Regardless of how malware enters your network (through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network), once a machine within your perimeter is compromised your whole network is under threat. BotHunter helps you quickly identify and isolate these infected machines, and helps you figure out who really owns your computers.
What is BotHunter
BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. Rather, BotHunter takes a different approach. It is an entirely new network defense algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called
network dialog correlation, developed under the Cyber-TA research program (
http://www.cyber-ta.org), by the Computer Science Laboratory at SRI International.
BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generation engine, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection lifecycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection. In short, BotHunter helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.
Dialog correlation is an algorithm that classifies each network traffic exchange that occurs across your network boundary as potential infection sequence steps that occur when a host is infected with malware. Not all network traffic events generate a dialog event. Dialog events are fed directly into a separate dialog correlation engine, where each host's individual dialog production pattern are mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm determines that a host's dialog production patterns maps sufficiently close to the life cycle mode, the host is declared infected, and an infection profile is generated to summarize all evidence regarding the infection.
BotHunter is funded through the Cyber-Threat Analytics research grant from the U.S. Army Research Office, and is free to all end users to help you combat malware infections. In addition, BotHunter includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware-related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.
Conceptual Overview
Distinguishing a successful malware infection from the vantage point of the network egress position requires a command of the two-way dialog flow that occurs between a network's internal hosts and the Internet. While many malware infections start with an initial external-to-internal infection, malware may use a wide range of options to infect a host, including indirect host infections through email, direct exploit-based infection, or drive-by infections that are launched from malicious network servers. Furthermore, with the growth in popularity and capability of mobile laptops, direct infection of an internal asset need not necessarily take place behind a well-administered network. Malware may inject itself into a host opportunistically from any Internet access point the hosts happens to associate, or may be executed voluntarily by a victim who inadvertently accesses a Trojan binary, multimedia file, or other infected transmission source. Regardless of how malware enters a host, once established inside the network perimeter the challenge remains to identify the infected machine and remove it from service as quickly as possible.
Capturing the full scope of a malware infection requires an ability to follow a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim. Traditional network intrusion detection systems (IDSs) typically focus on inward packet flows for signs of malicious point-to-point intrusion attempts. IDSs have the capacity to detect initial incoming intrusion attempts, and the prolific frequency with which they produce such alarms in operational networks is well documented. However, being able to distinguish a successful local host infection from the daily myriad of scans and intrusion attempts is as critical a task as any facet of network defense.
How BotHunter Analyzes Network Flows
BotHunter models an infection sequence as a composition of participants and a loosely ordered sequence of network dialog exchanges:
Infection I = <A, V, E, C, P, V', {D}>
where A = attacker, V = victim, E = egg download location, C = C&C server, P = peer-to-peer coordination points, and V' = the victim's next propagation targets. {D} represents a set of dialog sequences composed of bidirectional flows that cross the egress boundary.
BotHunter's current infection dialog set {D} provides the following detection coverage for your network: