A Scalable Architecture for Persistent Botnet Tracking

The botnet phenomenon has recently garnered attention throughout both academia and industry. Unfortunately, botnets are still a mystery. In fact, today, very little is known about even the most basic botnet properties, such as size, growth, or demographics. The primary reason for this lack of knowledge is the fact that the existing approaches for measuring such properties are simply inadequate; honeypots [30], even those with advanced virtualization [40], cannot scale to the task of botnet tracking, while silent drones do not offer the dynamism necessary to persistently track botnets. Furthermore, both of these techniques provide only one, internal, view of the botnet. As we will demonstrate, this single view will often fail to provide relevant information on botnet size or diversity. Indeed, the fog has yet to clear. In order to gain a firm understanding of botnet dynamics, we have developed a lightweight infrastructure that overcomes many of the problems of prior approaches. Our infrastructure follows the entire life cycle of the botnet, beginning with the capture of botnet executables from various Internet vantage points. We apply novel techniques to automatically learn the network properties (or so-called “dialects”) of the bot binary, and we subsequently transfer this information to a specialized robot. Similar, in spirit, to the aforementioned drone, our scalable robot joins live botnets and offers an insider’s view of the malicious network. However, the similarities end here. Unlike a drone, the robot offers real-time responsiveness previously available only with high-interaction honeypots, thus avoiding botmaster scrutiny by intelligently acknowledging botmasters’ commands. Moreover, unlike lightweight tracking systems of the past, our approach allows for long term tracking of the migratory botnet – a salient variety of botnet which, at present, remains conspicuously under-documented.