Mimicking Attack Detection at Hybrid Level

Botnets are becoming an easy way of creating multiple attacks. One of them was botnets simulate the behaviour that is very near to the legitimate users. Previous research found through semi-Markov model it was difficult to detect mimicking attack based on browsing statistics if attacking bots were sufficiently large in number [1]. By using Bots attackers will collect the user profiles from multiple systems. Bot master (attacker) will study statistics and Bot master will prepare a common profile (or) multiple profiles similar to the user activities. In the next phase, bot master injects profile into user systems through bots. If bot master injects common profile across all bot injected system then the attack was considered as a homogeneous mimicking attack. If bot master injects multiple profiles to the bot injected systems the attack was considered a heterogeneous mimicking attack. As part of our study, we simulated the mimicking attack and worked on detecting at multiple levels. We have developed algorithms of detecting at a server level [2] and the gateway level [3]. In this paper, we are going to discuss the merits and demerits of these two detection algorithms and proposing another architecture module hybrid level detection. Which will be spread across servers and gateway which will have the bird view of activities happening in the network. It collects the statistics from different network elements and based on the analysis of the trace of the bot activities will identify mimicking attack.