A beneficial botnet, which tries to cope with technology of malicious botnets such as peer to peer (P2P) networking and Domain Generation Algorithm (DGA), is discussed. In order to cope with such botnets’ technology, we are developing a beneficial botnet as an anti-bot measure, using our previous beneficial bot. The beneficial botnet is a group of beneficial bots. The P2P communication of malicious botnet is hard to detect by a single Intrusion Detection System (IDS). Our beneficial botnet has the ability to detect P2P communication, using collaboration of our beneficial bots. The beneficial bot could detect communication of the pseudo botnet which mimics malicious botnet communication. Our beneficial botnet may also detect communication using DGA. Furthermore, our beneficial botnet has ability to cope with new technology of new botnets, because our beneficial botnet has the ability to evolve, as same as malicious botnets.

1. A Botnet Detecting Infrastructure
Using a Beneficial Botnet
Takashi Yamanoue, Fukuyama University
ACM SIGUCCS 2018, @Orland Fl. USA, Oct. 9, 2018.

2. #siguccs18
#siguccs18

3. • An Eye for an Eye
• A Tooth for a Tooth
• A Bot for a Bot
• A Botnet for a Botnet
#siguccs18
Vs.
Vs.
Vs.
Vs.

4. Contents
• 1. Introduction
• 2. Beneficial Botnet
• 3. Experiment
• 4. Related Work
• 5. Conclusion
#siguccs18

5. 1. Introduction (1/6)
• Network Managers and
People in charge of Network Security
…Troubled by Malicious Botnet
#siguccs18

6. • A Malicious Botnet does
– Spread SPAM mails
– DDoS Attack
– Click Fraud
– Steal bank account information of users
of zombie computers.
• A Malicious Botnet is
– Persistent
• Continues malicious things even if some
of bots of it were removed.
– Evolving
1. Introduction (2/6)
#siguccs18

7. • Technology of a Malicious Botnet
– It was rely on a single centralized command and control
(C2) server
• The botnet can be disrupted by removing the C2 server
–Peer To Peer (P2P)
• Middle years of 2000 …ex. Agobot/Phatbot
–Domain Generation Algorithm, (DGA)
• Late years of 2000 … ex. Conficker
• Our approach to cope with them
–Beneficial Botnet
1. Introduction (3/6)
#siguccs18

8. • Our Beneficial botnet is A group of beneficial bots
–Agent bots and an analyzing bot.
• An agent bot
– Located between a LAN and its NAT/ router.
– Collects and controls communication of hosts in the
LAN
• The analyzing bot
– Collects communication data from agent bots
– Analyzes the data.
– Can execute R programs for the analysis
1. Introduction (4/6)
#siguccs18
Agent bot
NAT/Router
Sub-LAN

9. • The P2P communication of malicious
botnet
– hard to detect by a single IDS at the entrance of
organizational network
• Because
– No single C2 Server
– Small amount of traffic of P2P communication
between P2P nodes at the inside of the
organizational network and the outside.
• Our beneficial botnet
– has the ability to detect P2P communication
using collaboration of our beneficial bots.
1. Introduction (5/6)
#siguccs18

10. • We have Made a Pseudo Botnet, Pseudo
Gameover ZeuS, for evaluation.
– Performs P2P communication between some nodes
of it without doing malicious things.
• Our beneficial botnet
– could detect P2P communication of the pseudo
Gameover ZeuS
– may also detect communication using DGA.
• Furthermore, our beneficial botnet
– has ability to cope with new technology of new
botnets, because our beneficial botnet has the
ability to evolving,
as same as malicious botnets.
1. Introduction (6/6)
#siguccs18

11. 2. Beneficial Botnet(1/13)
• It is common
– to use an IDS or intrusion prevention system
(IPS)
– at the entrance of an organizational network
now.
• An IDS or IPS at the entrance of the
organizational network
– is effective for a malicious botnet with
centralized C2 server because every
communication between the C2 server and
all bots can be detected by the IDS or the IPS.
#siguccs18

