "3rd International Conference on Information Warfare and Security",

publisher = "Academic Conferences Limited",

note = "3rd International Conference on Information Warfare and Security, ICIW 2008 ; Conference date: 24-04-2008 Through 25-04-2008",

}

TY - GEN

T1 - Understanding IRC bot behaviors in network-centric attack detection and prevention framework

AU - Ahn, Gail-Joon

AU - Paxton, Napoleon

AU - Pearson, Kevin

PY - 2008

Y1 - 2008

N2 - Botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. Also, botnets are a prevalent and continuously growing method for conducting distributed attacks and identity theft. These attacks can include email spamming, distributed denial of service, port scanning, remote exploitation of vulnerabilities, and self-propagation to expand the botnet's size. The botnets can be used to scan infected hosts' machines and log keystrokes for sensitive data such as credit card and banking information, then relay gathered information to the botmasters. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with unknown bots. For these situations, a more proactive approach must be taken to gather and analyze botnets. In this paper, we introduce a network-centric attack management framework to learn more information about the bots by identifying malicious characteristics through the network traffic. Based on our framework, this paper focuses on our analysis method of IRC bots using IRC monitoring tool called IRC Sandman that observes IRC traffic and automatically downloads secondary injections from a command and control center. In addition, we briefly elaborate our findings and lessons learned.

AB - Botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. Also, botnets are a prevalent and continuously growing method for conducting distributed attacks and identity theft. These attacks can include email spamming, distributed denial of service, port scanning, remote exploitation of vulnerabilities, and self-propagation to expand the botnet's size. The botnets can be used to scan infected hosts' machines and log keystrokes for sensitive data such as credit card and banking information, then relay gathered information to the botmasters. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with unknown bots. For these situations, a more proactive approach must be taken to gather and analyze botnets. In this paper, we introduce a network-centric attack management framework to learn more information about the bots by identifying malicious characteristics through the network traffic. Based on our framework, this paper focuses on our analysis method of IRC bots using IRC monitoring tool called IRC Sandman that observes IRC traffic and automatically downloads secondary injections from a command and control center. In addition, we briefly elaborate our findings and lessons learned.

KW - Botnets

KW - IRC bot

KW - Network-centric attack

UR - http://www.scopus.com/inward/record.url?scp=84896529289&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84896529289&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84896529289

SP - 1

EP - 9

BT - 3rd International Conference on Information Warfare and Security

PB - Academic Conferences Limited

T2 - 3rd International Conference on Information Warfare and Security, ICIW 2008

Y2 - 24 April 2008 through 25 April 2008

ER -

Understanding IRC bot behaviors in network-centric attack detection and prevention framework

Abstract

Other

Keywords

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this