Auto-Pattern Programmable Kernel Filter (Auto-PPKF) for Suppression of Bot Generated Traffic

Abstract

Bots usually vary from their other malicious counter parts by periodically reporting to the botmaster through regular exchange of messages. Our experiments on bot attack generation showed a continuous exchange of packets with similar content between the botmaster and the zombie machine at various time intervals. Though there were also genuine packets with similar content being sent out of the victim machine challenge was to differentiate between the two and pass only the genuine ones. In this paper, an algorithm namely Auto-Pattern Programmable Kernel Filter (Auto-PPKF), for automatic detection of patterns from packet payload for filtering out malicious packets generated by bots is proposed. The significant feature of our proposed Auto-PPKF algorithm is that, the malicious pattern is deduced at kernel level on the fly from packet payload. Traditional algorithms such as Boyer Moore, Knuth Morris Patt, and Naive Pattern search algorithms require the pattern to be identified available a priori. Currently, Longest Common Subsequence (LCS) algorithm stands as the most preferred algorithm for pattern matching. But the disadvantage is that common sequences can also exist in many genuine packets. Hence, the challenge lies in automatic detection of malicious patterns and filtering of the packets having such malicious patterns. This would not only put off the communication between the Botmaster and Zombie machine, but will also thus prevent user information from being sent to the botmaster.