Towards Practical Framework for Collecting and Analyzing Network-Centric Attacks

Since nearly the beginning of the Internet, malware has been a significant deterrent to productivity for end-users, both personal and business related. A particular malware, known as a hot, can create networks of compromised machines called botnets, which are some of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective, when used alone, in dealing with new unknown bots. In this paper, we introduce a risk-aware network-centric management framework to detect and prevent targeted botnet attacks as well as propagation attempts within the network. As the first step in that direction we focus on learning more information about the bots by identifying malicious characteristics through the network traffic. Once we have their characteristics we then decide whether or not those characteristics present a significant risk to the network that is being protected by our architecture. Using risk as a factor in the decision process helps identify the bots more systematically. We present two scenarios that describe the risk-aware process and show that our framework shows great promise.