Challenges in Botnet Forensics

There are some limitations in different phases on Botnet Forensics. We will highlight the gap in each phase.

1. Collection Phase –

There should be an effective mechanism to identify the attack features from packet captures and capture the bot traffic in real-time, transmitted through a high-speed network.

2. Identification Phase –

This phase has the following limitations:

• There is a need to identify the attacks simultaneously to trigger the forensic process.
• Identification of the type of attack should be possible in real-time.
• There should be an efficient technique to identify a centralized botnets.
• Malicious network events must be identified.

3. Analysis Phase –

This phase has some limitations like:

• The deep analysis of IRC traffic is still a challenge.
• Machine Learning technique is required to improve the algorithms.
• It is hard to detect the traffic flow, in the case of Waledac traffic and P2P traffic.
• The information must be considered from various hosts from a compromised network for reconnaissance.
• Attack information and alerts must be taken from a combination of security sensors as no single security tool can give comprehensive alert information.

Botnet forensics is a proactive and reactive investigation on Botnet. However, this study is based on prior research reactive investigation. this article focuses on the different classifications of botnet forensics, its framework, and its challenges.   

References –

• https://en.wikipedia.org/wiki/Botnet
• Researchgate

Botnets are the programs that are executed by a malicious programmer known as a botmaster or botherder. Botherder sends the infection or viruses to the feeble user’s computer whose payload is a malicious application. It connects through the command and control server. Spammer purchase the services from the botherder and botherder then itself issues the updated command. Botnet forensic deals post mortem activities on botnet attacks and its associated vulnerabilities. Botnet forensics is of utmost importance nowadays, as it assists and prevents the organization from the outside and the inside network attacks.

In this article, we will cover the following topics:

• What is Botnet Forensics?
• Classification of Botnet Forensics.
• Botnet Forensics Framework.
• Challenges in Botnet Forensics Framework.

Let’s get started and cover each of these sections in detail.

What is Botnet Forensics?

Botnet forensics is the science that determines the scope of the breach and applies the methodology to find out the type of the infection. It is an investigation of the botnet attacks that includes a collection of activities like collection, identification, detection, acquisition, and attribution. The prime objective of botnet forensics is to measure the level of intrusions, investigate the intrusions, and provide information to recover from an intrusion so as to strengthen system security. The available information from the Botnet Forensics can be used to:

• Strengthen security tools.
• Understanding the modus of Operandi.
• In the future can be used to prevent a potential threat to network security.

Botnet forensics not only ensures network security but also facilitates law enforcement.