Bonfring International Journal of Research in Communication Engineering, Vol. 1, Special Issue, December 2011
ISSN 2250 110X | 2011 Bonfring

Towards Realization of Large-Scale Botnet Probing Events
J. Vinu and R. Rajesh Perumal

Abstract--- Today's attack landscape is governed by botnets. A botnet refers to a group of bots, a sort of malware which allows an attacker to achieve complete control over the affected computer. Botnets are often run by malicious programmers with specific skills, while advanced attackers manage the control channel. This work aims to understand the consequences of large-scale botnet probes by investigating ways to analyze collections of malicious probing traffic. In such events, a whole collection of remote hosts together probes the address space monitored by a sensor in a somewhat synchronized fashion. Our goal is to extend the methodologies by which sites receiving such probes can understand, using purely local surveillance, information about the probing activity: the scanning strategies the probes employ, and whether the attack specifically targets the site or the site is just accidentally probed as part of a larger, unselective attack. Our analysis draws upon comprehensive honeynet data to discover the occurrence of diverse types of scanning, with properties such as trend, uniformity, coordination, and darknet avoidance. Cross-evaluating with data from DShield confirms that our approach can accurately contribute to a site's situational awareness.

Keywords--- Botnet, Computer Network Security, Global Property Extrapolation, Honeynet

I. INTRODUCTION
The Internet has recently been witnessing a notable increase in malware. The major reason for this kind of Internet malware epidemic is bots: maliciously compromised machines. Probes are sent from the Internet to a site either to connect to its services or as obvious attacks aimed at those services. What the site's security personnel most want to know is not "are we being attacked?" but rather "what is the significance of this activity?" Is the site being intentionally targeted? Or is the site simply receiving one small part of a much larger probing activity? Obviously, the site will often be more concerned about the probing if the attacker has exclusively targeted the site.

Here, we seek to contribute to the types of analysis that sites can apply to determine such risks. The assumption is that most probing events reflect activity from botnets, which govern today's Internet attack landscape.
Our approach aims to analyze rather large-scale activity that involves several local addresses. As such, our techniques are suitable for use by sites that set up darknets, honeynets, or any monitored networks with unexpected access, for which we can identify the botnet probing events. The main contribution of this paper is the development of a set of techniques for analyzing botnet events, most of which do not require the use of responders.

(J. Vinu is with Francis Xavier Engineering College, Tirunelveli, India. E-mail: vinu5univ@gmail.com. R. Rajesh Perumal is with Aricent Technologies, Chennai, India. E-mail: jeshmal4u@gmail.com.)
A honeypot is a trap set to detect unauthorized use of systems. A honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. A darknet, in general usage, refers to any closed, private group of people communicating; the term is used to refer to all covert (secret) communication networks. In the sensor sense used in this paper, however, a darknet is a block of monitored address space that never responds, such as the five dark subnets described in Section II.
Existing work on botnets has focused on either host-level observations of single occurrences of botnet activity, studies of particular captured botnet binaries, or network-level analysis of command-and-control (C&C) activity [2]; our techniques instead aspire to characterize facets of large-scale botnet probing events regardless of the nature of the botnet.

Here, the analysis does not involve assumptions about the internal organization and communication mechanisms used by the botnets. Previously, the NetSA (Network Situational Awareness) system was used to enable an analyst to quickly assess high-level information such as the cause of an attack [1]. Our paper focuses on botnet inference and characterization through probing behavior. In addition, this approach has the significant benefit of requiring only local information, although such inferences may also be achievable by using a collaborative effort such as DShield, subject to certain limitations.
The paper proceeds as follows. First, we develop a set of statistical approaches to evaluate the attributes of large-scale probing events seen by sensors, including checks for trends, uniformity, coordination, and hit-lists (liveness). Here we mainly focus on checking a special kind of hit-list, liveness-aware scanning, in which the attackers try to avoid darknets.

Second, two algorithms are devised to extrapolate the global properties of a scanning event based on a sensor's limited local view. These algorithms rest on different underlying assumptions and exhibit different accuracies. The resulting estimates of total botnet size can be used to track trends in botnet usage, with implications for their command and control (C&C) facilities.
Moreover, botnet scans are one key technique in use for botnet recruitment. To validate our estimates of the global properties, the results are compared with those from DShield, the Internet's largest global alert repository. The results demonstrate that our approaches are accurate enough to enable sites to make consistent inferences.
In the detection of botnets, earlier detection has been done by monitoring and analyzing the command and control (C2) communication traffic [6]. The advantage of such an approach is that it is based on an essential property shared by many botnet variants and is independent of the structure and communication protocol used in the botnet.

Taking one step forward in the study of botnets, and more importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. Researchers are now working on the design of an advanced hybrid P2P (peer-to-peer) botnet, which is expected to be harder to monitor and much harder to shut down [4].
II. SYSTEM FRAMEWORK
The following figure (Fig. 1) shows the architecture of our system. There are two subsystems, namely the botnet detection subsystem and the botnet inference subsystem.

Figure 1: System Framework

This paper mainly focuses on a honeynet sensor, even though other data-collecting sensors can be used too. A framework has been proposed by Hossein Rouhani Zeidanloo [5] to find similar communication patterns and behavior among groups of hosts that are performing at least one malicious activity.
A. Honeynet and Data Collection
Our detection sensor comprises ten contiguous /24 subnets. We deployed Honeyd responders on five of the subnets and operated the other five completely dark; the dark subnets are used for hit-list detection later. This technique resembles a whitelist, called a VIP list, in which the source addresses in the list are given higher priority when a critical Internet site is under attack [3].
B. Botnet Detection Subsystem
Bots are software robots that are liable for performing tasks automatically with the same goal, where the same protocol(s) and protocol/session semantics are used by the probes. Botnets are networks of computer systems using IRC (Internet Relay Chat) or related capabilities for communication, command and control.

A session is defined as a set of connections between a pair of hosts with a specific purpose, possibly involving multiple application protocols. Sessions occur when the botmaster commands the bots to probe in a similar fashion, reflecting the same core bot software.

We assume that the botmaster commands the bots to probe in the same time frame, since the events of interest reveal coordinated bot activity. This behavior is evident as a large number of unique sources arriving at the detection sensor in a short time window for a given protocol or protocol/session semantics.

Worms or misconfigurations can also produce such traffic spikes. Hence, we need to further distinguish types of probing: large spikes correspond to scanning from worms, botnets, or misconfigurations.

We recognize the botnet events from the traces via three steps:
- Through traffic classification, we categorize the traffic by different protocols or protocol/session semantics.
- We identify large spikes of unique source arrivals, which correspond to worm, botnet or misconfiguration events, for each stream of traffic.
- Finally, we separate worm and misconfiguration events from botnet events.
1) Traffic Classification
The application protocol contacted first is representative of the probing goal; therefore we label the session by the first protocol used. Doing so offers consistent labeling for connection attempts where the honeynet did not respond.

We aggregate connections into sessions: for a given pair of hosts, we consider all connections that are contained within each other in time as part of the same session. A single threshold is used for this grouping, and we found that it properly groups the majority of connections between any given pair of hosts.

Assuming that we observe at least one successful session from each sender, we can use payload analysis of that session to separate it from other traffic.
2) Event Extraction
We can gain insight into botnets, worms and misconfigurations by detecting large spikes of unique source counts as events. The problem is to recover the signal in a noisy time series, and many signal detection and reconstruction techniques can be used.

At this point, we use a simple semiautomated approach to discover the events. We calculate the unique source count for every time interval and perform event extraction by means of time series analysis. First we automatically identify and extract the rough boundaries of events, and then manually refine the event starting and ending times.

After extracting an event, we further refine it by rescaling it into smaller time intervals and recalculating the unique source counts. Manual analysis and visualization techniques are used here to refine the event starting and ending times.
3) Misconfiguration and Worm Separation
Misconfigurations are separated from worms and botnets on the basis of the assumption that botnet scans and worms will contact a significant range of the IP addresses in the sensor, whereas events in which a few hotspots are frequently targeted are more probably due to misconfigurations. Here we use two metrics to separate misconfigurations from other events:
- The address hit ratio, the number of destination addresses involved in the event divided by the number of destination addresses in the honeynet, should be much smaller for misconfigurations than for botnet sweeps or worms.
- The average number of sources per destination address should be much larger for misconfigurations.

If the first metric is below a specified threshold while the second crosses a specified threshold, we judge the event to be a misconfiguration; otherwise, it is classified as a worm or botnet event.

We found that almost all misconfiguration events are due to peer-to-peer (P2P) traffic. For our purposes, we identify and remove as worms those events that exhibit an exponentially growing trend, and deem the remainder to be botnet probing events.
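Added example, not from the paper: a Python classifier that applies the two metrics above and then the exponential-growth check to three constructed event summaries. The hit-ratio threshold (0.10), the sources-per-destination threshold (20) and the per-interval growth factor (1.5) are assumptions, since the paper only says the thresholds are "specified".

```python
# Honeynet size from Section II.A: ten contiguous /24 subnets.
HONEYNET_SIZE = 10 * 256

# Constructed event summaries: the (src, dst) pairs each event involved and
# its unique-source count per time interval, as produced by event extraction.
def p2p_hotspot_event():
    # 300 sources all hitting the same 3 addresses (stale P2P peer lists)
    pairs = {(f"p{i}", f"192.0.2.{i % 3}") for i in range(300)}
    return {"pairs": pairs, "series": [100, 95, 105]}

def worm_event():
    # source count roughly doubles each interval, spread over 1000 addresses
    pairs = {(f"w{i}", f"192.0.2.{i % 1000}") for i in range(2000)}
    return {"pairs": pairs, "series": [5, 10, 21, 40, 82, 160]}

def botnet_event():
    # coordinated burst: many sources, wide coverage, flat over time
    pairs = {(f"b{i}", f"198.51.100.{i % 1200}") for i in range(2400)}
    return {"pairs": pairs, "series": [400, 410, 395, 405]}

def hit_ratio(event, honeynet_size=HONEYNET_SIZE):
    """Destination addresses touched / addresses in the honeynet."""
    return len({d for _s, d in event["pairs"]}) / honeynet_size

def avg_sources_per_dst(event):
    """Mean number of distinct sources per destination address."""
    dsts = {d for _s, d in event["pairs"]}
    return len(event["pairs"]) / len(dsts)

def has_exponential_growth(series, min_ratio=1.5):
    """Worm-like trend: every interval-to-interval growth factor of the
    unique source count stays above min_ratio (assumed value)."""
    ratios = [b / a for a, b in zip(series, series[1:]) if a > 0]
    return len(ratios) >= 2 and min(ratios) >= min_ratio

def classify_event(event, hit_threshold=0.10, src_threshold=20.0):
    """Metrics from Section II.B.3 first, then the worm trend check; what
    remains is treated as a botnet probing event. Thresholds are assumed."""
    if hit_ratio(event) < hit_threshold and avg_sources_per_dst(event) > src_threshold:
        return "misconfiguration"
    if has_exponential_growth(event["series"]):
        return "worm"
    return "botnet"
```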
C. Botnet Inference Subsystem

There are numerous scanning strategies that attackers can potentially use for botnet probing. Identifying the particular approach can offer a basis for inferring further properties of the events and maybe of the botnets themselves.

We refer to these strategies as scan patterns, and develop a set of scan-pattern checking techniques to recognize different dimensions of such strategies:
- Monotonic trend checking,
- Hit-list checking,
- Uniformity checking, and
- Dependency checking.

Once we recognize a probing event's scan pattern, we then apply the scan pattern to extrapolate global properties of the event. Here two of the most familiar scan patterns are used: uniform random scanning, and uniform hit-list (liveness) scanning. We then extrapolate global properties such as the global scan scope and the global number of bots.
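Added example, not the authors' code: Python versions of three of the scan-pattern checks listed above, applied to three constructed probe events over the ten /24 sensor subnets. Uniformity is tested with a chi-square goodness-of-fit over per-subnet hit counts, hit-list (darknet avoidance) checking uses the fraction of probes that reach the dark subnets, and monotonic trend checking is read here as a test for sequential address order. Which five subnets are dark, the 5% dark-hit cutoff and the 90% monotonic cutoff are assumptions.

```python
# Sensor layout from Section II.A: ten contiguous /24 subnets, five with
# Honeyd responders and five completely dark. Which five are dark, and all
# cutoffs below, are assumptions of this example.
SUBNETS = 10
DARK_SUBNETS = set(range(5, 10))
CHI2_CRIT_DF9_P05 = 16.919   # chi-square critical value, 9 d.o.f., p = 0.05

# Constructed probe events: lists of (time, subnet_index, host_octet).
def strided_uniform_probes(n=2000):
    """Every subnet gets the same number of probes, in non-sequential order,
    so the checks see the same spread a uniform random scanner produces."""
    return [(t, (7 * t) % SUBNETS, (37 * t) % 256) for t in range(n)]

def liveness_aware_probes(n=2000):
    """Hit-list scanner that only ever touches the responder subnets."""
    return [(t, (3 * t) % 5, (11 * t) % 256) for t in range(n)]

def sequential_probes(n=2560):
    """Addresses visited in strictly increasing order over time."""
    return [(t, (t // 256) % SUBNETS, t % 256) for t in range(n)]

def uniformity_check(probes):
    """Chi-square statistic of per-subnet hit counts against an even spread;
    returns (statistic, is_uniform)."""
    counts = [0] * SUBNETS
    for _t, subnet, _host in probes:
        counts[subnet] += 1
    expected = len(probes) / SUBNETS
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return stat, stat < CHI2_CRIT_DF9_P05

def hit_list_check(probes, max_dark_fraction=0.05):
    """Darknet avoidance: a scanner without a live hit-list should land on the
    dark half of the sensor about half the time; returns (fraction, avoids)."""
    dark = sum(1 for _t, s, _h in probes if s in DARK_SUBNETS)
    frac = dark / len(probes)
    return frac, frac < max_dark_fraction

def monotonic_trend_check(probes, min_fraction=0.9):
    """Sequential sweep: share of consecutive probes whose address
    (subnet*256 + host) increases; near 1.0 means a monotonic sweep."""
    addrs = [s * 256 + h for _t, s, h in sorted(probes)]
    ups = sum(1 for a, b in zip(addrs, addrs[1:]) if b > a)
    return ups / max(len(addrs) - 1, 1) >= min_fraction

def scan_pattern(probes):
    """Combine the checks into one of the two scan patterns the paper
    extrapolates from, or flag the event for manual analysis."""
    uniform = uniformity_check(probes)[1]
    hit_list = hit_list_check(probes)[1]
    if monotonic_trend_check(probes):
        return "sequential sweep"
    if uniform and not hit_list:
        return "uniform random scanning"
    if hit_list:
        return "uniform hit-list (liveness) scanning"
    return "non-uniform (needs manual analysis)"
```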
III. RESULTS OBTAINED
In Table 1, consider that there are a total of six bots ready to attack a site (server), with three honeynets on each server. At a time interval of 1 second, let the number of bots probing be 2; when all three honeynets are shut down at that instant, the delay increases and thereby the performance of the server diminishes.

Table 1: Performance of Sites with Varying Large-Scale Botnet Probes

Time interval (seconds) | No. of bots | Performance of server with honeynet | Performance of server without honeynet
After 1                 | 2           | 1000 nanoseconds                    | 3000 nanoseconds
After 2                 | 4           | 1500 nanoseconds                    | 3500 nanoseconds
After 3                 | 6           | 2000 nanoseconds                    | 4500 nanoseconds

Similarly, when 4 bots probe after 2 seconds, the performance of the server is improved by the presence of honeynets, since the bots get confused between the server and the three honeynets: the bots will not have a clear idea of how to target the particular site. Thus we can identify such events as malicious bots with the use of honeynets.

The following graph (Fig. 2) demonstrates the performance variation of the server with and without the use of honeynets.

Figure 2: Performance Graph

Performance means the time taken by the server to respond to the client during the attack by bots.
IV. CONCLUSION
In this paper, we developed techniques for recognizing botnet scanning strategies and deducing the global properties of botnet events. Cross-evaluating with data from DShield confirms that our approach can contribute to a site's situational awareness, including the crucial question of whether the attack specifically targets the site, or the site is just accidentally probed as part of a larger, indiscriminate attack.
ACKNOWLEDGMENT
Vinu J. thanks Mr. T. Anto Theepak, M.E., Asst. Prof., Department of Information Technology, Francis Xavier Engineering College, for his valuable guidance throughout the completion of the project.
REFERENCES
[1] V. Yegneswaran, P. Barford, and V. Paxson (2005). Using Honeynets for Internet Situational Awareness. Proceedings of ACM HotNets-IV, College Park, MD.
[2] Basil AsSadhan, José M. F. Moura, David Lapsley, and Christine Jones (2009). Detecting Botnets Using Command and Control Traffic. IEEE International Symposium on Network Computing and Applications.
[3] MyungKeun Yoon (2010). Using Whitelisting to Mitigate DDoS Attacks on Critical Internet Sites. IEEE Communications Magazine, July 2010.
[4] Ping Wang, Sherri Sparks, and Cliff C. Zou (2010). An Advanced Hybrid Peer-to-Peer Botnet. IEEE Transactions on Dependable and Secure Computing, Vol. 7, No. 2, April-June 2010.
[5] Hossein Rouhani Zeidanloo, Azizah Bt Manaf, Payam Vahdani, Farzaneh Tabatabaei, and Mazdak Zamani (2010). Botnet Detection Based on Traffic Monitoring. International Conference on Networking and Information Technology.
[6] Basil AsSadhan, José M. F. Moura, David Lapsley, and Christine Jones (2009). Detecting Botnets Using Command and Control Traffic. IEEE International Symposium on Network Computing and Applications.


J. Vinu was born at Nagercoil, Tamil Nadu, India, on May 20, 1989. She received her B.Tech. degree with First Class in Information Technology from Ponjesly College of Engineering in May 2010. She worked for 6 months on a Java-based e-mail client as a part-time Software Trainee Developer at Praise Soft Solutions. She is currently pursuing an M.Tech. degree in Information Technology at Francis Xavier Engineering College, Tirunelveli, India. Her research interests include Mobile Computing, Fuzzy Logic Systems and E-mail Systems. Her paper titled "Preventing Malicious Imposter Emails using REAB" was published in the iCIRET International Journal in 2010.

R. Rajesh Perumal was born at Nagercoil, Tamil Nadu, India, on October 18, 1988. He received his B.Tech. degree with First Class in Information Technology from Ponjesly College of Engineering in May 2010. He worked for 6 months on a Java-based e-mail client as a part-time Software Trainee Developer at Praise Soft Solutions. After that he worked as a Network Administrator at Fortune Tech Private Ltd, Bangalore. He is currently a Software Trainee Engineer at Aricent Technologies, Chennai, India. His research interests include Intrusion Detection Systems, Image Processing and E-mail Systems. His paper titled "Preventing Malicious Imposter Emails using REAB" was published in the iCIRET International Journal in 2010.
