Edinburgh Napier University

  Botnets are networks of malware-infected machines that are controlled by an adversary are the cause of a large number of problems on the internet [1]. They are increasing faster than any other type of malware and have created a huge army of hosts over the internet. By coordinating themselves, they are able to initiate attacks of unprecedented scales [2]. An example of such a Botnet can be made in Python code. This Botnet will be able to generate a simple attack which will steal screenshots taken while the user is entering his confidential information on a bank website. The aim of this project is firstly to detect and analyse this Botnet operation and secondly to make statistics of the Intrusion Detection System detection rate.
Detecting malicious software in the system is generally made by an antivirus which analyses a files signature and compares it to their own database in order to know if a file is infected or not. Other kinds of detection tools such as Host-based IDS (Intrusion Detection System) can be used: they trigger abnormal activity but in reality, they generate many false positive results. The tool "Process monitor" is able to detect every process used by the system in real time, and another tool "Filewatcher", is able to detect any modification of files on the hard drive. These tools aim to recognize whether a program is acting suspiciously within the computer and this activity should be logged by one of these security tools. However, results from the first experiment revealed that the host-based detection remained unfeasible using these tools because of the multiples of processes which are continuously running inside the system causing many false positive errors.
On another hand, the network activity has been monitored in order to detect, using an Intrusion Detection System, the next intrusion or activity of this Botnet on the network. The experiment is going to test the IDS by increasing network activity, and will include attacks to some background traffic generated at different speeds. The aim is to see how the IDS will react to this increasing type of traffic. Results show that the CPU utilisation of the IDS is increasing in function of the network speed. But even if all the attacks have been successfully detected under 80Mb/s, 5% of the packets have been dropped by the IDS and could have contained some malicious activity. This paper concludes that for this experimental setup which uses a 2.0 GHz CPU, to have a secure network with 0% of packet drop by the IDS, the maximum network activity should be of 30Mb/s. Further development in this project could be to experiment with different CPU performances assessing how the IDS will react to an increasing network activity and when it will start dropping packets. It would allow companies to gauge which configuration is needed for their IDS to be totally reliable with 0% dropped packets or semi-reliable with less than 2% dropped packets.