Interviewing Essay Example | Topics and Well Written Essays - 250 words

Interviewing - Essay Example Mumbling into the phone can cast a negative impression upon the employer. Scripted response often gets easily identified and nullifies the chances for success, so response should me made on the spot and should be natural. The biggest key to success in in-person interviews is being yourself. The interviewee should not ask the interviewer not to ask questions about certain things if he/she does not have knowledge about them. Instead, the candidate should maintain a positive approach and be cool, calm and confident. Even if there are certain weaknesses, the candidate should believe that they can be improved with effort. It is important to maintain eye-contact with the employer. Frequent use of body language is recommended, and questions should be listened to with patience (Topic). Confidence, clarity of speech, and originality are three prime requirements of success in both telephone and in-person interviewing. The candidate should practice incorporating each of the three in the response before appearing for either kind of

A History of Bravery and Conflict Essay Example for Free

A History of Bravery and Conflict Essay Although many protest against the SWAT team’s use of force, history shows how vital it is for SWAT teams to wield more power than standard police officers. SWAT officers have captured and killed criminals who could not be stopped by conventional methods. Without them, incidents such as the Texas Tower Massacre might occur with more frequency and with a greater number of casualties. Therefore, the SWAT team ought to be applauded for its power of protection and not hampered in its duties. ? Although many note that specialized weapons and tactics were used as early as the time of the civil war, special SWAT teams were not created until much later. Chris Pizzo cites William E. Fairbain as the creator of the first SWAT team. Fairbain organized his specialized teams, the Shanghai Municipal Police Force, to defend against riots, guerilla attacks and terrorists in the 1920s. Fairbain’s men were the first police group to use automatic weapons, carbines and high-powered rifles. They also used body armor, armed motorcycles, and chemicals to repel attackers. They countered snipers, used martial arts, and excelled at hand-to-hand combat. While Fairbain’s men originally worked in Shanghai, they brought their methods back to the United States (Pizzo, 2007). In Los Angeles, the need for teams with specialized weapons and tactics was made evident in 1965, when Marquette Frye, a black man, was arrested for driving while intoxicated. His mother tried to stop the arrest, and drew a crowd. The event sparked anger and rioting against policemen in Los Angeles. According to Lee W. Minikus, the rioters threw rocks and gigantic pieces of concrete at patrol officers. The officers were armed only with eleven shotguns – one per car, and batons. After being attacked, they used their batons on the rioters to defend themselves. According to Minikus, â€Å"They were not rioters, as far as I’m concerned, they were gangsters. † The officer’s neighbors, some white, some Latino, defended his wife and children, holding rifles on their front porches. The riots left 25 blacks and nine whites dead. Meanwhile, more than 1,000 others were injured. Rioters burnt businesses to ash and damaged more than 600 properties. Ironically, Minikus and Marquette remained friends after the incident (Reitman Landsberg, 2005). In the summer of 1966, America’s need for SWAT teams became even clearer when a tragedy struck Texas. A disturbed engineering student and former marine, Charles Whitman, killed his wife and parents, then climbed to a tower on the University of Austin’s campus and began shooting down students. Whitman allowed others to get close enough to aid the wounded victims, and then shot the would-be rescuers as well. He even shot an eight months pregnant woman in the stomach, killing her baby. When police arrived on the scene, they had to plan to reach Whitman or to help the victims. Some tried to bring him down with an airplane, but were repelled by his gunfire. Eventually, the officers were able to bring Whitman down by using an underground tunnel. When they reached Whitman, he fired on them. They returned fire and finally ended Whitman’s attack (Snow, 1996). The tower massacre lead police to the realization that they needed to be more prepared for such attacks. Meanwhile, after the Watts riots, several snipers shot innocent civilians and police were not able to respond efficiently to such disasters. The Los Angeles Police Department was the first to find a way to respond (LAPD, 2008). Officer John Nelson, supported by inspector Darryl Gates, came up with a special weapons and tactics squad, which would enlist a small group of extremely disciplined officers to handle the most challenging and unusual problems faced by the force. The original LAPD SWAT team consisted of fifteen men, who had both police and military experience. They operated once a month, or when they were actually needed. By the 1970s, however, SWAT teams operated on a full-time basis in larger cities. In 1971, they officially adopted the name of SWAT (Snow, 1996).

