In recent years, the reliance on the Internet has introduced numerous challenges to the protection of the privacy, integrity and security of user data. Services, such as banking, commerce, government, education, and more are accessible through the Internet. Thus, such services are vulnerable to malicious activities. One of the most common security threats carrying out malicious activities on the Internet is malicious software, or malware. Malware can range from viruses to Trojans.
The propagation and control over malware can be achieved by means of a malware bot (also known as a bot). A bot is a computer infected with malware having the ability to communicate with an attacker through a Command and Control (CnC) server. A botnet is usually a large collection of computers that are infected with a specific malware and can communicate with the same CnC server or servers. An owner of a computer is usually not aware that the computer is a bot or part of a botnet.
Recent security reports acknowledge that botnets pose one of the main threats to the Internet, including its infrastructure and websites. Obviously, online services accessible through the Internet are also affected by malicious activities executed by botnets.
As attacks executed by botnets have become complex, existing security solutions are ineffective at detecting botnets. Specifically, most security solutions attempt to scan computers for the existence of malware or to detect communications between a botnet and a CnC server. The malware scan is limited to analyzing binary executable files to determine whether a malware signature is contained therein. Such a scan is limited to known malware signatures. Furthermore, because there is a virtually infinite number of ways in which a binary botnet file can be implemented, such a scan is very limited in what it can detect.
Any attempt to detect messages directed to CnC servers is also error-prone, as such messages are usually encoded. In addition, the location (e.g., an IP address or a domain name) of a CnC server is usually hidden or unknown. Attackers typically hide CnC servers using techniques such as fast-flux, double fast-flux, and a domain generation algorithm (DGA). For example, a fast-flux technique associates many IP addresses with a single fully qualified domain name and swaps the IP addresses at a high frequency. Therefore, the IP address (location) of a CnC server cannot be traced. Similarly, a DGA periodically generates many domain names that can be used to access CnC servers.
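The fast-flux behaviour described above (one fully qualified domain name resolving to many addresses that are swapped at high frequency) can be surfaced from a resolver's own logs. The following is an added illustration, not code from the patent: it profiles each domain by distinct-IP count and by how often the answer changes, over a constructed sample log in which `flux.example.net` is a hypothetical fast-flux host and `cdn.example.com` a hypothetical round-robin host.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log, one "timestamp fqdn ip" record per line.
# The round-robin host alternates between two addresses; the hypothetical
# fast-flux host answers with a fresh address every minute.
SAMPLE_LOG = "\n".join(
    ["2024-01-01T00:00:00 cdn.example.com 198.51.100.10",
     "2024-01-01T00:05:00 cdn.example.com 198.51.100.11",
     "2024-01-01T00:10:00 cdn.example.com 198.51.100.10"]
    + [f"2024-01-01T00:{m:02d}:00 flux.example.net 203.0.113.{m + 1}" for m in range(12)]
)

def parse_log(text):
    """Parse records into (timestamp, fqdn, ip) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fqdn, ip = line.split()
        records.append((datetime.fromisoformat(ts), fqdn, ip))
    return records

def profile_domains(records):
    """Per FQDN: how many distinct IPs were seen and how often the answer changed."""
    by_domain = defaultdict(list)
    for ts, fqdn, ip in sorted(records):
        by_domain[fqdn].append((ts, ip))
    profiles = {}
    for fqdn, seq in by_domain.items():
        distinct = len({ip for _, ip in seq})
        swaps = sum(1 for prev, cur in zip(seq, seq[1:]) if prev[1] != cur[1])
        hours = (seq[-1][0] - seq[0][0]).total_seconds() / 3600
        rate = swaps / hours if hours > 0 else float(swaps)  # single-sample domains
        profiles[fqdn] = {"distinct_ips": distinct, "swaps_per_hour": rate}
    return profiles

def flag_fast_flux(profiles, min_ips=5, min_swaps_per_hour=10.0):
    """Flag domains that both spread over many IPs and rotate them quickly.
    Requiring both conditions keeps ordinary round-robin/CDN hosts out."""
    return sorted(fqdn for fqdn, p in profiles.items()
                  if p["distinct_ips"] >= min_ips and p["swaps_per_hour"] >= min_swaps_per_hour)

if __name__ == "__main__":
    prof = profile_domains(parse_log(SAMPLE_LOG))
    for fqdn, p in sorted(prof.items()):
        print(f"{fqdn}: {p['distinct_ips']} IPs, {p['swaps_per_hour']:.1f} swaps/h")
    print("suspected fast-flux:", flag_fast_flux(prof))
```

The thresholds are assumptions to be tuned per environment; the round-robin host changes its answer just as often as a small flux network would, and only the distinct-IP criterion separates the two.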
More complex techniques rely on indirect communication between a botnet and CnC servers. Such techniques use user-generated content (UGC) websites to relay messages between CnC servers and botnets. The indirect communication techniques are difficult to detect because, when used, there is no visible IP address or domain name that is accessed, and there is no direct link that can be tracked.
Other security solutions for detection of botnets are anomaly-based. Such solutions typically implement unsupervised machine learning methods designed to detect traffic anomalies that can indicate the existence of malicious activity within the network. However, such solutions suffer from a high false-positive rate, because each detected anomaly (i.e., each deviation from a classified traffic pattern) triggers an alert. As a result, even legitimate alerts are often ignored.
The complexity of botnet detection is magnified when trying to identify botnets residing in a cloud-computing infrastructure. On such infrastructures, virtual machines (VMs) can be compromised to execute malware bots, thereby forming a botnet. In addition to the challenges noted above, the complexity of detecting "cloud-based botnets" results from the fact that VMs can be executed or halted at any time. Thus, their operation cannot be accurately profiled to identify anomalies. In addition, the solutions discussed above are not scalable and, thus, cannot be effectively implemented in a cloud-computing infrastructure.
It would therefore be advantageous to provide a solution that would overcome the deficiencies noted above by detecting bots and botnets operable in cloud-computing infrastructures.