International Conference on Reconfigurable Computing and FPGAs

Hardware isolation technique for IRC-based botnets detection


Abstract

Botnets are widely considered one of the most dangerous threats on the Internet because their modular and adaptive nature makes them difficult to defend against. In contrast to previous generations of malicious code, botnets have a command and control (C&C) infrastructure that allows them to be remotely controlled by their masters. A command and control infrastructure based on the Internet Relay Chat protocol (IRC-based C&C) is one of the most popular C&C infrastructures botnet creators use to deploy their botnets' malware (IRC botnets). In this paper, we propose a novel approach to detect and eliminate IRC botnets. Our approach consists of inserting a reconfigurable hardware isolation layer between the network link and the target. Our reconfigurable hardware is an FPGA System-on-Chip (FPGA SoC) that uses both anomaly-based and signature-based detection to identify IRC botnets. Unlike other viruses, botnets' primary objective is to disable any protection mechanism (firewalls, antivirus applications) found on the target machine so that they can communicate freely with their masters; our hardware-based isolation infrastructure therefore presents an improvement over existing software-based solutions. We evaluated our architecture, codenamed BotPGA, using real-world IRC botnets' non-encrypted network traces. The results show that BotPGA can detect real-world non-encrypted malicious IRC traffic and botnets with high accuracy.
