This project aims to create a systematic framework with novel approaches and techniques to defend against current and next-generation botnets. A botnet is a network of compromised computers (bots) under the control of an attacker (the botmaster) through some command and control (C&C) channel. In recent years, botnets have distinguished themselves from previous-generation malware as the primary platform and root cause of most Internet attacks and illegal activities. Given the magnitude and potency of attacks afforded by their combined bandwidth and processing power, botnets are now considered the greatest single threat to Internet security. Because botnets involve both host-level and network-level activities, a systematic defensive framework should consider both host- and network-level information. Better defense can be achieved by utilizing host-network coordination, community-based intelligence, and a cross-layer view, rather than relying on a single host- or network-level information source, or on a set of separate ones.
This project establishes a framework based on host-network coordination and correlation for systematic botnet defense in depth. It addresses three major questions covering detection, prevention, and attribution of botnets: How can the existence of botnets be detected in an efficient, accurate, robust, fast, and automatic way? How can botnets be prevented from penetrating a protected network? Where does the command and control (C&C) actually originate? The methodology and techniques proposed in the project can have a profound impact on future malware defense in terms of improving its effectiveness, efficiency, and robustness.
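As an added illustration of the host-network correlation idea described above (example code written for this page, not the project's own), the following Python joins a constructed host-sensor log with the matching constructed network flow records and raises an alert only where a regular network beacon is corroborated by suspicious host context. The sensor record formats, process names, destination addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the project). The host sensor reports which
# process opened each outbound connection and who spawned it; the network sensor
# only sees (timestamp, source IP, destination) for the same flows.
HOST_EVENTS = [  # (timestamp_s, src_ip, process, parent_process, destination)
    (0,   "10.0.0.5", "updater.exe", "services.exe", "198.51.100.9:443"),
    (60,  "10.0.0.5", "updater.exe", "services.exe", "198.51.100.9:443"),
    (120, "10.0.0.5", "updater.exe", "services.exe", "198.51.100.9:443"),
    (180, "10.0.0.5", "updater.exe", "services.exe", "198.51.100.9:443"),
    (5,   "10.0.0.5", "svchost.exe", "winword.exe", "203.0.113.7:8080"),
    (65,  "10.0.0.5", "svchost.exe", "winword.exe", "203.0.113.7:8080"),
    (125, "10.0.0.5", "svchost.exe", "winword.exe", "203.0.113.7:8080"),
    (185, "10.0.0.5", "svchost.exe", "winword.exe", "203.0.113.7:8080"),
]
NET_FLOWS = [(ts, src, dst) for ts, src, _, _, dst in HOST_EVENTS]

# Assumed host-side heuristic: a system binary spawned by a document handler is
# suspicious; a legitimate updater spawned by the service manager is not.
DOC_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}

def beaconing_pairs(flows, min_conns=4, max_cv=0.2):
    """Network view: (src, dst) pairs whose inter-arrival times are highly regular.
    Returns {pair: mean period in seconds}. Regular timing alone is not
    conclusive: the benign updater below beacons just as regularly."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    result = {}
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_conns and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            result[pair] = mean(gaps)
    return result

def suspicious_host_processes(events):
    """Host view: (src, dst) pairs opened by a process with a suspicious parent."""
    return {(src, dst): proc for _, src, proc, parent, dst in events if parent in DOC_HANDLERS}

def correlate(events, flows):
    """Cross-layer view: alert only where a network beacon is corroborated by host
    context, so a single information source cannot trigger an alert on its own."""
    beacons = beaconing_pairs(flows)
    hosts = suspicious_host_processes(events)
    return {pair: {"process": hosts[pair], "period_s": beacons[pair]}
            for pair in beacons if pair in hosts}
```

Run on the sample data, the network view alone flags both destinations as beacons, while the correlated view alerts only on the svchost.exe connections spawned from winword.exe.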