Collecting and Analyzing Bots in a Systematic Honeynet-based Testbed Environment

Networks of compromised machines called botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with new unknown bots. By slightly modifying the code of an existing bot, bot commanders can bypass most signature based mechanisms. We believe that by analyzing bot traffic for malicious patterns, it is possible to develop a taxonomy of bot characteristics and in turn use these characteristics to develop risks which will ultimately be used in the decision making process of allowing or blocking traffic. In this paper, we introduce our Honeynet-based Bot Analysis Architecture which is the first step towards our Risk-Aware Network-centric Malware Detection and Prevention Framework. We discuss our current architecture and how it could be realized towards identifying unknown bots and other malware. In addition, we discuss our results and lessons learned from this work. Index Terms – Network Security, Botnet Analysis, Honeynet