Analysis of Botnet Security Threats

Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b Analysis of Botnet Security Threats Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b

10,000 Hour Tenacity in Outliers by Malcolm Gladwell Essay -- pattern o

The Beatles, Bill Gates, Steve Jobs, professional hockey players, and solo violinists all have one thing in common. Malcolm Gladwell, author of â€Å"Outliers†, is able to effectively link these different parties together though his â€Å"10,000 Hour Rule†. Gladwell states that, â€Å"practice isn’t the thing you do once you’re good. It’s the thing that makes you good† (42). Using rhetorical devices, Gladwell effectively conveys how overall success can be spotted by historical, recurring patterns or events. Malcolm Gladwell has supported himself as a reputable author as well. Using supported statistics, easily illustrated patterns, and well known examples, Gladwell fulfills the logos appeal. Also, due to his very successful works â€Å"The Boiling Point† and â€Å"Blink†, Gladwell shows his credibility as an author. Gladwell’s main purpose is to teach his audience the pattern of success, and why some people did or did not succeed. This audience is consisted of those who want to succeed, and want to create as many possibilities to reach their goal. Their main values are gaining success for themselves. Another possible audience is a group who enjoys statistics and patterns. These patterns show that around 10,000 of practice in an activity, the person becomes very proficient in that activity. Citing the Beatles, Bill Joy, and Bill Gates as his examples, Gladwell shows that practice can make perfect. Malcolm Gladwell states that to reach a level of expertise, one must practice that activity for 10,000 hours. Using rhetorical devices, tone, and logos, Gladwell efficiently supports his claim of the 10,000 hour rule. Gladwell’s style of writing begins with explaining or presenting an example of someone with success in a field. He then quickly refutes the reader’... ...a well defended argument, and was able to reinforce it well with factual evidence, rhetorical devices, and tone. Gladwell effectively uses rhetorical devices, tone, and factual evidence to support his claim of the 10,000 hour rule. Using rhetorical devices such as parallelism, facts and statistics (logos), and style of writing, Gladwell reinforces his idea of practice. Malcolm Gladwell uses his evidence to make a reader truly think about those who are successful as being hard workers, not just â€Å"lucky†. He illustrates how many well-known experts became legends in their field. This not only shows how software moguls and tycoons became wealthy or successful, but how the reader can as well: by following the old piece of advice â€Å"practice makes perfect†. Works Cited Gladwell, Malcolm. Outliers: The Story of Success. New York: Little, Brown and, 2008. ________Print

