SBIR-STTR Award

Enterprise Botnet Detection and Mitigation System
Award last edited on: 4/6/2015

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$1,075,000
Award Phase
2
Solicitation Topic Code
H-SB06.1-008
Principal Investigator
Greg Hoglund

Company Information

HBGary Inc (AKA: Hbgary Federal Inc)

3604 Fair Oaks Boulevard Suite 250
Sacramento, CA 95864
   (916) 459-4727
   hoglund@hbgary.com
   www.hbgary.com
Location: Single
Congr. District: 07
County: Sacramento

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2006
Phase I Amount
$100,000
A botnet is a network of robots or "bots" installed surreptitiously on computer hosts and controlled to do the attacker's bidding via remote command and control systems. Most bots employ stealth methods to hide their communications and their installation. Detecting a botnet by examining network traffic is extremely difficult, since botnets frequently mask their existence by using multiple host proxies and network connections, different protocols, and encryption. The "weak link" in the botnet architecture is the host-based bot component itself. While the bot may employ obfuscation or software protection mechanisms, ultimately it must become unobfuscated and unpacked in order to execute, and in doing so it leaves behind telltale evidence of its existence. Detection and forensics of the host-based bot is the basis of this proposal. Current bot and botnet detection methods rely mostly on static signatures of known bots. HBGary proposes the Enterprise Botnet Detection System (EBDS), which will overcome the stealthy nature of advanced bots, detect and assess previously unknown bots, and provide remote forensics technologies to mitigate future botnet attacks.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2007
Phase II Amount
$975,000
Since botnets have both host and network components, detection must occur on both hosts and the network. A problem is that network management systems have no visibility into hosts, and host detection systems have no visibility into the network. Network management systems generate mountains of data that overwhelm network security administrators. Many host-based products use signatures to detect viruses and spyware, but stealthy malicious bots are not being detected. More flexible behavior-based host detection systems are emerging, but these products require frequent modification, have variable accuracy, and are limited to endpoint awareness, so they do not add to enterprise-level awareness. HBGary intends to develop a botnet detection system that automatically collects host and network evidence from across the enterprise and reasons over that evidence as a subject matter expert would, to determine whether botnets are present. Essentially, the system will automate the analysis and conclusions of subject matter experts. The system will instruct the security response team operator on what actions to perform. The system will also give a human analyst the ability to "drill down" and forensically analyze the threat.