12. • An Example of Botnets
– Gameover ZeuS
• Disrupted in 2014 by the international collaborative
investigating activity.
• The losses attributable to Gameover ZeuS were
estimated over one hundred million dollars according
to the FBI announcement
• “The second centralized version of Zeus mutated into
a peer-to-peer (P2P) variant, known as P2P Zeus or
Gameover. Since P2P Zeus does not rely on
centralized command and control server (C2), it is
immune to traditional countermeasures against Zeus”,
according to Andriesse and Bos
2. Beneficial Botnet (2/13)
#siguccs18

13. • Botnets with the P2P feature are
– difficult to detect, difficult to disrupt.
– No Centralized command and control server
(C2 server)
• A reason of great losses of the Gameover
Zeus can be considered that the Gameover
Zeus acquired the P2P feature.
– Gameover ZeuS has been disrupted.
However, there are chances that similar P2P
botnets intrude campuses and conduct their
malicious operation.
2. Beneficial Botnet(3/13)
#siguccs18

14. • By the single IDS at the network
entrance of the campus
–Hard to detect P2P
communication of bots in the
campus.
–Hard to locate such Bots in the
campus.
2. Beneficial Botnet(4/13)
#siguccs18

15. • We have designed our beneficial botnet to cope
with malicious botnet such as the Gameover
ZeuS.
2. Beneficial Botnet(5/13)
#siguccs18

16. • We want cope with technologies of Malicious
Botnets
– Developing The Beneficial Botnet using our
Beneficial Bots
• “Monitoring Servers With a Little From My Bots”
• “Capturing Malicious Bots using a Beneficial Bot”
– A Beneficial Botnet is a group of Beneficial Bots
• Agent Bots behind the NAT of a LAN
• Analyzing Bots which analyzes data which collected by
Agent Bots
– The Beneficial Botnet has ability to detect P2P
communication of malicious Bots, using
collaboration of Beneficial Bots.
2. Beneficial Botnet(6/13)
#siguccs18
Agent bot
NAT/Router

17. 2. Beneficial Botnet(7/13)
#siguccs18

18. 2. Beneficial Botnet(8/13)
2.1 A Bot of a Beneficial Botnet(1/2)
#siguccs18
It is a script interpreter
#siguccs18
Sensors, Actuators,
Traffic Controller

19. Ex. Of Other command
- set pageName <page-name>
- include <url>
An example of a wiki page
2. Beneficial Botnet(9/13)
2.1 A Bot of a Beneficial Botnet(2/2)

20. 2. Beneficial Botnet(10/13)
2.1 Agent Bot (1/3)
#siguccs18
Agent bot
NAT/Router
Sub-LAN

21. • Buffers
– Packet History
• Sub buffers for every (Source IP, Destination
IP)
• Packet Information + Date/Time, Sha1 hash of
the Packet Payload
– MAC-list …
• which hosts are connected to this sub-LAN
and its IP addresses in this LAN.
2. Beneficial Botnet(11/13)
2.1 Agent Bot (2/3)
#siguccs18

22. – Domain-list … DNS queries
• which host in this sub-LAN communicated with
which host outside of this LAN.
• Can be used to detect the usage of Domain
Generation Algorithm (DGA).
– Dhcp-list … DHCP server queries
• Can be used to
–detect the DHCP spoofing
–detect un-authorized DHCP server.
– Arp-list
• Can be used to
–detect the Arp spoofing.
#siguccs18
2. Beneficial Botnet(12/13)
2.1 Agent Bot (3/3)

23. • The analyzing bot gathers information of each
agent bot and analyzes them.
• The language processor of Beneficial Bot
– CSV parser
– Spread Sheet Manipulation/Spread sheet functions.
• Analyzing Bot,
– The language processor of Beneficial Bot +
– R language processor
2. Beneficial Botnet(13/13)
2.2 Analyzing Bot (1/1)
#siguccs18

24. 3. Experiment(1/18)
• Gameover
ZeuS
#siguccs18
We can download
the source code
However,
It is dangerous.
How shall we evaluate the beneficial botnet?