Creative Writing Essay

Specific poetic forms have been developed by many cultures. In more developed, closed or â€Å"received† poetic forms, the rhyming scheme, meter and other elements of a poem are based on sets of rules, ranging from the relatively loose rules that govern the construction of an elegy to the highly formalized structure of the ghazal or villanelle. Described below are some common forms of poetry widely used across a number of languages. Additional forms of poetry may be found in the discussions of poetry of particular cultures or periods and in the glossary. Sonnet Among the most common forms of poetry through the ages is the sonnet, which by the 13th century was a poem of fourteen lines following a set rhyme scheme and logical structure. By the 14th century, the form further crystallized under the pen of Petrarch, whose sonnets were later translated in the 16th century by Sir Thomas Wyatt, who is credited with introducing the sonnet form into English literature. A sonnet’s first four lines typically introduce the topic. A sonnet usually follows an a-b-a-b rhyme pattern. The sonnet’s conventions have changed over its history, and so there are several different sonnet forms. Traditionally, in sonnets English poets use iambic pentameter, the Spenserian and Shakespearean sonnets being especially notable. In the Romance languages, the hendecasyllable and Alexandrine are the most widely used meters, though the Petrarchan sonnet has been used in Italy since the 14th century. Sonnets are particularly associated with love poetry, and often use a poetic diction heavily based on vivid imagery, but the twists and turns associated with the move from octave to sestet and to final couplet make them a useful and dynamic form for many subjects.] Shakespeare’s sonnets are among the most famous in English poetry, with 20 being included in the Oxford Book of English Verse. Shi (poetry) Shi (traditional Chinese: è © ©; simplified Chinese: è ¯â€"; pinyin: shÄ «; Wade-Giles: shih) Is the main type of Classical Chinese poetry.Within this form of poetry the most important variations are â€Å"folk song† styled verse (yuefu), â€Å"old style† verse (gushi), â€Å"modern style† verse (jintishi). In all cases, rhyming is obligatory. The Yuefu is a folk ballad or a poem written in the folk ballad style, and the number of lines and the length of the lines could be irregular. For the other variations of shi poetry, generally either a four line (quatrain, or jueju) or else an eight line poem is normal; either way with the even numbered lines rhyming. The line length is scanned by according number of characters (according to the convention that one character equals one syllable), and are predominantly either five or seven characters long, with a caesura before the final three syllables. The lines are generally end-stopped, considered as a series of couplets, and exhibit verbal parallelism as a key poetic device. ]The â€Å"old style† verse (gushi) is less formally strict than the jintishi, or regulated verse, which, despite the name â€Å"new style† verse actually had its theoretical basis laid as far back to Shen Yue, in the 5th or 6th century, although not considered to have reached its full development until the time of Chen Zi’ang (661-702) A good example of a poet known for his gushi poems is Li Bai. Among its other rules, the jintishi rules regulate the tonal variations within a poem, including the use of set patterns of the four tones of Middle Chinese The basic form of jintishi (lushi) has eight lines in four couplets, with parallelism between the lines in the second and third couplets. The couplets with parallel lines contain contrasting content but an identical grammatical relationship between words. Jintishi often have a rich poetic diction, full of allusion, and can have a wide range of subject, including history and politics. One of the masters of the form was Du Fu, who wrote during the Tang Dynasty (8th century). Villanelle The villanelle is a nineteen-line poem made up of five triplets with a closing quatrain; the poem is characterized by having two refrains, initially used in the first and third lines of the first stanza, and then alternately used at the close of each subsequent stanza until the final quatrain, which is concluded by the two refrains. The remaining lines of the poem have an a-b alternating rhyme.The villanelle has been used regularly in the English language since the late 19th century by such poets as Dylan Thomas, W. H. Auden,and Elizabeth Bishop. Tanka Tanka is a form of unrhymed Japanese poetry, with five sections totalling 31 onji (phonological units identical to morae), structured in a 5-7-5 7–7 pattern.There is generally a shift in tone and subject matter between the upper 5-7-5 phrase and the lower 7-7 phrase. Tanka were written as early as the Nara period by such poets as Kakinomoto no Hitomaro, at a time when Japan was emerging from a period where much of its poetry