Abstract

Object. The process of botnet detection in corporate area networks, based on analysis of network traffic and of the behavior of the software running on computer systems. Subject. Methods for botnet detection in computer systems. Goal. To increase the efficiency of botnet detection by developing new methods for detecting botnets in corporate networks. Results. A new approach to botnet detection in corporate area networks, based on analysis of the bots' behavior, is proposed. Botnets are detected by applying two developed methods: host-level analysis and network-level analysis. The first method analyzes the behavior of the software on a host, which may indicate the presence of a bot directly on that host and allows the malicious software to be detected; the second method involves monitoring and analysis of DNS traffic, which also allows a conclusion to be drawn about the infection of network hosts with botnets. Based on the proposed methods, an effective tool for botnet detection, BotGRABBER, was developed. It is capable of detecting bots that use evasion methods such as IP mapping, fast flux, domain flux, and DNS tunneling. Conclusions. Use of the developed system makes it possible to detect hosts infected with a botnet and to localize the malware with high efficiency, up to 96%, while showing a low false-positive rate of 3-5%. A feature of the proposed approach is that the detection of botnets is "invisible" to botnet owners.
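As an added illustration of the network-level method the abstract describes, the following script (written for this page, not the paper's BotGRABBER code) flags client hosts whose DNS traffic shows the three DNS-based evasion patterns named above, using simple heuristics over constructed resolver log lines. The log format, the thresholds, and the host addresses are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not data from the paper); fields:
# client  qname  qtype  rcode  ttl  answer
SAMPLE_LOG = """\
10.0.0.5 cdn.example.com A NOERROR 30 198.51.100.10
10.0.0.5 cdn.example.com A NOERROR 30 198.51.100.44
10.0.0.5 cdn.example.com A NOERROR 30 203.0.113.7
10.0.0.5 cdn.example.com A NOERROR 30 203.0.113.99
10.0.0.6 qx7fj2.example.net A NXDOMAIN 0 -
10.0.0.6 p0lm3zz.example.net A NXDOMAIN 0 -
10.0.0.6 a9ksd1.example.net A NXDOMAIN 0 -
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBh.t.example.org TXT NOERROR 60 -
10.0.0.8 www.example.com A NOERROR 3600 192.0.2.1
"""

# Heuristic thresholds: assumptions for this example, not BotGRABBER's parameters.
FLUX_MIN_IPS, FLUX_MAX_TTL = 4, 300             # fast flux: many A answers, short TTL
NXDOMAIN_MIN = 3                                # domain flux: bursts of failed lookups
TUNNEL_MIN_LABEL, TUNNEL_MIN_ENTROPY = 20, 3.5  # tunneling: long, high-entropy labels

def shannon_entropy(s):
    """Bits per character of s; encoded payloads score higher than real names."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_tunnel(qname):
    """True if any label of qname is long and random enough to carry encoded data."""
    return any(len(lbl) >= TUNNEL_MIN_LABEL and shannon_entropy(lbl) >= TUNNEL_MIN_ENTROPY
               for lbl in qname.split("."))

def analyze_dns_log(text):
    """Map each client host to the evasion indicators its DNS traffic matches."""
    findings, nxdomain, answers = defaultdict(set), defaultdict(int), defaultdict(list)
    for line in filter(None, text.splitlines()):
        host, qname, qtype, rcode, ttl, answer = line.split()
        if rcode == "NXDOMAIN":
            nxdomain[host] += 1                 # failed lookups of generated names
            if nxdomain[host] >= NXDOMAIN_MIN:
                findings[host].add("domain_flux")
        elif qtype == "A" and answer != "-":
            answers[(host, qname)].append((int(ttl), answer))
        if looks_like_tunnel(qname):
            findings[host].add("dns_tunneling")
    for (host, qname), recs in answers.items():
        ips, min_ttl = {ip for _, ip in recs}, min(t for t, _ in recs)
        if len(ips) >= FLUX_MIN_IPS and min_ttl <= FLUX_MAX_TTL:
            findings[host].add("fast_flux:" + qname)
    return dict(findings)
```

Running `analyze_dns_log(SAMPLE_LOG)` reports one indicator per suspicious host and nothing for the host that only resolved a stable, long-TTL name.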
