Field
Embodiments of the present invention generally relate to the field of network security. More particularly, embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on characteristics of the traffic (e.g., the protocol used, the source or destination port and/or the source or destination address).
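As an added illustration of the kind of metadata-based classification described above (example code written for this page, not the patent's own method or any claimed embodiment), the following Python scores flow records on three characteristics, the protocol, the destination port and the destination address, against constructed indicator lists. The indicator values, the weights and the reporting threshold are assumptions chosen for the example; the addresses come from the RFC 5737 documentation ranges and the sample flows are constructed inline.

```python
"""Flag network flows by traffic characteristics (protocol, destination port,
destination address) against constructed indicator lists.

Illustrative only: the indicators, weights and threshold are assumptions made
for this example and are not taken from the patent."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed indicators (placeholder values, not real IoCs).
SUSPICIOUS_PROTOCOLS = {"irc": 2}                        # protocol -> weight
SUSPICIOUS_DST_PORTS = {6667: 1, 4444: 1}                # dst port -> weight
SUSPICIOUS_NETWORKS = [(ip_network("203.0.113.0/24"), 3)]  # (network, weight)
THRESHOLD = 3  # cumulative weight at which a flow is reported


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    proto: str  # application protocol as labelled by the sensor


def score_flow(flow: Flow):
    """Return (score, reasons) for one flow; a higher score is more suspicious.

    A destination-address match alone reaches the threshold, while protocol and
    port matches are weaker and only reach it in combination."""
    score, reasons = 0, []

    weight = SUSPICIOUS_PROTOCOLS.get(flow.proto.lower())
    if weight:
        score += weight
        reasons.append(f"protocol {flow.proto}")

    weight = SUSPICIOUS_DST_PORTS.get(flow.dport)
    if weight:
        score += weight
        reasons.append(f"destination port {flow.dport}")

    dst = ip_address(flow.dst)
    for network, weight in SUSPICIOUS_NETWORKS:
        if dst in network:
            score += weight
            reasons.append(f"destination {flow.dst} in {network}")

    return score, reasons


def flag_flows(flows, threshold=THRESHOLD):
    """Return [(flow, score, reasons)] for flows at or above the threshold."""
    flagged = []
    for flow in flows:
        score, reasons = score_flow(flow)
        if score >= threshold:
            flagged.append((flow, score, reasons))
    return flagged


# Constructed sample flows (hypothetical; internal hosts in 10.0.0.0/8).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 443, "tls"),    # address match only
    Flow("10.0.0.6", "198.51.100.9", 6667, "irc"),  # protocol + port
    Flow("10.0.0.7", "198.51.100.10", 443, "tls"),  # nothing suspicious
    Flow("10.0.0.8", "198.51.100.11", 4444, "tcp"), # port only, below threshold
]

if __name__ == "__main__":
    for flow, score, reasons in flag_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} score={score} "
              f"({'; '.join(reasons)})")
```

Because the classification looks only at flow metadata, it applies equally to the first flow's TLS session, whose payload a content-inspecting engine could not read; the trade-off is that the indicator lists must be kept current, and the weights decide how many weak signals it takes before a flow is reported.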
Description of the Related Art
Existing web-based applications/solutions allow users to visit a website using a variety of web browsers (e.g., Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari) that may be installed on a variety of devices (e.g., computers, laptops, mobile phones, tablets and PDAs) running different operating systems (e.g., Windows, Mac, Unix, Linux and Android). Moreover, each browser or operating system may exist in several different versions.
A Web robot (also referred to as an “Internet bot” or simply a “bot”) is a type of malware (malicious software) that allows an attacker to control an infected computer system. A botnet is a network of computing devices, typically made up of devices infected with malicious bots, that may stretch across the globe. Command-and-control servers (C&C or C2 servers), on the other hand, are servers used by the botnet originator (referred to as a “bot herder” or “bot master”) to maintain communications with the infected computing devices within a given network. The bot master typically administers and controls the infected computing devices remotely via the C2 server, which is used to send instructions to the zombie computing devices, typically via Hypertext Transfer Protocol (HTTP), instant messaging (IM) protocols, peer-to-peer (P2P) and/or social networks. Once a malicious bot has infected a computer, it may gather confidential information (e.g., login credentials, credit card information, and the like) and communicate that information back to a C2 server. Bots may also propagate themselves to other computer systems within a home or enterprise network, for example by exploiting vulnerabilities and weak passwords, and can perform other functions in response to commands received from the C2 server.
Advanced Persistent Threats (APTs) are network attacks in which an unauthorized person gains access to a network or computer system. APTs are often directed at targets such as businesses and politicians. APTs are generally slow, deliberate and secret in action or character, and hence require a prolonged duration of operation in order to be successful. Both botnets and APTs have now become significant threats to personal and corporate security. As such, accurate and efficient detection of botnets and APTs is of increasing importance.
There is an ever-growing volume of malware, making it challenging for Anti-Virus (AV) engines to detect it within a reasonable time. Malware at times exhibits benign behavior so as to evade sandbox detection. Therefore, even sophisticated Intrusion Prevention Systems (IPSs), which provide security at the network level, are not able to fully detect and/or block the encrypted traffic used by botnets and/or APTs.