Thursday, April 24, 2008

ICIW2008: Understanding IRC Bot Behaviors in a Network-centric Attack Detection and Prevention

Gail-Joon Ahn, UNC Charlotte
  • motivation
    • malicious bots
    • surge in attacks
    • 1241 bots collected by them in the past year
    • 25% not detected by AV tools
  • background
    • most unknown bots are not detected
    • risk-aware detection and prevention
    • taxonomy of botnets is available
  • approach
    • components work individually & in cooperation
    • analysis is performed both on and off the internet
    • repository system component
    • pattern correlation system component
  • correlation system
  • Traffic analysis
    • detect malicious agents
    • something else
    • something else
  • IRC Sandman
    • Simulator
    • Animations of how it works
  • ongoing effort
    • bot characteristics
    • IRC conversation
    • Intel attribution
    • building new maps with various knowledge bases
