Finding, Stopping a Bot

Wednesday, May 2, 2012 @ 09:05 AM gHale


A two-pronged algorithm can now detect the presence of a botnet on a computer network and block its malicious activities before it causes too much harm.

One of the most significant threats faced by computer networks comes from “bots,” which are simply programs that run on a computer without the owner’s knowledge and carry out any of a number of tasks over the network and the wider Internet.


It can run the same tasks, such as sending emails or accessing a specific page on the Internet, at a much higher rate than would be possible if a person were to carry out the task. A collection of bots in a network, used for malicious purposes, is a botnet. While a botmaster often runs these networks, there are bots available for hire for malicious and criminal activity.

Bots may end up illicitly installed on computers in the home, schools, businesses, government buildings and other installations. They usually arrive on a computer via a malicious link on the Internet, in an email, or when a contaminated external storage device, such as a USB drive, is plugged into a computer that has no malware protection.

Botnets have sent mass emails (spam) numbering in the hundreds of millions, if not billions, of deliveries. They have also seen use in corporate spying, international surveillance and for carrying out Distributed Denial of Service (DDoS) attacks, which can take whole computer networks offline by accessing their servers repeatedly and blocking legitimate users.

To counteract the malicious nature of a bot, Manoj Thakur of the Veermata Jijabai Technological Institute (VJTI), in Mumbai, India, and colleagues developed a new approach to detecting and combating bots.

Their technique uses a two-pronged strategy involving a standalone and a network algorithm.

The standalone algorithm runs independently on each node of the network and monitors the active processes on that node. If it detects suspicious activity, it triggers the network algorithm. The network algorithm then analyzes the traffic flowing to and from the hosts on the network to deduce whether the activity is due to a bot or to a legitimate program on the system.

The standalone algorithm is heuristic in nature, which means it can spot previously unseen bot activity, whereas the network algorithm relies on network traffic analysis to carry out its detection, the researchers said.

The two techniques working together can thus spot activity from known and unknown bots, while also reducing the number of false positives.
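To make the two-pronged design concrete, here is an added illustration of the control flow described above. It is not the VJTI researchers' algorithm or code: the process-scoring rules, the beaconing test in the network stage, the thresholds, the hostnames, process names and the 203.0.113.7 address are all constructed for this example. The host stage is deliberately sensitive (it fires on a busy but legitimate mail client), and the network stage is what clears that false alarm while confirming the host whose traffic is timer-regular.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class ProcEvent:
    """One observation from the standalone (per-host) monitor."""
    host: str
    process: str
    conns_per_min: int   # outbound connections opened in the last minute
    signed: bool         # binary carries a valid code signature
    autostart: bool      # registered to start at boot or login


@dataclass
class Flow:
    """One outbound flow record seen by the network monitor."""
    host: str
    dst: str
    timestamp: float     # seconds since capture start


CONN_RATE_LIMIT = 30     # constructed threshold, not from the paper
HOST_SCORE_TRIGGER = 2   # score at which the host stage calls the network stage


def host_heuristic(ev: ProcEvent) -> bool:
    """Standalone stage: cheap per-process scoring with no network view.
    It is deliberately sensitive; the network stage resolves false alarms."""
    score = 0
    if ev.conns_per_min > CONN_RATE_LIMIT:
        score += 2                       # bot-like send/connect rate
    if not ev.signed:
        score += 1                       # unknown provenance
    if ev.autostart and not ev.signed:
        score += 1                       # unsigned binary that persists
    return score >= HOST_SCORE_TRIGGER


def interval_regularity(flows: List[Flow]) -> Dict[str, float]:
    """Per destination, the coefficient of variation (stddev / mean) of the
    gaps between successive flows. Timer-driven check-ins give a value near 0;
    human-driven traffic is bursty and scores much higher."""
    by_dst: Dict[str, List[float]] = defaultdict(list)
    for f in sorted(flows, key=lambda fl: fl.timestamp):
        by_dst[f.dst].append(f.timestamp)
    result: Dict[str, float] = {}
    for dst, ts in by_dst.items():
        if len(ts) < 4:                  # too few samples to judge timing
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        result[dst] = pstdev(gaps) / m if m > 0 else 0.0
    return result


def network_analysis(host: str, flows: List[Flow], max_cv: float = 0.1) -> bool:
    """Network stage: run only for hosts the standalone stage flagged.
    Returns True when the host shows machine-regular contact with one destination."""
    host_flows = [f for f in flows if f.host == host]
    return any(cv <= max_cv for cv in interval_regularity(host_flows).values())


def detect(events: List[ProcEvent], flows: List[Flow]) -> Dict[str, bool]:
    """Two-stage pipeline: the host stage selects suspects, the network stage decides."""
    suspects = {ev.host for ev in events if host_heuristic(ev)}
    return {h: network_analysis(h, flows) for h in sorted(suspects)}


# Constructed sample telemetry (hostnames, process names and the
# 203.0.113.7 documentation-range address are made up for this example).
EVENTS = [
    ProcEvent("ws01", "mailclient.exe", 60, True, True),    # busy but signed
    ProcEvent("ws02", "svch0st.exe", 45, False, True),      # unsigned, persistent
    ProcEvent("ws03", "notepad.exe", 1, True, False),       # quiet
    ProcEvent("ws04", "updater.exe", 5, False, True),       # unsigned, no traffic seen
]

FLOWS = (
    [Flow("ws01", "mail.example.net", t) for t in (0, 7, 9, 20, 21, 40)]
    + [Flow("ws01", "web.example.org", t) for t in (3, 15)]
    + [Flow("ws02", "203.0.113.7:443", t) for t in (0, 60, 120, 180, 240, 300)]
    + [Flow("ws03", "web.example.org", t) for t in (5, 6)]
)

if __name__ == "__main__":
    for host, is_bot in detect(EVENTS, FLOWS).items():
        print(f"{host}: {'bot confirmed' if is_bot else 'cleared by network stage'}")
```

Running it, ws01 and ws04 are raised by the host stage and then cleared (irregular or absent traffic), while ws02 is confirmed because its contacts with a single destination arrive every 60 seconds. In a real deployment the network stage would see flow records from a sensor rather than an in-memory list, and a destination shared by several confirmed hosts would be a stronger signal than any single host's timing.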