followed Chinese form. Tanka was originally the shorter form of Japanese formal poetry, and was used more heavily to explore personal rather than public themes. By the 13th century, tanka had become the dominant form of Japanese poetry, and it is still widely written today. Haiku Haiku is a popular form of unrhymed Japanese poetry, which evolved in the 17th century from the hokku, or opening verse of a renku. Generally written in a single vertical line, the haiku contains three sections totalling 17 onji, structured in a 5-7-5 pattern. Traditionally, haiku contain a kireji, or cutting word, usually placed at the end of one of the poem’s three sections, and a kigo, or season-word. The most famous exponent of the haiku was Matsuo BashÃ…  (1644–1694). An example of his writing: Ã¥ ¯Å'Ã¥ £ «Ã£  ®Ã© ¢ ¨Ã£â€šâ€žÃ¦â€°â€¡Ã£  «Ã£  ®Ã£ â€ºÃ£  ¦Ã¦ ±Å¸Ã¦Ë† ¸Ã¥Å"Ÿç” £ fuji no kaze ya oogi ni nosete Edo miyage the wind of Mt. Fuji I’ve brought on my fan! a gift from Edo Ode Odes were first developed by poets writing in ancient Greek, such as Pindar, and Latin, such as Horace. Forms of odes appear in many of the cultures that were influenced by the Greeks and Latins.The ode generally has three parts: a strophe, an antistrophe, and an epode. The antistrophes of the ode possess similar metrical structures and, depending on the tradition, similar rhyme structures. In contrast, the epode is written with a different scheme and structure. Odes have a formal poetic diction, and generally deal with a serious subject. The strophe and antistrophe look at the subject from different, often conflicting, perspectives, with the epode moving to a higher level to either view or resolve the underlying issues. Odes are often intended to be recited or sung by two choruses (or individuals), with the first reciting the strophe, the second the antistrophe, and both together the epode.Over time, differing forms for odes have developed with considerable variations in form and structure, but generally showing the original influence of the Pindaric or Horatian ode. One non-Western form which resembles the ode is the qasida in Persian poetry. Ghazal The ghazal (also ghazel, gazel, gazal, or gozol) is a form of poetry common in Arabic, Persian, Turkish, Azerbaijani, Urdu and Bengali poetry. In classic form, the ghazal has from five to fifteen rhyming couplets that share a refrain at the end of the second line. This refrain may be of one or several syllables, and is preceded by a rhyme. Each line has an identical meter. The ghazal often reflects on a theme of unattainable love or divinity. As with other forms with a long history in many languages, many variations have been developed, including forms with a quasi-musical poetic diction in Urdu. Ghazals have a classical affinity with Sufism, and a number of major Sufi religious works are written in ghazal form. The relatively steady meter and the use of the refrain produce an incantatory effect, which complements Sufi mystical themes well. Among the masters of the form is Rumi, a 13th-century Persian poet who lived in Konya, in present-day Turkey. Genres In addition to specific forms of poems, poetry is often thought of in terms of different genres and subgenres. A poetic genre is generally a tradition or classification of poetry based on the subject matter, style, or other broader literary characteristics. Some commentators view genres as natural forms of literature. Others view the study of genres as the study of how different works relate and refer to other works. Narrative poetry Narrative poetry is a genre of poetry that tells a story. Broadly it subsumes epic poetry, but the term â€Å"narrative poetry† is often reserved for smaller works, generally with more appeal to human interest. Narrative poetry may be the oldest type of poetry. Many scholars of Homer have concluded that his Iliad and Odyssey were composed from compilations of shorter narrative poems that related individual episodes. Much narrative poetry—such as Scottish and English ballads, and Baltic and Slavic heroic poems—is performance poetry with roots in a preliterate oral tradition. It has been speculated that some features that distinguish poetry from prose, such as meter, alliteration and kennings, once served as memory aids for bards who recited traditional tales. Notable narrative poets have included Ovid, Dante, Juan Ruiz, Chaucer, William Langland, Luà ­s de Camà µes, Shakespeare, Alexander Pope, Robert Burns, Fernando de Rojas, Adam Mickiewicz, Alexander Pushkin, Edgar Allan Poe and Alfred Tennyson. Epic poetry Epic poetry is a genre of poetry, and a major form of narrative literature. This genre is often defined as lengthy poems concerning events of a heroic or important nature to the culture of the time. It recounts, in a continuous narrative, the life and works of a heroic or mythological person or group of persons.] Examples of epic poems are Homer’s Iliad and Odyssey, Virgil’s Aeneid, the Nibelungenlied, Luà ­s de Camà µes’ Os Lusà ­adas, the Cantar de Mio Cid, the Epic of Gilgamesh, the Mahabharata, Valmiki’s Ramayana, Ferdowsi’s Shahnama, Nizami (or Nezami)’s Khamse (Five Books), and the Epic of King Gesar. While the composition of epic poetry, and of long poems generally, became less common in the west after the early 20th century, some notable epics have continued to be written. Derek Walcott won a Nobel prize to a great extent on the basis of his epic, Omeros. Verse drama and dramatic verse, Theatre of ancient Greece, Sanskrit drama, Chinese Opera, and Noh Dramatic poetry is drama written in verse to be spoken or sung, and appears in varying, sometimes related forms in many cultures. Greek tragedy in verse dates to the 6th century B.C., and may have been an influence on the development of Sanskrit drama, just as Indian drama in turn appears to have influenced the development of the bianwen verse dramas in China, forerunners of Chinese Opera.East Asian verse dramas also include Japanese Noh. Examples of dramatic poetry in Persian literature include Nizami’s two famous dramatic works, Layla and Majnun and Khosrow and Shirin, Ferdowsi’s tragedies such as Rostam and Sohrab, Rumi’s Masnavi, Gorgani’s tragedy of Vis and Ramin, and Vahshi’s tragedy of Farhad. Satirical Poetry Poetry can be a powerful vehicle for satire. The Romans had a strong tradition of satirical poetry, often written for political purposes. A notable example is the Roman poet Juvenal’s satires.[128] The same is true of the English satirical tradition. John Dryden (a Tory), the first Poet Laureate, produced in 1682 Mac Flecknoe, subtitled â€Å"A Satire on the True Blue Protestant Poet, T.S.† (a reference to Thomas Shadwell).Another master of 17th-century English satirical poetry was John Wilmot, 2nd Earl of Rochester.Satirical poets outside England include Poland’s Ignacy Krasicki, Azerbaijan’s Sabir and Portugal’s Manuel Maria Barbosa du Bocage. Lyric poetry Lyric poetry is a genre that, unlike epic and dramatic poetry, does not attempt to tell a story but instead is of a more personal nature. Poems in this genre tend to be shorter, melodic, and contemplative. Rather than depicting characters and actions, it portrays the poet’s own feelings, states of mind, and perceptions.Notable poets in this genre include John Donne, Gerard Manley Hopkins, and Antonio Machado. Elegy An elegy is a mournful, melancholy or plaintive poem, especially a lament for the dead or a funeral song. The term â€Å"elegy,† which originally denoted a type of poetic meter (elegiac meter), commonly describes a poem of mourning. An elegy may also reflect something that seems to the author to be strange or mysterious. The elegy, as a reflection on a death, on a sorrow more generally, or on something mysterious, may be classified as a form of lyric poetry. Notable practitioners of elegiac poetry have included Propertius, Jorge Manrique, Jan Kochanowski, Chidiock Tichborne, Edmund Spenser, Ben Jonson, John Milton, Thomas Gray, Charlotte Turner Smith, William Cullen Bryant, Percy Bysshe Shelley, Johann Wolfgang von Goethe, Evgeny Baratynsky, Alfred Tennyson, Walt Whitman, Louis Gallet, Antonio Machado, Juan Ramà ³n Jimà ©nez, William Butler Yeats, Rainer Maria Rilke, and Virginia Woolf. Fable The fable is an ancient literary genre, often (though not invariably) set in verse. It is a succinct story that features anthropomorphized animals, plants, inanimate objects, or forces of nature that illustrate a moral lesson (a â€Å"moral†). Verse fables have used a variety of meter and rhyme patterns. Notable verse fabulists have included Aesop, Vishnu Sarma, Phaedrus, Marie de France, Robert Henryson, Biernat of Lublin, Jean de La Fontaine, Ignacy Krasicki, Fà ©lix Marà ­a de Samaniego, Tomà ¡s de Iriarte, Ivan Krylov and Ambrose Bierce. Prose poetry Prose poetry is a hybrid genre that shows attributes of both prose and poetry. It may be indistinguishable from the micro-story (a.k.a. the â€Å"short short story†, â€Å"flash fiction†). While some examples of earlier prose strike modern readers as poetic, prose poetry is commonly regarded as having originated in 19th-century France, where its practitioners included Aloysius Bertrand, Charles Baudelaire, Arthur Rimbaud and Stà ©phane Mallarmà ©.Since the late 1980s especially, prose poetry has gained increasing popularity, with entire journals, such as The Prose Poem: An International Journal,Contemporary Haibun Onlinedevoted to that genre. Speculative poetry Speculative poetry, also known as fantastic poetry, (of which weird or macabre poetry is a major subclassification), is a poetic genre which deals thematically with subjects which are ‘beyond reality’, whether via extrapolation as in science fiction or via weird and horrific themes as in horror fiction. Such poetry appears regularly in modern science fiction and horror fiction magazines. Edgar Allan Poe is sometimes seen as the â€Å"father of speculative poetry†.

