
ADVANCED HYBRID BOTNET IMPLEMENTATION FOR SECURED DATA COMMUNICATION IN P2P ARCHITECTURE USING ENCRYPTION PROCESS

Project Guide
M.SILAMBARASAN

Project Members
ANUP UPADHYAY(50608104010) AMIT OHDAR(50608104005)

Abstract
Botnets have recently been identified as one of the most important threats to the security of the Internet. Traditionally, botnets organize themselves in a hierarchical manner with a central command and control location. This location can be statically defined in the bot, or it can be dynamically defined based on a directory server. Presently, the centralized characteristic of botnets is useful to security professionals because it offers a central point of failure for the botnet. In the near future, we believe attackers will move to more resilient architectures. In particular, one class of botnet structure that has entered the initial stages of development is the peer-to-peer based architecture. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to shut down, monitor, and hijack. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. In the end, we suggest and analyze several possible defenses against this advanced botnet.

1. Introduction
One of the most significant threats to the Internet today is the threat of botnets, which are networks of compromised machines under the control of an attacker. It is difficult to measure the extent of damage caused on the Internet by botnets, but it is widely accepted that the damage done is significant. Further, the potential for orders of magnitude more damage exists in the future. In the last several years, Internet malware attacks have evolved into better-organized and more profit-centered endeavors. E-mail spam, extortion through denial-of-service attacks and click fraud represent a few examples of this emerging trend. Botnets are a root cause of these problems. A botnet consists of a network of compromised computers (bots) connected to the Internet that is controlled by a remote attacker (botmaster). Since a botmaster could scatter attack tasks over hundreds or even tens of thousands of computers distributed across the Internet, the enormous cumulative bandwidth and large number of attack sources make botnet-based attacks extremely dangerous and hard to defend against. Compared to other Internet malware, the unique feature of a botnet lies in its control communication network. Most botnets that have appeared until now have had a common centralized architecture: bots in the botnet connect directly to some special hosts (called command-and-control servers, or C&C servers). These C&C servers receive commands from their botmaster and forward them to the other bots in the network. From now on, we will call a botnet with such a control communication architecture a C&C botnet. (In the architecture figure, arrows represent the directions of network connections.) As botnet-based attacks become popular and dangerous, security researchers have studied how to detect, monitor, and defend against them. Most of the current research has focused on the C&C botnets that have appeared in the past, especially Internet Relay Chat (IRC)-based botnets.
It is necessary to conduct such research in order to deal with the threat we are facing today. However, it is equally important to conduct research on advanced botnet designs that could be developed by attackers in the near future. Otherwise, we will remain susceptible to the next generation of Internet malware attacks. From a botmaster's perspective, the C&C servers are the fundamental weak points in current botnet architectures. First, a botmaster will lose control of her botnet once the limited number of C&C servers is shut down by defenders. Second, defenders could easily obtain the identities (e.g., IP addresses) of all C&C servers based on their service traffic to a large number of bots, or simply from one single captured bot (which contains the list of C&C servers). Third, an entire botnet may be exposed once a C&C server in the botnet is hijacked or captured by defenders. As network security practitioners put more resources and effort into defending against botnet attacks, hackers will develop and deploy the next generation of botnets with a different control architecture.

Existing System
In the botnets seen over the last several years there is no security for data transmission between bots. Nor does simply migrating an available P2P protocol produce a sound botnet: the P2P designs used by several past botnets are immature and have many weaknesses. Major disadvantages of the existing system:
i. The underlying WASTE P2P protocol is not scalable across a large network.
ii. The existing Slapper worm fails to implement encryption and command authentication, so it can easily be hijacked by others.
iii. Hackers can easily attack the sensor node.
iv. Less security overall.

Proposed System

Bots in a P2P botnet are classified into two groups. The first group contains bots that have static, non-private IP addresses and are accessible from the global Internet; bots in this group are called servent bots since they behave as both clients and servers. The second group of bots is called client bots since they will not accept incoming connections (for example, because they sit behind a firewall or NAT, or have dynamically assigned IP addresses). Considering the problems encountered by C&C botnets and previous P2P botnets, the design of an advanced botnet, from our understanding, should have the following features.

Features of the proposed system:
i. The botnet requires no bootstrap procedure.
ii. The botnet communicates via the peer list contained in each bot. However, unlike Slapper, each bot has a fixed and limited-size peer list and does not reveal its peer list to other bots. In this way, when a bot is captured by defenders, only the limited number of bots in its peer list is exposed.
iii. A botmaster can easily monitor the entire botnet by issuing a report command. This command instructs all (or a subset of) bots to report to a compromised machine (called a sensor host) that is controlled by the botmaster. The IP address of the sensor host, which is specified in the report command, changes every time a report command is issued, to prevent defenders from capturing or blocking the sensor host beforehand.
iv. After collecting information about the botnet through the report command, the botmaster, if she thinks it necessary, can issue an update command that makes all bots contact a sensor host to update their peer lists. This effectively updates the botnet topology so that it has balanced and robust connectivity, and/or reconnects a broken botnet.
v. Only bots with static global IP addresses that are accessible from the Internet are candidates for peer lists. This ensures that the peer list in each bot has a long lifetime.
vi. Each servent bot listens on a self-determined service port for incoming connections from other bots and uses a self-generated symmetric encryption key for incoming traffic.
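The following simulation is an added example, not code from the report or from the botnet design it describes. It models the peer-list, report and update mechanisms just listed so that the exposure and recovery claims can be checked on a toy botnet. Every name in it (Bot, build_botnet, report, update_peer_lists, and the sensor address 198.51.100.7 from the documentation range) is the example's own assumption; peer lists are filled round-robin for reproducibility, whereas a real botnet fills them during propagation.

```python
# Added example (not from the report): a toy simulation of the hybrid P2P
# botnet topology described above, used to check its exposure and recovery
# claims. All names are this example's own assumptions.
from collections import deque


class Bot:
    def __init__(self, bot_id, servent):
        self.id = bot_id
        self.servent = servent   # True: static global IP, accepts connections
        self.peers = set()       # fixed-size peer list; only servent IDs allowed
        self.alive = True


def build_botnet(n_servent, n_client, list_size):
    """Create servent bots s0.. and client bots c0.., each with at most
    `list_size` servents in its peer list. Lists are filled round-robin so
    runs are reproducible; a real botnet fills them during propagation."""
    servents = [f"s{i}" for i in range(n_servent)]
    bots = {s: Bot(s, True) for s in servents}
    bots.update({f"c{i}": Bot(f"c{i}", False) for i in range(n_client)})
    for k, bot in enumerate(bots.values()):
        bot.peers = {servents[(k + d) % n_servent] for d in range(1, list_size + 1)}
        bot.peers.discard(bot.id)       # a bot never lists itself
    return bots


def exposed_by_capture(bots, bot_id):
    """A captured bot leaks exactly its own peer list and nothing more."""
    return set(bots[bot_id].peers)


def shut_down(bots, bot_ids):
    """Defenders take the given bots offline; stale entries stay in peer lists."""
    for bot_id in bot_ids:
        bots[bot_id].alive = False


def reachable_from(bots, start):
    """Bots a command injected at live servent `start` can reach: servents
    push to / pull from the live servents in their lists, and a client picks
    the command up from any live servent it knows."""
    live_servents = {b.id for b in bots.values() if b.servent and b.alive}
    if start not in live_servents:
        return set()
    adj = {s: set() for s in live_servents}
    for s in live_servents:
        for p in bots[s].peers & live_servents:
            adj[s].add(p)
            adj[p].add(s)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    for b in bots.values():
        if b.alive and not b.servent and b.peers & seen:
            seen.add(b.id)
    return seen


def report(bots, sensor):
    """Report command: every live bot sends its ID, role and peer list to the
    sensor host named in the command (a different host each time)."""
    return {"sensor": sensor,
            "bots": {b.id: {"servent": b.servent, "peers": sorted(b.peers)}
                     for b in bots.values() if b.alive}}


def update_peer_lists(bots, rep, list_size):
    """Update command: rebuild every live bot's list from the report using
    live servents only, spread round-robin so in-degree stays balanced."""
    live = sorted(i for i, info in rep["bots"].items() if info["servent"])
    for k, bot_id in enumerate(rep["bots"]):
        candidates = [s for s in live if s != bot_id]
        bots[bot_id].peers = {candidates[(k + d) % len(candidates)]
                              for d in range(min(list_size, len(candidates)))}


def scenario():
    """Defenders shut down 19 of 20 servents; one report/update cycle
    reconnects the botnet. Returns (exposed, reach_before, reach_after, alive)."""
    bots = build_botnet(20, 40, 5)
    exposed = exposed_by_capture(bots, "c3")
    shut_down(bots, [f"s{i}" for i in range(1, 20)])
    before = reachable_from(bots, "s0")
    rep = report(bots, sensor="198.51.100.7")     # fresh sensor address per report
    update_peer_lists(bots, rep, 5)
    after = reachable_from(bots, "s0")
    alive = {b.id for b in bots.values() if b.alive}
    return len(exposed), len(before), len(after), len(alive)


if __name__ == "__main__":
    print(scenario())   # (5, 11, 41, 41)
```

In the scenario, defenders take down 19 of 20 servent bots; a command injected at the surviving servent then reaches only the 10 clients that still list it, but after a single report/update cycle it reaches all 41 live bots. The same run shows that capturing a client exposes exactly its list_size servents and nothing else, which is the property a defender has to plan around: each captured bot yields at most list_size new leads, and the sensor host those leads report to has already moved by the time the capture is analysed.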

System Architecture
System design: architecture diagram (figure)

6. Modules
i. Network Construction
ii. Sensor Node Construction
iii. Dynamic Data Transfer
iv. Peer ID Encryption
v. Registration Verification

Network Construction
A network is a collection of computers. In this project the network is built from two kinds of nodes: i. peers and ii. sensor nodes. We create a group of sensor nodes and a group of peers. The peers act as clients and the sensor nodes act as servers. The server role changes dynamically, to protect the server from being attacked.

Sensor Node construction


This is the main part of the botnet project. The sensor nodes act as servers, and many sensor nodes are created in the network. Each sensor node acts as the server only for some time: after a certain period it hands all of its data over to another sensor node and then deletes the data from its own memory.

Dynamic Data Transfer


In this project the server is protected by changing both the server and its data dynamically. To achieve this we use the sensor-node network described above. The main idea is to change the server dynamically so that an attacker cannot tell which node is the current server. While changing the server, the data is transferred from the old sensor node to the current sensor node; once all the data has been transferred, the old sensor node immediately deletes all of its data.

Peer ID Encryption
The sensor node holds the peer IDs of all peers in its network. To detect a system that is not part of the network accessing the sensor node, the sensor node checks the peer ID and, if it belongs to an intruder, immediately drops the connection. The sensor node stores the peer IDs in encrypted form, so that an attacker who obtains the stored IDs cannot read them.

Registration Verification
Whenever a sensor node receives a request from a peer, it immediately checks whether the peer is already registered in the network: if the peer is registered, its ID is present on the server; if the ID is not on the server, the request is refused. Because the IDs are stored encrypted, no one can recover the peer IDs from the network.
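As an added example that is not part of the report, the following code sketches the three sensor-side modules together: a registry that stores keyed hashes (HMAC-SHA-256) of peer IDs instead of the IDs themselves (standing in for the "Peer ID Encryption" the report leaves unspecified), registration verification against that registry, and the hand-over-then-wipe step of dynamic data transfer. The class and method names and the 192.0.2.x documentation-range addresses are this example's own assumptions.

```python
# Added example (not from the report): sensor-node registry with keyed-hash
# peer IDs, registration verification, and hand-over-then-wipe rotation.
# Class, method and address values are this example's own assumptions.
import hashlib
import hmac
import secrets


class SensorNode:
    def __init__(self, address):
        self.address = address
        self._key = secrets.token_bytes(32)   # registry key; tags are useless without it
        self._registered = set()              # HMAC tags of peer IDs, never the IDs
        self.active = True

    def _tag(self, peer_id):
        """Keyed hash of the peer ID (stands in for the report's ID encryption)."""
        return hmac.new(self._key, peer_id.encode("utf-8"), hashlib.sha256).digest()

    def register(self, peer_id):
        """Registering module: remember this peer, but only as a tag."""
        self._registered.add(self._tag(peer_id))

    def accept(self, peer_id):
        """Registration verification: serve registered peers, refuse the rest.
        A node that has handed over its role refuses everything."""
        if not self.active:
            raise RuntimeError(f"{self.address} is no longer the active sensor")
        return self._tag(peer_id) in self._registered

    def hand_over(self, successor):
        """Dynamic data transfer: move the registry and its key to the next
        sensor node, then erase both here so a later capture of this host
        yields nothing. Returns the successor."""
        successor._key = self._key
        successor._registered = set(self._registered)
        successor.active = True
        self._registered.clear()
        self._key = b""
        self.active = False
        return successor


def demo():
    """One rotation of the sensor role over a two-peer registry."""
    first = SensorNode("192.0.2.10")        # documentation-range addresses
    for peer_id in ("peer-0001", "peer-0002"):
        first.register(peer_id)
    results = [first.accept("peer-0001"),   # registered -> served
               first.accept("peer-9999")]   # unknown -> refused
    second = first.hand_over(SensorNode("192.0.2.11"))
    results += [second.accept("peer-0002"), first.active, len(first._registered)]
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False, 0]
```

Two caveats a practitioner would add. A peer ID on its own is not an authenticator: anyone who observes one on the wire can replay it, so the per-bot symmetric key listed under the proposed system's features is what actually binds a request to a registered bot, and the registry check should be treated only as a first filter. And because hand_over moves the registry key together with the tags, a sensor captured while it still holds the role exposes the whole registry; the immediate wipe on the old node limits that exposure to the current holder only.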

DFD for the relationship between the bots, a controller, the master and the potential target (diagram)

Dataflow diagram for the botnet analysis system (diagram)

Use Case Diagram
Actors: Client, Client2, Master Sensor Server, Server1, Server2, Server3.
Use cases: Login; Request dynamically changed to any one server; Request to server; Data transfer to any one server (the other servers are down); Response to client; Response change from any one server.

Sequence Diagram
Participants: Client1, Client2, Master Sensor Server, Server1, Server2, Server3. Messages, in order:
1: Login request and response; dynamically change to any one server
2-5: Request to server (only one server is in working state; the other servers are down)
6: Response from server
7: Response to client
8-9: Response from server
10: Login (Client2)
11: (unlabelled)
12-14: Request to server
15-18: Response to client

Collaboration Diagram
Same participants and numbered messages (1-18) as the sequence diagram, drawn as a collaboration between Client1, Client2, the Master Sensor Server and Server1, Server2, Server3.

Interaction steps shown in the diagrams:
i. Login
ii. Request to Master server
iii. Request to dynamically change to any one server
iv. Response to dynamically change from any one server
v. Response to Master Server
vi. Response to client
vii. Logout

Screenshots: Network construction (IP address; peer generated with ID); Registering module; Dynamic server change.

System Specification:

Software specifications:
Platform   : Windows XP
Front End  : Java JDK 1.3, Java Swing
Back End   : MS SQL Server

Hardware specifications:
Processor  : Pentium II 266 MHz
RAM        : 64 MB
HDD        : 2.1 GB

CONCLUSION
Compared with current botnets, the proposed one is harder to monitor and much harder to shut down. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each captured bot, and easy monitoring and recovery by its botmaster. To be well prepared for future botnet attacks, we should study advanced botnet attack techniques that could be developed by attackers in the near future.

