Abstract: Botnet Analytics Appliance
From MilcordWiki
This Technical Report describes the research and development of a botnet detection and mitigation tool specifically designed to detect and analyze the class of botnets that employ fast-flux service network infrastructure. Fast-flux botnets use DNS record manipulation techniques to front a network of compromised machines (zombies) for illegal activities such as spam, phishing and malware delivery. Over the 24-month period of performance (Sept 2007 – 2009), fast-flux infrastructures have evolved from nascent to widespread use. As fast-flux botnets are an emerging phenomenon, the effort required early research in problem definition and scope, data collection, modeling, algorithm development, and specification of the system architecture. We then developed a series of prototypes, using rapid development and successive refinement methods, of a system that performs data collection, database management, detection and classification, scoring, and monitoring. We tested the prototypes for use in multiple application environments, including commercial cyber threat intelligence systems, government cyber threat intelligence systems, Internet Service Providers, and law enforcement. We developed Application Programming Interfaces (APIs) to enable the integration of our system with customer applications. The primary deliverable is an operational advanced prototype system that is being implemented in government and commercial cyber intelligence systems. The principal features of the developed system, known as Fast Flux Monitor (FFM), are a near real-time detection capability, supported by what we believe is the largest known database of entities (IP addresses, domain names, nameservers, hosts, and Internet Service Providers) involved in fast-flux botnets, and advanced intelligence analysis capabilities. The intelligence generated by our systems can be used in a range of tactical and strategic cyber defense applications.
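As an added illustration, and not code from the FFM system or the report, the following Python sketches the kind of detection signal a fast-flux classifier scores: it takes a sequence of DNS lookups for a domain and extracts the features that distinguish a fluxing A record set from a stable one (distinct addresses, network diversity approximated by /16 prefix, minimum TTL, and churn between consecutive lookups), then flags the domain when all of them cross illustrative thresholds. The domain names, addresses and thresholds are constructed and are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample: for each domain, a list of lookups taken at successive
# points in time, each as (ttl_seconds, A records returned). Not real data.
SNAPSHOTS = {
    "cdn.example-benign.test": [
        (3600, ["198.51.100.10", "198.51.100.11"]),
        (3600, ["198.51.100.10", "198.51.100.11"]),
        (3600, ["198.51.100.11", "198.51.100.10"]),
    ],
    "login.example-flux.test": [
        (180, ["203.0.113.7", "192.0.2.44", "198.18.5.9", "100.64.3.3", "203.0.113.99"]),
        (180, ["192.0.2.201", "198.18.77.1", "100.64.9.9", "203.0.113.5", "192.0.2.3"]),
        (180, ["198.18.200.4", "100.64.1.1", "203.0.113.250", "192.0.2.77", "198.18.42.42"]),
    ],
}

@dataclass(frozen=True)
class FluxFeatures:
    distinct_ips: int
    distinct_prefixes: int  # /16 prefixes, a crude stand-in for ASN diversity
    min_ttl: int
    churn: float            # share of addresses per lookup not seen in the previous one

def extract_features(snapshots):
    """Reduce a sequence of (ttl, [A records]) lookups to FluxFeatures."""
    seen, prefixes, prev, changed, total = set(), set(), set(), 0, 0
    min_ttl = min(ttl for ttl, _ in snapshots)
    for ttl, ips in snapshots:
        cur = set(ips)
        if prev:                       # compare against the preceding lookup
            changed += len(cur - prev)
            total += len(cur)
        prev = cur
        seen |= cur
        prefixes.update(".".join(ip.split(".")[:2]) for ip in cur)
    churn = changed / total if total else 0.0
    return FluxFeatures(len(seen), len(prefixes), min_ttl, churn)

def is_fast_flux(f, ip_min=8, prefix_min=3, ttl_max=300, churn_min=0.5):
    """Illustrative rule: flag only when every fast-flux indicator is present."""
    return (f.distinct_ips >= ip_min and f.distinct_prefixes >= prefix_min
            and f.min_ttl <= ttl_max and f.churn >= churn_min)

def classify(snapshots_by_domain):
    """Map each domain to True (fast-flux suspected) or False."""
    return {d: is_fast_flux(extract_features(s)) for d, s in snapshots_by_domain.items()}
```

A real deployment would replace the /16 proxy with ASN lookups and tune the thresholds against labelled data, since a large CDN can also return many addresses with short TTLs.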
