Despite existing security efforts, computer networks are susceptible to attack and compromise. One type of network attack, referred to as a “botnet” attack, is an example of a highly distributed, stealth cyber-attack. A botnet is a large collection of computers on the Internet, usually infected with a particular piece of malware, that are used to perform large-scale, coordinated cyber attacks. Each member of the botnet (a malware infected node) receives and acts on instructions from a command-and-control system. These instructions may be to further propagate the botnet's malware, to scan websites for particular vulnerabilities, to perform denial of service attacks, or any other nefarious action on the Internet that is more effective when it is performed by hundreds or thousands of otherwise-innocent computers.
Botnets and other large-scale malicious behaviors present a pervasive and evolving threat to cyber security. Stealth botnets and distributed, stealthy cyber attacks present a particular challenge to cyber defense because their malicious behavior is difficult to detect. Botnets and botnet attacks are responsible for substantial economic damage and present a serious risk to critical Internet-connected systems. Distributed denial-of-service attacks can cause Internet services or Internet-connected networks to become unavailable. Many botnets are used to scan for security vulnerabilities in Internet services, such as websites, and Internet-connected computers.
Detecting and neutralizing botnets is an active area of security research. Many techniques to detect botnets and individual nodes participating in a botnet already exist. Some techniques for detecting botnets or a node's participation in an individual botnet are specific to a particular botnet; the techniques look for a particular piece of malware on the node, look for certain types of network traffic, or subvert the botnet's command and control system. More robust techniques apply pattern analysis to network traffic. These techniques analyze the pattern of network connections from one or many potential botnet nodes to differentiate “botnet-like” behavior from normal user behavior.
Stealth botnets present a particular challenge to cyber defense because their malicious behavior is distributed in time and space. A stealth botnet consists of many nodes, each of which acts infrequently. For example, perhaps the purpose of a botnet is to perform a denial-of-service attack on a website by flooding the website's server with connections. A conventional botnet would have each node make many connections to that server in quick succession. A stealth botnet would have each node connect to the server only infrequently, increasing the number of botnet nodes necessary to launch an attack but decreasing the likelihood that the botnet nodes will be detected. Detecting the actions of stealth botnets requires advanced algorithms and large volumes of data.
State-of-the-art and next-generation cyber security algorithms are being developed for detecting and preventing stealthy and distributed cyber attacks. Effectively using these algorithms, however, raises significant burdens and challenges on existing network infrastructure.