BotSniffer: a system for early detection of bots in the network
16 March 2011, 13:51
Researchers at Georgia Tech have developed a prototype program, BotSniffer (research paper in PDF), that can find botnets on its own by analyzing the network activity of individual computers on the network. The program identifies behavior patterns characteristic of infected zombie PCs and then traces them back to the botnet's command-and-control (C&C) server. Typically the C&C server communicates over IRC or HTTP, and BotSniffer supports both modes.

BotSniffer needs neither signatures nor a list of IP addresses to get started. It detects bots and finds C&C servers even when the traffic between them is encrypted. The key observation is that all bots in a botnet behave the same way: at the same moment they all begin either to send information or to scan the network. The program detects these patterns. The transmission of commands over the network can then be blocked quickly, neutralizing the botnet. The researchers explain that the mechanism for transmitting commands from the C&C server is the weakest link in a botnet.
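The synchronized-behavior idea described above can be illustrated with a small detector. The example below is added here and is not BotSniffer's own code: it works on a constructed log format (timestamp, source, destination, event) that is an assumption for this illustration. Clients that connect to the same server are treated as one candidate group, and the group is flagged when a large fraction of its members scan or send within a short window of one another, regardless of what the traffic to the server contains.

```python
"""Group-activity detector: flags hosts that share one server and act in lockstep."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log, not a real capture. Fields: timestamp src dst event
# 'connect' records tell us which clients talk to which server; 'scan' and
# 'send' records are outbound activity we correlate across those clients.
SAMPLE_LOG = """\
1000.0 10.0.0.11 203.0.113.5 connect
1000.1 10.0.0.12 203.0.113.5 connect
1000.2 10.0.0.13 203.0.113.5 connect
1000.3 10.0.0.14 203.0.113.5 connect
1001.0 10.0.0.21 198.51.100.9 connect
1050.0 10.0.0.11 - scan
1050.4 10.0.0.12 - scan
1050.9 10.0.0.13 - send
1051.2 10.0.0.14 - scan
1300.0 10.0.0.21 - scan
1600.0 10.0.0.11 - send
"""

Record = Tuple[float, str, str, str]  # (timestamp, src, dst, event)


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, event = parts
        records.append((float(ts), src, dst, event))
    return records


def clients_per_server(records: List[Record]) -> Dict[str, Set[str]]:
    """Candidate groups: the set of clients that connected to each server."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, event in records:
        if event == "connect":
            groups[dst].add(src)
    return groups


def peak_crowd_density(records: List[Record], members: Set[str],
                       window: float) -> Tuple[float, float]:
    """Return (density, window_start) for the densest burst of group activity.

    density = fraction of group members that produced a scan/send event
    within `window` seconds of the burst's first event.
    """
    events = sorted((ts, src) for ts, src, _, event in records
                    if event != "connect" and src in members)
    best = (0.0, 0.0)
    for i, (start, _) in enumerate(events):
        active = {src for ts, src in events[i:] if ts - start <= window}
        density = len(active) / len(members)
        if density > best[0]:
            best = (density, start)
    return best


def detect_synchronized_groups(log_text: str, window: float = 2.0,
                               min_group: int = 3,
                               threshold: float = 0.75) -> List[Tuple[str, float, float]]:
    """Flag servers whose client group acts in near-unison.

    min_group guards against trivially 'synchronized' groups of one or two
    hosts; threshold is the fraction of the group that must act together.
    """
    records = parse_log(log_text)
    alerts = []
    for server, members in clients_per_server(records).items():
        if len(members) < min_group:
            continue
        density, start = peak_crowd_density(records, members, window)
        if density >= threshold:
            alerts.append((server, density, start))
    return alerts


if __name__ == "__main__":
    for server, density, start in detect_synchronized_groups(SAMPLE_LOG):
        print(f"suspected C&C {server}: {density:.0%} of its clients active within 2s of t={start}")
```

On the sample log the four clients of 203.0.113.5 all act within 1.2 seconds, so that server is flagged, while the lone client of 198.51.100.9 is ignored because a group of one says nothing about coordination. Lowering `min_group` to 1 shows why that guard matters: the single host is then reported with a density of 100%.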

The developers implemented the prototype as a plugin for the popular open-source intrusion detection system Snort, but BotSniffer is shipped separately and is not included in the basic Snort distribution. BotSniffer will take its place in the list of anti-bot utilities alongside similar programs BotHunter, BotMiner and BotProbe, all of which work in different ways.

Via NetworkWorld
Added by: w1zard