25. 3. Experiment(2/18)
• Pseudo
Gameover
ZeuS
• Does Not
Do Bad
Things
#siguccs18

26. #siguccs18
3. Experiment(3/18)

27. #siguccs18
3. Experiment(4/18)
3.1 Script and results of Agent Bots(1/5)

28. 3. Experiment(5/18)
3.1 Script and results of Agent Bots(2/5)
• Class
page
#siguccs18
UDP,
Not NTP,
Not DNS
Host-list
Domain-list

29. #siguccs18
3. Experiment(6/18)
3.1 Script and results of Agent Bots(3/5)

30. • Object page
#siguccs18
3. Experiment(7/18)
3.1 Script and results of Agent Bots(4/5)
Results

31. • A Part of the results
– cmd=get repeating, date="2018/04/14 17:03:19 +0900", no=3299,
if=1, smac="bc:5c:4c:5d:1c:cd", dmac="b8:27:eb:cb:d6:38",
prtcl=udp, sip="192.168.13.160", dip="192.168.2.100", sp=34724,
dp=33331,
sha1payload="9dac7a7beb944a7193847a3d0fbcc370d13a5838",
payloadLength=46, payload=broadcast id=3394824 ttl=3
cmd="message test".....
3. Experiment(8/18)
3.1 Script and results of Agent Bots(5/5)
#siguccs18

32. #siguccs18
3. Experiment(9/18)
3.2 Script and results of Analyzing Bots(1/10)

33. #siguccs18
3. Experiment(10/18)
3.2 Script and results of Analyzing Bots(2/10)
Find Out pairs of Packets
Satisfying
- different LAN
- same SHA1
- Near Time
Among
- All pair of Packets
(from Agent Bots)

34. 3. Experiment(11/18)
3.2 Script and results of Analyzing Bots(3/10)
Define Arrays,
Prepare URLs of Object Pages of Agent Bots
…

35. 3. Experiment(12/18)
3.2 Script and results of Analyzing Bots(4/10)
Choose Packet Info,
Read CSV into the Table,
Get Vectors of
date, sip, dip,
smac, dmac,
payload, sha1,
LAN-ID
For R processor
For each LAN,

36. 3. Experiment(13/18)
3.2 Script and results of Analyzing Bots(5/10)
Prepare the Data Frame
of the Packet Information
In this LAN
For R
and combine the Data Frame
Of All LAN

37. 3. Experiment(14/18)
3.2 Script and results of Analyzing Bots(6/10)
Find Out pairs of Packets
Satisfying
- different LAN
- same SHA1
- Near Time
Among
- All pair of Packets
(from Agent Bots)
Write the Results to the Wiki.
Results

38. • A part of the Object page of the Analyzing Bot
– Possible P2P communication Between LAN-1 and LAN-2
• lan1= 0 ,date= 2018/04/14 17:06:50 +0900 ,
smac= b8:27:eb:cb:d6:38 ,dmac= bc:5c:4c:5d:1c:cd ,
sip= 192.168.2.100 ,dip= 192.168.13.160 ,
lan2= 1 ,date= 2018/04/14 17:06:51 +0900 ,
smac= bc:5c:4c:5d:1a:c9 ,dmac= b8:27:eb:2f:33:cd ,
sip= 192.168.13.210 ,dip= 192.168.2.102 ,
sha1payload=
f14db4dae7a139cde5185267b8d353498850f22b ,
payload= broadcast id
3. Experiment(15/18)
3.2 Script and results of Analyzing Bots(7/10)

39. 3. Experiment(16/18)
3.2 Script and results of Analyzing Bots(8/10)
#siguccs18

