Abstract

Botnets are becoming more popular in the cyber world and pose a great challenge to security. Using botnets, attackers take legacy attacks into a new dimension. Existing Intrusion Prevention / Intrusion Detection (IPS/IDS) systems can detect botnet attacks using anomaly detection or signature methods. To fly under the radar of IDS/IPS systems, the bot master creates an attack that shows neither an anomaly nor any known signature. One possibility is a mimicking attack. The attacker hacks the browsing history of a popular website. Using the browsing history, they simulate thousands of users through bots and try to degrade the performance of the website. Mimicking attacks can be made distributed by using a botnet. In this paper, we discuss the possibility of a mimicking attack using a botnet. In the first phase, the attacker injects bots into the targeted systems. In the second phase, the bot master injects into the targeted systems the respective mimicking profiles, similar to their browsing behavior. We propose a possible algorithm to identify the mimicking attack at the gateway level, tied in with a NIDS. We worked on an example of a mimicking attack using the HTTP protocol. The attacker collects the profiles of users, and from these the mimicking profile is extracted. With it, a heterogeneous mimicking attack was executed. A NIDS installed at the gateway collects the connection statistics. The statistics are given to the detection algorithm, which identifies similar flows based on Layer 3, Layer 4 and Layer 7. The suspicious flows are sent challenges to prove the identity of the user. In an attack, the mimicking applications cannot respond to the challenges; source IP addresses that do not respond to the challenges are added to the block list.
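
An added example (not code from the paper) of the gateway-side detection step the abstract describes: flows to the same Layer 3/Layer 4 target are clustered by Layer 7 request behaviour, flagged sources are challenged, and non-responders go on the block list. The flow records, the bigram/Jaccard similarity measure, both thresholds and the `responds` callback are assumptions; the abstract does not specify them.

```python
from collections import defaultdict

# Constructed flow statistics, as a gateway NIDS might export them (not real traffic).
# Fields: source IP, destination IP, destination port, L4 protocol, HTTP request paths.
PROFILE = ["/", "/news", "/news/42", "/login"]
FLOWS = [
    ("198.51.100.11", "203.0.113.5", 80, "tcp", PROFILE),
    ("198.51.100.12", "203.0.113.5", 80, "tcp", PROFILE),
    ("198.51.100.13", "203.0.113.5", 80, "tcp", PROFILE + ["/account"]),
    ("198.51.100.14", "203.0.113.5", 80, "tcp", ["/", "/shop", "/cart"]),
    ("198.51.100.15", "203.0.113.5", 80, "tcp", ["/", "/about"]),
    ("198.51.100.16", "203.0.113.5", 80, "tcp", PROFILE),  # human, same path
]

def bigrams(requests):
    """Layer 7 fingerprint: the set of consecutive request pairs."""
    return set(zip(requests, requests[1:]))

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty fingerprints count as identical."""
    return len(a & b) / len(a | b) if a | b else 1.0

def suspicious_sources(flows, min_sources=3, min_sim=0.6):
    """Flag sources whose flows hit the same L3/L4 target with similar L7
    behaviour. Both thresholds are assumptions chosen for this example."""
    by_target = defaultdict(list)
    for src, dst, dport, proto, requests in flows:
        by_target[(dst, dport, proto)].append((src, bigrams(requests)))
    flagged = set()
    for members in by_target.values():
        clusters = []  # each entry: [representative fingerprint, source IPs]
        for src, grams in members:
            for cluster in clusters:
                if jaccard(cluster[0], grams) >= min_sim:
                    cluster[1].add(src)
                    break
            else:
                clusters.append([grams, {src}])
        for _, sources in clusters:
            if len(sources) >= min_sources:
                flagged |= sources
    return flagged

def block_list(suspects, responds):
    """Challenge every suspect; `responds` is a hypothetical callback that
    reports whether the source answered the challenge."""
    return {ip for ip in suspects if not responds(ip)}

if __name__ == "__main__":
    suspects = suspicious_sources(FLOWS)
    print(sorted(block_list(suspects, lambda ip: ip.endswith(".16"))))
```

The human at 198.51.100.16 is flagged because the browsing path matches the replayed profile, but stays off the block list because the challenge is answered.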
