6th European Conference - Academic Conferences
Evan Dembskey and Elmarie Biermann
Darknets are most useful as a global resource for sites and groups working against botnets on an Internet-wide basis (Schiller, Binkley & Harley 2007). A honeypot is a decoy system set up to attract attackers and study their methods and capabilities. A honeynet is usually defined as consisting of a number of honeypots in a network, offering the attacker real systems, applications, and services to work on, monitored transparently by a Layer 2 bridging device (honeywall). A static honeynet can quickly be spotted and blacklisted by attackers, but distributed honeynets attempt to address that issue and are likely to capture richer, more varied data (Schiller, Binkley & Harley 2007). In contrast to honeynets, darknets do not advertise themselves.
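The following is an added illustration, not code from the paper, of the darknet idea described above: because a darknet is routable address space that hosts nothing and advertises nothing, any packet arriving there is unsolicited, which makes it a cheap place to spot hosts that sweep address ranges. The /24 block and the flow records are constructed sample values.

```python
"""Added example (not from the paper): a minimal darknet monitor.

A darknet is a block of routable but unused address space that advertises
no services, so any packet that arrives there is unsolicited by definition
and usually comes from scanning or misconfigured hosts. The flow records
below are constructed sample data; the address blocks are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed: this block is routed to the sensor but hosts nothing (RFC 5737 space).
DARKNET = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 445),
    ("198.51.100.7", "203.0.113.11", 445),
    ("198.51.100.7", "203.0.113.12", 445),
    ("198.51.100.7", "203.0.113.13", 445),
    ("192.0.2.44", "203.0.113.200", 22),
    ("192.0.2.44", "203.0.113.201", 22),
    ("192.0.2.99", "203.0.113.5", 80),      # single touch, below threshold
    ("198.51.100.7", "203.0.113.10", 445),  # repeat of an already-seen target
    ("192.0.2.99", "198.51.100.1", 80),     # not in the darknet: ignored
]


def summarise_darknet_hits(flows, darknet=DARKNET):
    """Group flows that land inside the darknet by source address.

    Returns {source: {"targets": set(dest ips), "ports": set(ports)}}.
    """
    hits = defaultdict(lambda: {"targets": set(), "ports": set()})
    for src, dst, port in flows:
        if ipaddress.ip_address(dst) in darknet:
            hits[src]["targets"].add(dst)
            hits[src]["ports"].add(port)
    return dict(hits)


def suspected_scanners(flows, min_targets=3, darknet=DARKNET):
    """Sources that touched at least min_targets distinct dark addresses.

    Nothing legitimately lives in the darknet, so even a low threshold
    yields few false positives; raising it trades recall for precision.
    """
    hits = summarise_darknet_hits(flows, darknet)
    return sorted(src for src, info in hits.items()
                  if len(info["targets"]) >= min_targets)
```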
Botnets, the malware we are interested in, are difficult to combat for the following reasons (Bailey et al. 2009):

- All aspects of the botnet's life-cycle are evolving constantly.
- Each detection technique comes with its own set of tradeoffs with respect to false positives and false negatives.
- Different types of networks approach the botnet problem with differing goals, with different visibility into the botnet behaviours, and different sources of data with which to uncover those behaviours.

A successful solution for combating botnets will need to cope with each of these realities and their complex interactions with each other.
4. Software agents
A software agent is a program that autonomously acquires, manipulates, distributes and maintains information on behalf of some entity. We reject the trend of labelling software utilities such as aggregators and download managers as SA; we base our definition on the properties of the software. The literature defines a large number of agent properties. Not all properties are found in all agents, but in order to be termed an agent, software must satisfy some minimum set of these properties. Bigus and Bigus (Bigus, Bigus 2001) suggest that these are autonomy, intelligence and mobility. These properties are defined as follows:
- Autonomy - The autonomous agent exercises control over its own actions and has some degree of control over its internal state. It displays judgment when faced with a situation requiring a decision, and makes a decision without direct external intervention.
- Intelligence - This does not imply self-awareness, but the ability to behave rationally and pursue a goal in a logical and rational manner. Intelligence varies between simple coded logic and complex AI-based methods such as inferencing and learning.
- Mobility - Mobility is the degree to which agents move through the network. Some may be static while others may migrate as the need arises. The decision to move should be made by the agent (Murch, Johnson 1999), thus ensuring the agent has the property of autonomy.
From these properties we can judge that SA have potential applications in dealing with tasks that are ill-defined or less structured. It is also apparent that SA interact with their task environments locally; the implication of this is that the same agent can exhibit different behaviour in different environments (Liu 2001). Padgham and Winikoff (Padgham, Winikoff 2004) provide a list of reasons why agents are useful, including loose coupling, decentralisation, persistence, better functioning in open and complex systems, and reactiveness as well as proactiveness. The use of SA to combat botnets is not unprecedented. It had already been suggested that AF.MIL should be purposely made part of a botnet (Williams 2008). Some researchers see botnets as types of SA (Bigus, Bigus 2001). Other researchers (Stytz, Banks 2008) have begun to work on the problem of implementing such an approach.
5. Proposed system

Vulnerabilities are introduced into software deliberately or accidentally during development, or via software or configuration changes during operation. Botnets are not typically introduced during software development; they are introduced later, and usually unintentionally. Possible vectors of infection are viruses, worms and Trojans. These may be introduced via email, download, drive-by download, network worm or some external storage device. According to Cruz (2008), the majority of infections occur due to downloads (53%) and infection via other malware (43%). Email and removable drives account for 22% of infections. Instant Messaging, vulnerabilities, P2P, iFrame