Popular Music, Television, and Film Stars Essay

Everyone at all ages have grown up admiring and idealizing at least on celebrity, be that an actor, singer or any other famous person. What they do not ask while they are young is whether our idols are people we should be looking up to. Usually when people become older they realize that their role models at the time are not someone they would want their children idolizing now. They come to the conclusion that the person they looked up to wasn’t who they truly were, it was all an act. So should a celebrity be considered a true leader? That is worth debating. By using three characteristics of celebrities it will be known whether or not a celebrity has the potential to be a good leader. To begin, a celebrity can be known for many things, but a leader and great role model is not always one of them. One characteristic of a celebrity is being perfect. Is being perfect possible? No, but Paris Hilton is an example of someone who thinks they need to diet uncontrollably and get plastic surgery to make them seem perfect. This is not nearly close enough to be a true leader, because she is giving children the wrong idea; that it’s okay to be unhealthy and to bad things to your body just to look perfect so everyone likes them. The opposition may argue that it’s not always their fault. An example of this would be Demi Lavato. She suffered from bulimia and dieted because she didn’t like the way she looked. However they are wrong because although she couldn’t control her disease, there is no reason she should have hated herself in the beginning. We need to teach the children of this generation that it’s okay to look different. Not everyone needs to wear tons of makeup and be stick thin. A celebrity who can show all of these ideas is one who is truly a leader. Subsequently, everyone is selfish in their life for their own reasons, but should children look up to people who are selfish all the time? A successful celebrity gets money, fame, and anything they virtually want, but that is not a reason they should be selfish. An example of a selfish celebrity would be Kim Kardashion. Everything she does is related to how she can get more fame. Her tv show, her clothes line, her perfume, even her marriage was to give her more publicity. This is not what a leader would do. The opposition would argue that everyone is selfish so why can’t celebrities be who they are; however, they are wrong because although everyone is selfish it’s not as bad as celebrities and non-famous people aren’t the ones trying to get children and  fans to be just like them. Children need to learn that it is important to set aside time to help those who need more help than they do. John Cena is a great example of this. He is a famous wwe wrestler who gets paid a lot and has many fans, however, he takes the time to support the American Red Cross and goes to see children with diseases and cancer to try and make their day better. This is a great way to show how to be a leader. Lastly, something very common in the celebrity world is failed marriages. How are the newer generation’s children supposed to know that, although what t hey see on the tv and in magazines, they are really supposed to marry someone because they love them and want to be with them for the rest of their lives? â€Å"Till death do us part.† right? Wrong the tv, music, and famous world is showing that it’s okay if marriages don’t work out, that they can just find someone else or someone’s at that matter. These celebrities like Kim Kardashion and Kris Humphries were married for 10 months. The only reason they got married was because marrying a famous basketball player with lots of money would defiantly give Kim the publicity she wanted. The opposition may argue that it’s their life and there’s no reason they should be judged by their private life; however, they are wrong because when someone is brought into this industry, their private life is all everyone hears about. Just because they are famous doesn’t mean they can’t get married because of love. An example of a good couple that shows a leader quality would be Tim McGraw and Faith Hill. They are both country singers and have been married for 16 years with three children. Who said that marriage in showbiz had to end so soon? A leader isn’t someone willing to stage a fake marriage for a bigger fan base. Concisely, these days it is getting increasingly hard to tell the difference between a true leader and role model from a fake one. In the celebrity business there are three characteristics such as, perfection, selfishness, and fakeness that results in, are once role models turning into people who we look down upon. It is important to look at people for who they are as a person and what they can do for the people around them, rather than idolizing people for their fashion, money and fame.