40. • A part of the Object page of the Analyzing Bot
– Possible P2P communication Between LAN-2 and LAN-5
• lan1= 1 ,date= 2018/04/14 17:03:18 +0900 ,
smac= b8:27:eb:2f:33:cd ,dmac= bc:5c:4c:5d:1a:c9 ,
sip= 192.168.2.102 ,dip= 192.168.13.150 ,
lan2= 4 ,date= 2018/04/14 17:03:17 +0900 ,
smac= bc:5c:4c:5d:1a:bf ,dmac= b8:27:eb:3a:6b:fa ,
sip= 192.168.13.160 ,dip= 192.168.2.102 ,
sha1payload=
9dac7a7beb944a7193847a3d0fbcc370d13a5838 ,
payload= broadcast id
3. Experiment(17/18)
3.2 Script and results of Analyzing Bots(9/10)

41. 3. Experiment(18/18)
3.2 Script and results of Analyzing Bots(10/10)
#siguccs18

42. • A group of Agents of Distributed IDS.
• agents + transceivers + monitors
• An agent of the AAFID is similar to our agent bot
– both of them are controlled by commands and
collect traffic data.
• A monitor and a transceiver of the AAFID is similar
to our analyzing bot
– both of them are collecting data from agents,
transceivers, other monitors or agent bots, and
analyzing the data.
4. Related Work(1/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID)
#siguccs18
(Purdue University)

43. • An agent of the AAFID is installed in a client host
– while our agent bot is placed between LAN and
its router or NAT router.
• The manager of our beneficial botnet
– does not need to install our agent bot to each client
host.
4. Related Work(2/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID)
#siguccs18
(Purdue University)

44. • A monitor or a transceiver of the AAFID
– is not controlled by the script in a wiki page
– while our agent bots And the analyzing bot is
controlled by the script in a wiki page.
• Communication mechanism is not specified in
the AAFID architecture
– while our beneficial botnet uses wiki API.
#siguccs18
4. Related Work(3/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID)
(Purdue University)

45. • The action of an agent bot of our
beneficial bot
– can be seen as the man-in-the-middle
attack.
• Many communications in the sub-
LAN
– can be controlled by the agent bot.
• We have to be careful
– so that the agent bot does not to go
to the dark side.
4. Related Work(4/5)
4.2 Man in the Middle Attack
#siguccs18

46. • Consist of
– agent programs at the devices, such as
PCs(KASEYA) or wi-fi access points(UNIFAS),
– a web site to manage them,
– as in our beneficial botnet.
• Their devices
– can also communicate with the web site over a
NAT as in our agent bots.
• However, they
– use a specialized web server,
– whereas our beneficial botnet uses a web site
with common wiki software.
4. Related Work(5/5)
4.3 KASEYA and UNIFAS
#siguccs18

47. • Get Flow Information of Network,
Find out similar communication
between hosts, discriminate
communication which seems
between malicious bots.
• Similar to our beneficial botnet
– Finding out similar communication
between hosts.
• Different to our beneficial botnet
– It uses flow information of network.
4. Related Work(6/6)
BotMiner
#siguccs18

48. • Beneficial Botnet
– P2P communication by malware can be detected
– The use of DGA algorithm can be also detected.
– Ability to cope with new technology of new botnets by
rewriting the scripts.
– Currently, very slow.
• have to improve the speed for real use of our beneficial
botnet.
– We also have to improve the security of our beneficial
botnet.
5. Conclusion
#siguccs18
Agent bot
NAT/Router
Sub-LAN

49. Acknowledgements
• A part of this research was supported by JSPS KAKENHI
Grant Number JP16K00197.
• Pcap4J, community of R.
• Students who helped us to conduct the experiment in this
paper.
#siguccs18

50. • An Eye for an Eye
• A Tooth for a Tooth
• A Bot for a Bot
• A Botnet for a Botnet
#siguccs18
Vs.
Vs.
Vs.
Vs.

51. Beneficial Botnet
#siguccs18