Monday, September 30, 2019

Counselling Skills Essay

1. Briefly describe in your own words what is meant by the term ‘counselling’.

Counselling is a type of therapy offered to people who are experiencing difficulties or troubles in life. It gives them a chance to explore and address their problems, to work out how to deal with those problems emotionally, and to move on in their lives.

2. What factors may make it difficult for a client to commit to counselling? What could you do to help overcome these barriers?

Quite often people find it difficult or awkward to talk to their family and friends about personal issues, yet are able to lay all their cards on the table when talking to a counsellor. However, some people may find it daunting to tell a complete stranger what is happening in their lives, or may worry about how they will be perceived by other people for seeking help. It might simply be because they are emotionally closed and unable to open up. I would try to overcome these barriers by first establishing a lot of trust in the relationship between myself as counsellor and the client. Once that trust was established I would encourage them to talk openly about their issues and reassure them about the importance of confidentiality: absolutely no-one would have to know that they had been for counselling.

3. What are the ‘Core Counselling skills’? Briefly describe each one.

1. Genuineness – being true, honest, authentic and not fake in any way.
2. Acceptance – completely accepting the client for who they are and not judging them in any way; being impartial.
3. Empathy – putting yourself in the client’s shoes, being able to identify with and understand their problems.

4. In your opinion, what are the most important skills required for effective counselling? Justify your answer.

I believe the most important skills for effective counselling are empathy, acceptance, compassion and genuineness.
I think that if you cannot empathise with somebody then it is almost impossible to counsel them. If you cannot imagine what it is like to be in their position then you cannot try to help them. I believe acceptance is important because if you allow your own personal views and opinions to get in the way, this will affect how well your therapy sessions go and what the result will be in the end. I believe it is important to be impartial; this is a principle that I use as a volunteer at the Citizens Advice Bureau. I believe compassion and genuineness are important skills because if the client thinks that you are not a compassionate, caring, genuine person then they will not want you to counsel them. It will be almost impossible to gain any trust with the client, and they will not open up and talk about their problems; thus therapy will be a complete and utter waste of time for them. For example, if somebody wants counselling for depression and is having suicidal thoughts, and you appear uncaring, then this might add to their own feelings of worthlessness and could potentially make the client worse.

5. Think about a time when you helped someone. Write a transcript of what happened and identify any particular counselling skills you employed. You should also make a reference to SOLER within your answer.

I’m a big fan of the social networking site Facebook, and over time I noticed that someone I’m friends with on there, whom I am only going to refer to as ‘M’, seemed very depressed and down in the dumps. Nearly everything she posted on Facebook was dark and depressing. At the time I didn’t know her that well and had only seen her around the area where I live. I eventually decided that I would message M to see if she fancied a chat sometime, and to say that I had noticed from the things she had been saying that she seemed very unhappy.
Over a period of time we started talking regularly, general chit-chat mostly, and eventually she told me that she suffered from a mental illness called BPD (Borderline Personality Disorder) and that she is bipolar. I decided to research BPD and try to find out more about it. I learnt that BPD sufferers can have extreme mood swings, going from feeling wonderful one minute to suicidal the next. During our chats online I told M that if she ever wanted someone to talk to then I would always be there to listen. She told me of her feelings of lack of self-worth and that, in her opinion, nobody really cared about her or wanted to listen; not even her friends would make that much of an effort. She assumed that because of her mental health condition, not many people would be willing to get to know her. I was very persistent with M, reassuring her that I wanted to listen to her problems. I established a lot of trust with M, because otherwise she would not have told me these things. After a while I suggested to M that we go for a coffee and a chat. I sat opposite her in the café, maintaining eye contact with her and leaning towards her slightly, interested in everything she had to say. As we talked I noticed that there were deep slash marks on both of her wrists. I asked her about them and she told me that she had tried to kill herself many times and that cutting herself made her feel better. That was when I decided that my own personal goal was to try and inject some positivity into this girl’s life, so that maybe over time she would not cut herself anymore. This girl needed to know that people did care about her and that she wasn’t the horrible person she thought she was. After that we met up several times, and even to this day we talk online; she has often thanked me for listening to her, and that has made me feel very good about myself. I think she is very appreciative of having someone who is genuinely interested in her thoughts and feelings.
I can definitely empathise with M because in the past I have personally suffered from anxiety and paranoia, which made me feel very down in the dumps, and at the time I also believed nobody wanted to listen to me either. I’ve accepted M for who she is, not letting her mental illness deter me whatsoever. I’ve learnt something new and find mental health very interesting. I think that some people, if they do not understand something, treat it with ignorance. Hopefully over time I will help to build up her confidence, but there are some very serious underlying problems as to why she cuts herself. This is an ongoing process, but I am determined to get there one day.

Sunday, September 29, 2019

Child Trafficking

We have talked a lot about social issues affecting human service professionals since class began. We discussed child abuse, poverty, drug abuse, the school system and education, and health, and the diverse population that human service professionals face every day as they serve people of different races and income levels. They have realised that the people they serve differ in their values, needs and wants, and that dignity and respect must be given to them no matter what condition they are in or what race they are. The human service worker must respect everyone's culture and try to work with them. The social problem I would like to write about is child trafficking. The text I reviewed describes child trafficking, or sex trafficking of minors, as a number of crimes, including recruiting or transporting minors for sexual exploitation, exploiting them through prostitution, or exploiting them through survival sex (exchanging sexual acts for something of value, such as shelter or food) (National Academy of Sciences, 2014); this is unlawful and the government needs to put a stop to it. I chose to write on child trafficking because I accept the truth that many are not aware of it, and people really need to say something if they know something. Sex trafficking of children is a form of child neglect and child abuse. These problems are sensitive because working with children and seeing how affected they can be, and how they suffer from being abused and hurt, is something that needs to be stopped. It affects them not only as children; as they grow into adulthood it will continue to affect them. Society is also affected when we have children who are hurt. There is a need to break this cycle in the U.S. and in other countries. The first article I read is about child trafficking in the United States and the long-term effects it has on children (National Academy of Sciences, 2014). Health issues and social problems can arise when these children are trafficked.
The article states that child trafficking is under-reported or overlooked because it happens behind closed doors. Child trafficking impacts the U.S. because it means the children are not getting the education, food, or nutrition they need; it becomes a recurring cycle of poverty that continues into adulthood. The article describes how many exploited children come from a background of abuse, foster homes, or homelessness and sleeping on the street. Child trafficking impacts the U.S. and the law because in many states it is handled under prostitution law. This impacts our juvenile system: “minors can be arrested and charged with crimes instead of treating these sexually exploited minors as victims. These children and adolescents may be arrested, adjudicated or convicted, and committed; they may have permanent records as offenders” (National Academy of Sciences, 2014). Child trafficking and abduction cases in Nigeria are now a global topic. The story of trafficking in Nigeria is not based only on sexual exploitation: children are also forcibly taken from their homes and brought into slavery, forced into unwanted marriages to men much older than them, and placed in illegal adoptions. The article I reviewed shows how child trafficking has been taking place in the country and what is being prepared to assist the children affected by it. Child trafficking in Nigeria is now so widespread that it is actually bringing the country together to ask why. The matter is so huge that people are angry and want to get involved, and are calling on the government to support the search for the children who have been unlawfully kidnapped by these traffickers. The article also states that this is being run as a “factory” type of business. The country is impacted because of poverty and lack of legal justice. It affects Nigeria through a loss of trust in the government. It can also affect a person's sense of whom to trust.
The long-term measures accomplished so far in the U.S. to address child trafficking are acknowledging the fact that it is happening and that something needs to be done; we need policymakers to call on state, local, tribal and protective jurisdictions to expand laws and regulations that move survivors of sexual exploitation under the age of 18 away from arrest and prosecution and “toward systems, agencies, and services that are available to them” (National Academy of Sciences, 2014). I think training for those who work with children is needed so that they realise the harshness of this matter and learn how to help these children. In Nigeria there have been outcries to help stop child trafficking, going a step further by asking for help from outside agencies and other countries, because people do not trust their own country to fix the problem. Another way Nigerians are seeking to fix the problem is by having private agencies work in specific areas to try to prevent trafficking before it happens. One important thing that could also be done is to indict and prosecute those who pay for these services, and to provide the exploited children with the services they need to be successful in society, such as education, work, and proper counselling throughout their recovery. I also believe that more funding should be directed to the after-care of the kids involved in these crimes.

Saturday, September 28, 2019

The Duty to Intervene in Conflicts Around the World Essay

France, Belgium, the United States, and even the United Nations did not intervene to stop the slaughter; instead, they decided to pull out 90% of their peacekeeping soldiers and to evacuate all white people from Rwanda (“Genocide in Rwanda”; Rwanda Genocide Documentary). Some people believe that the U.S. and other powerful nations do not have a duty to intervene. We have a duty to intervene in conflicts around the world because it is right to do something that should be a universal law, and because to do so without expecting anything in return is to treat people as ends in themselves who have moral worth. At the same time, the Universal Declaration of Human Rights declares that member states have a duty to promote universal human rights and freedoms. Moreover, I believe that it is wrong to just leave and look the other way, or to do nothing, as happened in Rwanda, because these are innocent people who are unarmed and who have no one else to protect them, not even their own government, so another government should help them out of its humanity, where compassion and goodwill live. We have a duty to intervene in conflicts around the world because it is right to do something that should be a universal law. Immanuel Kant describes in “Good Will, Duty, and the Categorical Imperative” what it means to do what is good. He offers two categorical imperatives, which are commands that must be obeyed unconditionally. The first categorical imperative is to act according to a maxim that “should become a universal law” (152). If nations help besieged people in other countries, this should be a universal law because it is the act of rationality to help others in dire need. It was wrong, then, for France, Belgium, the United States, and the United Nations not to extend help to the Tutsis, whom they knew were being systematically slaughtered.

Friday, September 27, 2019

Compare and contrast 2 different transportation modes and 2 different Essay

It is also important to take into consideration the peak and off-peak periods of travel. There are many similarities between air transport and high-speed rail, more even than the similarity between either of them and conventional rail. High-speed rail tends to compete with airplanes with considerable success. As such, the line normally attracts a premium class of travellers who give priority to high-value travel (Hensher, 2004). High-speed rail, unlike airports, requires less space. On the other hand, there is a dire need for vast spaces in the case of an airport, and the associated low-density expansion. When major stations are located directly in the heart of a city, the economic benefit of the system tends to be concentrated there. A good example is San Francisco International Airport, which is owned by the city of San Francisco. A lot of the economic advantage that accrues from this airport goes to the car-rental companies, hotels, and restaurants located within San Mateo County, as opposed to revenue collected by the city. Since it is not possible for an airport to be located within San Francisco, the city can however make use of high-speed rail. ... In addition, they can also act as an important part of a good transport system. They are also capable of connecting rail stations in one city centre to a multitude of other rail stations in other city centres, with record loading and unloading times for passengers of between 3 and 8 minutes (Dempsey, 1999). Conversely, air transport connects airports serving different cities, and the average transfer time for passengers ranges from 30 minutes to 1 hour. Nevertheless, if the two modes of transportation are properly designed and maintained, they normally tend to complement one another (Song et al, 2006).
Usually, journeys that take between two and three hours are best suited to high-speed rail, as over such an average distance of 200 miles high-speed rail tends to be faster than even air transport. Normally, when one is travelling a distance below 400 miles, air transport is slowed down by processes such as security checks, as well as the distance one has to cover to and from the airport. In the long run the time spent on an air journey becomes almost the same as that spent on high-speed rail (Rodriquez et al, 2006).

Airport vs. rail terminus

Early airport terminals borrowed their architectural designs from the union stations of the railroads of the time. The term ‘terminal’ also originates in the railroad industry. Rail and airport termini bear some similarities. Where the inter-modal facilities of a terminus are properly designed, it is possible for a passenger to board and exit both an aircraft and a train (Dempsey, 1999). In a way, the terminus normally found in an airport tends to differ a bit from the railway terminus

Thursday, September 26, 2019

Analyze Machiavelli and Plato and their relationship to each other Essay

His views advocated certain courses of action. The scholar presents two sides of the argument, stating what the prince should do in times of war and what he should do in times of peace. His work known as The Prince, which gives details on how the prince should act in times of war, is the most famous of all his works and has been widely quoted over time. In The Prince, he begins by talking about how the two existing monarchies quickly moved to retain a rebel territory that had been conquered (Machiavelli & Parks, 2009). He talks of how the prince should have good fortune so that he retains the rebels he has acquired, and how he was supposed to dedicate himself to the task at hand in handling the rebels. He continues by explaining how the prince was supposed to rule the people he acquired after conquering a new territory, and tells of the different ways to govern a city that was used to its liberty and independence (Machiavelli & Parks, 2009): the prince was to destroy them, live together with them, or decide to leave them alone. He stated the different ways in which princes who acquired power through violent and non-violent means were to conduct themselves. The code of conduct depended entirely on the amount of support that the ruler had from the population. He maintains that the ruler's friendship with the population helps rulers to rule with ease and experience little resistance from the people being ruled. The writer talks of how the ruler must be feared by all but not hated, and of how leaders are supposed to carry the great ability imposed upon them by the people. This status is to be achieved only if the prince keeps his distance from the lives of the ordinary people below him in rank. There is also the other side of Machiavelli, where he talks about the end justifying the means; this is Machiavelli's republican side.
In his work, he talks of the republic and argues that it is the best form of

Wednesday, September 25, 2019

Formal Report Presentation Essay

Inspiration to be a physical therapy assistant: The inspiration to be a physical therapy assistant goes back to my younger years. My favourite uncle was in a car accident, which left him almost immobile. Out of curiosity, I asked whether my uncle would ever walk again. I missed the many walks and trails he took me on almost every fortnight. My mother informed me that my uncle would get better through physical therapy. As young as I was, I never forgot that name, despite the fact that it was beyond the knowledge of my age. It was challenging to see my uncle go through physical therapy. From that time onwards, I decided that I would learn physical therapy to assist people like my uncle. It was beyond my imagination just how many people suffer from such problems in the world. The need and demand for physical therapy assistant services: According to the Government of Canada (2013), the demand for physical therapy has increased over the years. The United States Department of Labor (2012) indicates that there is high demand for physical therapists in the United States. The high number of accidents and incidents of violence has increased the demand for physical therapy services. Why physical therapy is important to me: The fact that my uncle eventually walked, even though he limps, was a revelation that many people in society can get help and get better. In that regard, I focused on physical therapy because it could touch the lives of many people in society significantly. My future: It is my desire to continue serving society in my current role. In the future, I would like to assist in addressing the problems this medical field faces. Improvement in the physical therapy field will affect even more people by changing their lives for the better. Doctor Stewart: Physical therapy is a solution to immobility. This medical field has made it possible for accident victims to become mobile again. The kind of

Tuesday, September 24, 2019

Point of View Paper Essay

The Confederate soldier would tell Farquhar that the Owl Creek Bridge had been taken, but that if someone set the old driftwood on fire it would burn like tow. However, the Confederate soldier would warn Farquhar of the Union decree of death by hanging for anyone tampering with the railroad or bridges. Farquhar would not reply, but would give a smug smile at the news. Then I would film Farquhar sliding off a plank and the rope snapping, with him plunging into the water. This scene should have a watch ticking in the background right before Farquhar slides off, and then snap back to actual sound when he hits the water. Shock should be shown on the Union soldiers' faces as they fumble for their guns. The next scenes shot would be Farquhar underwater. Lethargic at first, Farquhar would sink, and then come alive. He would slip out of the ropes binding his arms, fling off his noose, and come out of the water with a piercing shriek. The two soldiers on the bridge would be aiming and shooting at him. Since it takes a moment to reload, Farquhar would reach the sandy bank as the cannon fires a volley into the ground before him. Farquhar would reach the woods and flee. Then a couple of scenes of Farquhar running in the woods at night should be shot: one should show him running in fright, the next walking tiredly. Finally, in the morning light, Farquhar should be shot walking with his eyes shut up a long driveway towards a two-storey home with six columns on the porch. He opens his eyes and runs toward a woman dressed in a brown hoopskirt. As soon as he reaches her, the whole scene fades. The final shot should be of Farquhar’s swinging body on the bridge. It should not be of him falling, as this would already have been seen when the rope broke; just his swinging body should be shot. A close-up of the actor’s face might show a slight smile at the thought of being home. This would represent Farquhar’s peace at going home through death. To

Monday, September 23, 2019

Thermal Solar Energy Essay

(n.d). The cost of operation, equipment and maintenance is high. This creates the need for a source of energy that is renewable, available at low cost and eco-friendly. The best option is renewable energy, which is restored by natural processes. In the UAE, the most available source of renewable energy is solar. Solar energy comes from the sun: nuclear reactions in the core of the sun release radiant energy, which can be converted into electrical or thermal energy (Cameron & Craig, 2010). This paper will discuss thermal solar power generation and outline the advantages and disadvantages of thermal solar generation. Moreover, the essay will concentrate on the utilisation of this kind of power in the United Arab Emirates (UAE). The paper will consider the reasons many people prefer this form of energy, and will deliberate on the future of thermal solar power in a growing economy. Solar thermal energy is a technology for exploiting the energy that comes from the sun as heat. The heat is transferred from the sun's rays and, where electricity is wanted, converted into electric current that is utilised in many industrial and domestic settings for power and heating (Tabak, 2009). Thermal energy from the sun is described as low-, medium- or high-temperature energy, depending on the thermal energy technology that gathers it. Solar power, by contrast, relies on solar cells or photovoltaic devices that transform sunlight into electricity (Shakespeare, 2014). Concentrated solar power is a solar collector system that utilises reflective surfaces to gather sunlight onto a small area, where it is absorbed and transformed into electricity (Technology Fundamentals, 2003). Concentrating solar systems are categorised according to the manner in which they collect solar energy: power tower systems, linear concentrators, and dish/engine systems. The systems

Sunday, September 22, 2019

The Environmental Aspect of Pocahontas Essay

The Environmental Aspect of Pocahontas Essay â€Å" Humankind has not woven the web of life. We are but one thread within it. Whatever we do to the web, we do to ourselves. All things are bound together. All things connect. † This is a quote said by a Native American chief, shows the attitudes of the Native American people as a whole and Pocahontas’ Mattaponi tribe. Disney’s highly acclaimed movie, Pocahontas, is about a female Indians battle to be with an Englishman named John Smith; even against her tribes culture and traditions. Throughout this story, we find that there are huge gaps in the way that the Englishmen and the Native Americans treat and view nature; through their culture and religion, the ways they acted towards earth, and the songs that they sang in the movie. One can tell a lot about a person or people by the culture they come from, ranging from: the way they dress, the way they talk etc. In Pocahontas, that could not be truer; we first have the Native Americans. Their culture was solely based on nature and nature alone. They believe they are one with the earth, that earth is their mother; everyone should respect it because we do not own it, but rather that we are borrowing it. Native Americans look to the spirits and the forces of Nature to guide them through life and help make important decisions and sort out dilemmas they will encounter in life. For example, Grandmother Willow, who in fact is not really a human but an actual willow tree who has the face and wisdom that one would find in their grandmother; as she also is Pocahontas’ guiding force and wisdom provider. Now on the other hand we have the Englishmen’s culture: their culture was very self-centered based due to their religion of Catholicism/Christianity; which to them are human-centered religions. 
Basically, their religious world view makes them think that everything in this world was created for them and that they can do whatever they choose with it, regardless of how they go about acquiring what they want. Another difference between the two groups is their appearance. The Englishmen, for example, are pompous and actually very fat, showing how they gorge themselves on the luxuries of food and self-centred living. The Native Americans, by contrast, take only what they need and no more, and they look healthy and strong. These examples give a glimpse of the two groups' true attitudes towards the earth and Mother Nature. The attitudes of the Englishmen and the Native Americans towards Mother Earth are very obvious and very different in this film, as are their cultures. “The gold of Cortez, the jewels of Pizarro / Will seem like mere trinkets by this time tomorrow. / The gold we find here will dwarf them by far. / Oh, with all you got in ya, boys / Dig up Virginia, boys.” This is sung by Governor Ratcliffe, the leader of the Englishmen, and shows the English’s self-centred, egotistical way of thinking when it comes to the earth. They do not care for nature or its creatures, or even for the other people of the world; the world and everything in it is solely theirs for the taking, and no person, people or thing can stop them. The Native Americans’ attitude towards the earth, and in general, is more humble and nurturing. Since their belief system is that they are one with the earth, in order to take care of oneself one must take care of the earth. This caring way of living in turn makes them a humble people. One can also tell the attitudes of the two groups from the songs they sing throughout the movie. “And dig, boys, dig ‘til ya drop. Grab a pick, boys.
Quick, boys, shove in a shovel… It’s gold and it’s mine, mine, mine… Make this land, my land.” This is one of the lyrics sung by Governor Ratcliffe in the song “Mine, Mine, Mine”. The name of the song in itself shows the Englishmen’s view of the earth, which is very greedy and narcissistic of Ratcliffe and his men. Another line from the song showing this selfish way of thinking comes at the end, where all the Englishmen sing in unison, “This land and what’s in it is mine!” They view the land only as theirs and not the Native Americans’, even though the Native Americans were the native people! On top of that they refer to the Native Americans as savages: “What can you expect, from filthy little heathens? Their whole disgusting race is like a curse. Their skin’s a hellish red. They’re only good when dead. They’re vermin, as I said. And worse, they’re savages! Savages!” Even though this lyric does not directly concern nature, they are completely disrespecting the people of Mother Nature, degrading not only their land with their actions but the people of the land with their words and hatred. “Drive them from our shore. They’re not like you and me. Which means they must be evil.” In this song the Englishmen show a lust for power and a readiness to kill anyone and anything that isn’t like them, only to get gold and riches. The songs that Pocahontas sings, on the other hand, are not so harsh and self-indulgent. “You think you own whatever land you land on. The Earth is just a dead thing you can claim. But I know every rock and tree and creature has a life, has a spirit, has a name,” she sings to John Smith, explaining that the earth is more than just something to dig up and take from. The Earth and everything in it have the same qualities that humans like her and Smith do. She also sings in that song, “Come run the hidden pine trails of the forest. Come taste the sun-sweet berries of the earth. Come roll in all the riches all around you.
And for once, never wonder what they’re worth.” She tells Smith to bask in the earth and all its resources without thinking about how much money they could be sold for. Another aspect of that lyric is that when she says “riches” she is not referring to money but to the richness of beauty and quality that the Earth gives us. Another song that reflects the Native American culture’s relationship to nature is “Just Around the River Bend”. This is a song in which Pocahontas compares life to the river and asks the spirits whether she should marry Kocoum. “Should I choose the smoothest course, steady as the beating drum? Should I marry Kocoum? Is all my dreaming at an end? Or do you still wait for me, Dream Giver, just around the river bend?” Pocahontas does not know whether she should take the path chosen for her or continue on the path of her free spirit. She asks the Dream Giver whether she should take the safe path and do as her customs say, or whether the spirit is waiting for her just around the river bend. These are just a few of the many examples in the music of this movie. One can now see how the Englishmen’s and the Native Americans’ ways of thinking about the environment are polar opposites. Through their culture, attitudes, actions and musical numbers, we see how sacred Mother Earth is to each group. The movie also shows that the group with the humbler attitude towards the earth did in fact become the victors in the end.

Saturday, September 21, 2019

Importance of Command Essay Example for Free

The chain of command is an important structure in the military. First, it allows problems to be handled at the lowest level possible in the command. If a military person has a problem he would go to his NCO first before going to the SNCOs or Commander; this way he isn't stepping on people's feet and everyone is aware of the situation so they can get it fixed. You also have to think of it in a war situation. If there was no chain of command then everyone would think they are in charge. If an NCO tells a private to go do something, then the private knows to just go do it. If there was no chain of command then the private would probably try to tell the NCO off and would then probably end up getting shot by the enemy. You work your way through the chain of command by rank and experience. This is why no one is going to question an order coming from someone of higher rank with more experience. As well, if a person believes that their situation needs to be addressed and executes the wrong decision, then what more can that person do? Everyone learns through their mistakes and no one is perfect in this world, but a bad situation comes with bad judgment and a lack of decision making.

In the civilian world they also use a chain of command. For example, most organizations have an established chain of command that is essential for effective management, accountability, and a strong means of operation. Whether it's because individuals now have higher expectations or perhaps simply out of force of habit, many of us want to go right to the top with our complaints. In terms of fairness and efficiency, this is not appropriate for their athlete programs, as it creates the necessity for an established chain of command. As a leader, you must start by educating everyone on the significance of your chain of command. You can do this in a variety of ways to get the person in dire need of help ready for anything.

We initially cover the chain of command in boot camp, when a recruit needs to use the head or needs to go to medical for any apparent reason. Because of the strong support from our chain of command and our efforts to educate, communicate and have high expectations, most new military personnel observe neglect as if no one cares for them. For this they need to be supportive of them and give them the security that everything is getting handled as fast as it can be; as a result this will significantly decrease the number of complaints and any further problems that may occur or arise. In any situation the NCOs will ask the lower rank, "Have you mentioned this to anyone?" or "How long has this problem been going on?" In any form of situation, regardless of whether they brought it up or not, the chain of command needs to be properly used in order for the personnel not to get in any trouble. Back to summarizing boot camp: while the recruits were in the depot they weren't used to being yelled at or being bossed around as if they weren't anything, but as the days went on they grew accustomed to the new procedures that they were following. Whatever the reason they needed to talk to the Drill Instructor, they went and knocked at the hatch of their door and said the correct phrase and correct greeting of the day. After being heard they would ask the Drill Instructor if they could use the head, go to medical, go to dental, or whether they had any financial issues back home or had to go to the bank or post office for any reason. It not only starts while you're in boot camp but goes back home to when you were still a civilian. When you needed something you were still using your chain of command with your parents; depending on which one was softer or tougher on you, that's the person you would go talk to about whatever you needed or wanted.

For example, if you needed gas money or a ride to the movies you would ask your parents; it could have been your mother you asked because she could be the soft one that would allow you to go or give you money of any kind. As a result, not only do we use a chain of command in the military but we used it back home and never realized it until you enlist in the military and experience it yourself. Leadership, accountability, efficiency, morale, and a sense of order all depend upon your chain of command.

It is important to follow proper instruction procedures in the military for many reasons. As military personnel, it is our responsibility not only to follow instructions/orders, but to execute the command. Not following orders can result in consequences not only for the person who failed to follow instructions, but it can also put others at risk too: your NCO in charge of you, your Team Leader, your Platoon Sergeant, your 1st Sergeant, your Company Commander, your Brigade Commander, and so on. Not only can your NCO in charge of you, your Team Leader, your Platoon Sergeant, your 1st Sergeant, your Company Commander, and your Brigade Commander all get into trouble for your actions of not following direct instructions/orders, but some may lose rank in the process, including the person who didn't follow the specific instructions/orders given by someone of higher rank. Also, when you are down range, deployed to Iraq, Afghanistan, North Korea, and other combat places we have our units fighting the war at, not only can a person lose rank, but by not following directions/orders you could get not only the person fighting alongside you in the war killed in combat but yourself as well.

Try to explain to a spouse, or a mother and father, or better yet the person's kids, that the reason why their parent, father or mother isn't coming home to see them is because you failed to follow the proper instructions/orders given to you. Not only is it important to follow instructions/orders, but you as military personnel could lose rank. The purpose of the chain of command is to instill structure, discipline and respect into newer enlisted military personnel. Each branch has its own secretary that assigns forces under their jurisdiction to unified and specified commanders; they perform missions and report back to their chain of command. The chain of command starts with the Commander-in-Chief (the U.S. President) and works its way down to the lowest ranking private in the Army, Navy or Marine Corps. Within the military, the chain of command is a method for leading and communicating. In addition to being a chain of command within the officer ranks, one of the main purposes of the chain of command is to be the backbone of the NCO support channel. The discipline and order that every branch maintains is what makes their branch the strongest in the world. From the moment you raise your hand and join the military you do as you are instructed at any time to complete any mission during the time allotted; once completed, whoever is responsible at the time has to report back to the chain of command. The chain of command is extremely important. The importance of the chain of command is that it provides stability inside the workplace for when incidents come about that need to be dealt with; it sets up the structure through which you report all good and bad things: accidents, mistakes, tardiness, and anything that can allow the mission of the day to be slowed down.

All incidents in essence are intended to be dealt with at the lowest level before being brought up to higher personnel, as well as for other reasons, such as that it helps build leadership, responsibility and common knowledge of how to run a stable workplace. On the leadership aspect, it helps people who are not, or would not normally be, able to take control of situations and control how things are run; they can take control and help whoever has the problem when it works well. When it doesn't work right, leadership is ineffective and some personnel end up doing other people's jobs for them.

Friday, September 20, 2019

Analysis of Botnet Security Threats

CHAPTER 1 INTRODUCTION

1.1 Introduction

During the last few decades, we have seen the dramatic rise of the Internet and its applications to the point where they have become a critical part of our lives. Internet security has therefore become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications, such as malware, which includes viruses, trojans, worms, and botnets. Botnets have become a main source of most of the malicious activities, such as scanning and distributed denial-of-service (DDoS) attacks, that happen across the Internet.

1.2 Botnet: The Largest Security Threat

A bot is a piece of software code, or malware, that runs automatically on a compromised machine without the user's permission. The bot code is usually written by criminal groups. The term "bot" refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually takes advantage of sophisticated malware techniques. As an example, a bot uses techniques like a keylogger to record private user information such as passwords, and hides its existence in the system. More importantly, a bot can distribute itself on the Internet to increase its scale and form a bot army. Recently, attackers have used compromised web servers to contaminate those who visit the websites through drive-by downloads [6]. Currently, a botnet contains thousands of bots, but there are cases where a botnet contains several million bots [7]. Bots differentiate themselves from other kinds of worms by their ability to receive commands from the attacker remotely [32]. The attacker, or botherder, controls bots through different protocols and structures.

The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used C&C channel at present. HTTP is also used because the HTTP protocol is permitted in most networks. Centralized botnet structures were very successful in the past, but now botherders use decentralized structures to avoid the single-point-of-failure problem. Unlike previous malware such as worms, which were probably written for entertainment, botnets are used for real financial abuse. Botnets can cause many problems, some of which are listed below:

i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisements for personal or commercial abuse.
ii. Spam production. The majority of the email on the Internet is spam.
iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine.
iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users into visiting their forged websites, so that they can obtain users' critical information such as usernames and passwords.

1.3 Botnet In-Depth

Nowadays, the most serious manifestation of advanced malware is the botnet. To distinguish between botnets and other kinds of malware, the concepts behind botnets have to be understood. For a better understanding of botnets, two important terms, Bot and BotMaster, are defined below from another point of view.

Bot: Bot is short for robot, and is also called a Zombie. It is a new type of malware [24] installed on a compromised computer which can be controlled remotely by the BotMaster to execute orders through received commands. After the bot code has been installed on the compromised computer, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as viruses and worms, whose main activities focus on attacking the infected host, bots can receive commands from the BotMaster and are used as a distributed attack platform.

BotMaster: A BotMaster, also known as a BotHerder, is a person or group of persons who control remote Bots.

Botnets: Botnets are networks consisting of a large number of Bots. Botnets are created by the BotMaster to set up a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amounts of SPAM or phishing mail, and other nefarious purposes [26, 27, 28].

Bots infect a person's computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stays hidden until it is called upon by its BotMaster to perform an attack or task. Other ways in which attackers infect a computer on the Internet with a Bot include sending email and using malicious websites, but the common way is searching the Internet for vulnerable and unprotected computers [29]. The activities associated with a Botnet can be classified into three parts:

(1) Searching: searching for vulnerable and unprotected computers.
(2) Dissemination: the Bot code is distributed to the computers (targets), so the targets become Bots.
(3) Sign-on: the Bots connect to the BotMaster and become ready to receive command and control traffic.

The main difference between Botnets and other kinds of malware is the existence of the Command-and-Control (C&C) infrastructure. The C&C allows Bots to receive commands and malicious capabilities, as directed by the BotMaster. BotMasters must ensure that their C&C infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as to resist any attempts to shut down the Botnet. However, detection and mitigation techniques against Botnets have increased [30, 31]. Recently, attackers have also been continually improving their approaches to protect their Botnets.

The first generation of Botnets utilized IRC (Internet Relay Chat) channels as their Command-and-Control (C&C) centers. The centralized C&C mechanism of such Botnets has made them vulnerable to being detected and disabled. Therefore, a new generation of Botnets which can hide their C&C communication has emerged: Peer-to-Peer (P2P) based Botnets. P2P Botnets do not suffer from a single point of failure, because they do not have centralized C&C servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their C&C infrastructure. Therefore, considering the C&C function gives a better understanding of Botnets and helps defenders design proper detection or mitigation techniques. According to the C&C channel, we categorize Botnets into three different topologies: a) Centralized; b) Decentralized; and c) Hybrid. In Section 1.4, these topologies are analyzed, along with the protocols currently being used in each model.

1.4 Botnet Topologies

According to the Command-and-Control (C&C) channel, Botnet topology is categorized into three different models: the Centralized model, the Decentralized model and the Hybrid model.

1.4.1 Centralized Model

The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, the BotMaster chooses a host (usually a high-bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The C&C server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency, which lets the BotMaster easily arrange the Botnet and launch attacks. Since all connections happen through the C&C server, the C&C is a critical point in this model. In other words, the C&C server is the weak point in this model. If somebody manages to discover and eliminate the C&C server, the entire Botnet will be worthless and ineffective.
Thus, this is the main drawback of this model. A lot of modern centralized Botnets employ a list of IP addresses of alternative C&C servers, which will be used in case a C&C server is discovered and taken offline. Since IRC and HTTP are the two common protocols that C&C servers use for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots.

1.4.1.1 Botnets based on IRC

IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. The IRC protocol is based on the Client-Server model and can be used on many computers in distributed networks. Some advantages which made the IRC protocol widely used for remote communication in Botnets are: (i) low-latency communication; (ii) anonymous real-time communication; (iii) the ability to do Group (many-to-many) and Private (one-to-one) communication; (iv) simple setup; (v) simple commands, the basic commands being to connect to servers, join channels and post messages in the channels; and (vi) great flexibility in communication. Therefore the IRC protocol is still the most popular protocol used in Botnet communication. In this model, BotMasters can command all of their Bots, or command a few of the Bots using one-to-one communication. The C&C server runs an IRC service that is the same as any other standard IRC service. Most of the time the BotMaster creates a channel on the IRC server that all the bots can connect to, which instructs each connected bot to carry out the BotMaster's commands. Figure 1.3 shows that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of IRC-based Botnets, as shown in Figure 1.4. Bot infection and control process [38]:

i. The attacker tries to infect the targets with Bots.
ii. After the Bot is installed on the target machine, it will try to connect to the IRC server. Meanwhile a random nickname is generated that shows the bot in the attacker's private channel.
iii. Request to the DNS server for the dynamic mapping of the IRC server's IP address.
iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channels are set to encrypted mode.
v. The attacker sends attack instructions in the private IRC channel.
vi. The attacker tries to connect to the private IRC channel and sends the authentication password.
vii. Bots receive the instructions and launch attacks such as DDoS attacks.

1.4.1.2 Botnets based on HTTP

The HTTP protocol is another well-known protocol used by Botnets. Because the IRC protocol within Botnets became well known, Internet security researchers gave more consideration to monitoring IRC traffic to detect Botnets. Consequently, attackers started to use the HTTP protocol as a Command-and-Control communication channel to make Botnets more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnet traffic in normal web traffic, so it can easily pass firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to unneeded ports, which usually include the IRC port.

1.4.2 Decentralized Model

Due to the major disadvantage of the Centralized model, the central Command-and-Control (C&C), attackers tried to build another Botnet communication topology that is harder to discover and destroy. Hence, they decided to find a model in which the communication system does not depend heavily on a few selected servers, and which survives even the discovery and destruction of a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (C&C) pattern, which is much harder to shut down in the network.
The P2P-based C&C model will be used considerably in Botnets in the future, and Botnets that use the P2P-based C&C model definitely impose a much bigger challenge for network defense. In the P2P model, as shown in Fig. 1.6, there is no centralized point for communication. Each Bot has some connections to the other Bots of the same Botnet, and Bots act as both clients and servers. A new Bot must know some addresses of the Botnet to connect to it. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of the BotMaster. P2P Botnets aim at removing or hiding the central point of failure, which is the main weakness and vulnerability of the Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bot. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands becomes essential to prevent other nodes from injecting incorrect commands. For a better understanding of this model, some characteristics and important features of well-known P2P Botnets are mentioned here:

Slapper: Allows the routing of commands to distinct nodes. Uses public-key and private-key cryptography to authenticate commands. BotMasters sign commands with the private key, and only those nodes which have the corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet, so one single captured Bot would expose the entire Botnet to defenders [42]; (b) its sophisticated communication mechanism produces a lot of traffic, making it vulnerable to monitoring via network flow analysis.

Sinit: This Bot uses random searching to discover other Bots to communicate with. This can result in easy detection due to the extensive probing traffic [34].

Nugache: Its weakness is its reliance on a seed list of 22 IP addresses during its bootstrap process [47].

Phatbot: Uses a Gnutella cache server for its bootstrap process, which can easily be shut down. Also, its WASTE P2P protocol has a scalability problem across a large network [48].

Storm worm: It uses the P2P Overnet protocol to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as described below [37]:

i. Connect to Overnet: Bots try to join the Overnet network. Each Bot initially has hard-coded binary files which include the IP addresses of P2P-based Botnet nodes.
ii. Search and Download Secondary Injection URL: the Bot uses hard-coded keys to search for and download the URL on the Overnet network [37].
iii. Decrypt Secondary Injection URL: compromised hosts take advantage of a (hard-coded) key to decrypt the URL.
iv. Download Secondary Injection: compromised hosts attempt to download the secondary injection from a server (probably a web server). It could be infected files, updated files or a list of the P2P nodes [37].

1.4.3 Hybrid Model

The Bots in the Hybrid Botnet are categorized into two groups:

1) Servant Bots: Bots in the first group are called servant Bots, because they behave as both clients and servers; they have static, routable IP addresses and are accessible from the entire Internet.
2) Client Bots: Bots in the second group are called client Bots since they do not accept incoming connections. This group contains the remaining Bots, including: (a) Bots with dynamically assigned IP addresses; (b) Bots with non-routable IP addresses; and (c) Bots behind firewalls which cannot be connected to from the global Internet.

1.5 Background of the Problem

Botnets, which are controlled remotely by BotMasters, can launch huge denial-of-service attacks and several infiltration attacks, can be used to spread spam, and can also conduct other malicious activities [115].
While bot army activity has, so far, been limited to criminal activity, their potential for causing large-scale damage to the entire Internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today, because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power from size, both in their increasing bandwidth and in their reach. As mentioned before, Botnets can cause severe network disruptions through huge denial-of-service attacks, and the danger of this interruption can cost enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized-crime market.

1.6 Statement of the Problem

Recently, botnets have been using a new type of command-and-control (C&C) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of such a botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or C&C server. This is typically an IRC network that all bots connect to as a central point; however, with the use of the P2P method, we cannot find any central point of command. In P2P networks each bot searches to connect to other peers, which can receive or broadcast commands through the network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks.

1.7 Research Questions

a. What are the main differences between centralized and decentralized botnets?
b. What is the best and most efficient general extensible solution for detecting non-specific Peer-to-Peer botnets?

1.8 Objectives of the Study

i. To develop a network-based framework for Peer-to-Peer botnet detection by common behavior in network communication.
ii. To study the behavior of bots and recognize behavioral similarities across multiple bots in order to develop the mentioned framework.

1.9 Scope of the Study

The project scope is limited to developing some algorithms pertaining to our proposed framework. These algorithms are used for decreasing traffic by filtering it, classifying the intended traffic, monitoring traffic and detecting malicious activities.

1.10 Significance of the Study

Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give full control of many computers around the world to be exploited for malicious purposes such as the spread of viruses and worms, spam distribution and DDoS attacks. Therefore, studying the behavior of P2P botnets and developing a technique that can detect them is important and in high demand.

1.11 Summary

Understanding Botnet Command-and-Control (C&C) is a critical part of recognizing how best to protect against the overall botnet threat. The C&C channels utilized by Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized C&C channels, and have achieved some success using Decentralized (P2P) C&C channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnet C&C channels, which includes the Centralized, Decentralized, and Hybrid models, and tried to evaluate the recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnet threats.

CHAPTER 2 LITERATURE REVIEW

2.1 Introduction

Previously, the majority of botnets were using IRC (Internet Relay Chat) as the communication protocol for the Command and Control (C&C) mechanism.
Therefore, many researchers tried to develop botnet detection schemes based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache, moving toward the utilization of P2P networks for C&C infrastructure. In response to this movement, researchers have proposed various models of botnet detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnets is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, this asset is also considered a main disadvantage for the attacker [8]. The threat of the Botnet can be decreased and possibly eliminated if the central C&C is taken over or taken down [8]. The method that is starting to emerge is a P2P structure for Botnet interaction. There is no centralized center for P2P botnets. Any node in a P2P botnet behaves as both client and server. If any point in the network is shut down, the botnet can still continue its operation. The Storm botnet is one of the main and most recognized recent P2P botnets. It customized the Overnet P2P file-sharing application, which is based on the Kademlia distributed hash table algorithm [55], and exploited it for its C&C infrastructure. Recently many researchers, especially in the anti-virus community and electronic media, have concentrated on the Storm worm [56, 57].

2.2 Background and History

A peer-to-peer network is a network of computers in which any computer can behave as both a client and a server. Some definitions of peer-to-peer networks do not require any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8].

2.2.1 History

Table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time runs from the first bots, EggDrop, until the newly released Storm Worm P2P bot.

The first non-malicious bot was EggDrop, which came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot, which has many other categories, is another well-known malicious bot; its variants are IRC clients, mIRC.exe [61]. After a while, P2P protocols came to be used for Botnet activities. Napster was one of the first bots that used P2P as its communication. Napster built a platform that permitted all bots to find each other and share files with each other in the network. In this bot, file sharing was done through a centralized server, so we can say it was not completely a P2P botnet. Therefore, all bots had to upload an index of their files to the centralized server, and if they were looking for other files among all bots, they had to search in the centralized server. If it could find the file it was looking for, it could then directly connect to that bot and download what it wanted. Nowadays, because Napster has been shut down as its service was recognized as an illegal service, many other P2P services focus on avoiding such discovery. A few years after Napster, the Gnutella protocol came up as the first completely P2P service. After Gnutella, as shown in Table 2.1, many other P2P protocols were released, such as Kademlia and Chord. These two new P2P services use a distributed hash table as a method for finding information in peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and became widespread because of its good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots, and there is an anticipation that P2P bots will reach the stage where Centralized botnets will not be used any more in the future.

Table 2.1: P2P based Botnets

2.3 Peer-to-Peer Overlay Networks

Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in the first category can connect to at most X peers, subject to some conditions for identifying the nodes that those peers want to connect to. However, in the unstructured type there is no specified limit on the number of peers that they can connect to, and there is no condition for connecting to other peers. Overnet is a good example of a structured P2P network and Chord is a good example of an unstructured P2P network.

2.3.1 Brief overview of Overnet

One of the popular file-sharing networks is Overnet, whose design uses a distributed hash table (DHT) algorithm called Kademlia [55]. Each node produces a 128-bit id for joining the network, which it also sends to other nodes to introduce itself. Each node in the network saves information about other nodes in order to route query messages.

2.3.2 Brief overview of Gnutella

Gnutella is an unstructured file-sharing network. In this network, when a node n wants to connect to a node m, it uses a Ping message to inform the other node of its presence. As soon as node m receives the Ping message, it forwards it to the other nodes in its neighborhood and also sends a Pong message to the sender of the Ping message, which was node n. This transaction among nodes lets them learn about each other.

2.4 Botnet Detection

In particular, to compare existing botnet detection techniques, different methods are described and then the disadvantages of each method are mentioned respectively.

2.4.1 Honeypot-based tracking

Honeypots can be used to collect bots for analyzing their behavior and signatures and also for tracking botnets. But using honeypots has several limitations. The most important limitation is the limited scale of exploit activities that can be tracked. Also, it cannot capture bots that use a propagation method other than scanning, such as spam. And finally, it can only give a report for infected machines that are anticipated and put in the network as trap systems.
This means it cannot report on computers in the network that are infected with a bot but were not set up as trap machines. In general, then, with this technique we have to wait until a bot in the network infects our trap system before we can track or analyse the machine.

2.4.2 Intrusion detection systems

Intrusion detection techniques can be categorized into host-based and network-based solutions. Host-based techniques are used to recognize malware binaries such as viruses; anti-virus systems are a good example. Anti-virus software, however, is good only for virus detection. Its most important disadvantage is that bots can easily evade detection by changing their signatures, because the detection system cannot keep its database consistently updated. Bots can also disable anti-virus tools on the system to protect themselves from detection. Network-based intrusion detection is another method used in the field of botnet detection. Snort [67] and Bro [68] are the two well-known signature-based detection systems in current use. They use a database of signatures of known malicious activity to detect botnets or any other malware. If our objective is to use this technique for botnet detection, we have to keep updating the database, recognizing each new malware quickly, producing a signature for it and adding it to the database. To solve this problem, researchers have recently turned to anomaly-based IDS, which detect malicious activity based on the behaviour of the malware.

2.4.3 BotHunter: dialog correlation-based botnet detection

This technique developed an evidence-trail approach for detecting successful bot infections from the communication patterns of the infection process.
In this strategy, bot infection patterns are modelled and used to recognize the whole process of botnet infection in the network. All behaviour that occurs during bot infection, such as target scanning, C&C establishment, binary downloading and outbound propagation, is modelled by this method. The method gathers an evidence trail of related infection events for each internal machine and then looks for a threshold combination of sequences that satisfies the condition for bot infection [32]. BotHunter uses Snort with two added anomaly-detection components: SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produces internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE performs byte-distribution payload anomaly detection of incoming packets, providing a complementary non-signature approach to inbound exploit detection [32]. SLADE uses an n-gram payload examination of traffic that is typical of malware intrusions. SCADE performs port scan analysis for incoming and outgoing traffic. BotHunter links scan and intrusion alarms to show that a host has been infected. When an adequate sequence of alerts is established to match BotHunter's infection dialog model, a comprehensive report is created of all the related events and participants that have a role in the infection dialog [32]. This method provides some important features:

i. The technique concentrates on malware detection by IDS-driven dialog correlation. The model captures the essential network processes that occur during a successful bot infection.

ii. The technique has one IDS-independent dialog correlation engine and three bot-specific sensors.
iii. The technique can automatically produce a report of the whole bot detection, including the infection agent, the identity of the infected computer and the source of the Command and Control centre.

2.4.3.1 Bot infection sequences

Understanding the bot infection life cycle is a challenging task for protecting the network in the future. The major work in this area is differentiating a successful bot infection from a background exploit attempt. To reach this point, analysis of the two-way dialog flow between internal hosts and external hosts (the Internet) is needed. In a well-designed network that uses filtering at the gateway, the threat of direct exploitation is limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media and drive-by download infections [32].

2.4.3.2 Modeling the infection dialog process

The bot distribution model can be derived from an analysis of external communication traffic that shows the behaviour of the relevant botnet. Incoming scan and exploit alarms alone are not enough to declare a successful malware infection, since it is assumed that a steady stream of scan and exploit signals will be observed by the egress monitor [32]. Figure 2.1 shows the process of bot infection that BotHunter uses to evaluate network flows through eight stages. This model is very similar to the model that Rajab et al. presented for IRC detection. The model they proposed has an early initial scanning phase, a preceding stage that takes the form of IP exchange and targeting of vulnerable ports. Figure 2.1 is not intended as a strict ordering of the infection events that occur during bot infection. The important point is that analysis of the bot dialog process has to be robust to the absence of some dialog events and must not require strict sequencing of the order in which inbound dialog is conducted.
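The dialog-correlation idea described above, as an added example that is not BotHunter's code: a per-host evidence trail of dialog alerts is kept inside a time window, and an infection is declared only when the weighted combination of distinct alert classes crosses a threshold and satisfies a minimal sparse sequence (local-infection evidence plus one outward sign, or two outward signs), so a lone inbound scan-plus-exploit stays a background exploit attempt. The five event classes, their weights, the threshold, the window and the alert lines are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Dialog event classes: a constructed simplification of the infection dialog
# the text describes (inbound scan, inbound exploit, binary/egg download,
# C&C establishment, outbound scan/propagation). Weights are constructed.
WEIGHTS = {"E1_SCAN": 1, "E2_EXPLOIT": 3, "E3_EGG": 3, "E4_CNC": 3, "E5_OUTSCAN": 3}
OUTWARD = {"E3_EGG", "E4_CNC", "E5_OUTSCAN"}   # signs of outward bot coordination
THRESHOLD = 6    # constructed weight threshold for declaring an infection
WINDOW = 600     # seconds an alert stays in a host's evidence trail


@dataclass
class Event:
    ts: int
    host: str
    kind: str


def parse_log(lines):
    """Parse constructed 'ts host event' alert lines, skipping malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in WEIGHTS:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        events.append(Event(ts, parts[1], parts[2]))
    return events


def infection_declared(kinds):
    """Minimal sparse sequence: weighted score over the threshold, and either
    local-infection evidence (E2) plus one outward sign, or two outward signs."""
    kinds = set(kinds)
    score = sum(WEIGHTS[k] for k in kinds)
    if score < THRESHOLD:
        return False
    outward = kinds & OUTWARD
    return ("E2_EXPLOIT" in kinds and bool(outward)) or len(outward) >= 2


def correlate(events, window=WINDOW):
    """Keep a per-host evidence trail, drop alerts older than the window, and
    return {host: sorted event kinds} for each host whose trail satisfies the
    declaration rule at some point in time."""
    trails = defaultdict(list)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        trail = [e for e in trails[ev.host] if ev.ts - e.ts <= window]
        trail.append(ev)
        trails[ev.host] = trail
        kinds = {e.kind for e in trail}
        if ev.host not in flagged and infection_declared(kinds):
            flagged[ev.host] = sorted(kinds)
    return flagged


# Constructed alert stream: timestamp, internal host, dialog event class.
SAMPLE_ALERTS = [
    "100 10.0.0.5 E1_SCAN",
    "130 10.0.0.5 E2_EXPLOIT",
    "200 10.0.0.5 E4_CNC",        # exploit followed by C&C: declared
    "110 10.0.0.7 E1_SCAN",
    "150 10.0.0.7 E2_EXPLOIT",    # background exploit attempt, no outward sign
    "300 10.0.0.9 E3_EGG",
    "340 10.0.0.9 E5_OUTSCAN",    # two outward signs, exploit never seen: declared
    "400 10.0.0.11 E2_EXPLOIT",
    "1500 10.0.0.11 E4_CNC",      # the exploit aged out of the window: not declared
    "garbage line",
]

if __name__ == "__main__":
    for host, kinds in correlate(parse_log(SAMPLE_ALERTS)).items():
        print(f"{host}: infection declared on {', '.join(kinds)}")
```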
One solution to the problem of sequence and event order is to use a weighted event threshold system that takes the smallest essential sparse sequences of events under which a bot profile declaration can be initiated [32]. For instance, it is possible to set weights and a threshold for the appearance of each event so that a minimal set of events is required before a bot is declared.

2.4.3.3 Design and implementation

This part devotes more attention to designing a passive network monitoring system able to identify the bidirectional warning signs when internal hosts are infected with b

Analysis of Botnet Security Threats

CHAPTER 1 INTRODUCTION

1.1 Introduction

During the last few decades we have seen the dramatic rise of the Internet and its applications, to the point where they have become a critical part of our lives. Internet security has therefore become more and more important to those who use the Internet for work, business, entertainment or education. Most attacks and malicious activities on the Internet are carried out by malicious applications, i.e. malware, which includes viruses, trojans, worms and botnets. Botnets have become the main source of most malicious activities, such as scanning, distributed denial-of-service (DDoS) attacks and other malicious activity that happens across the Internet.

1.2 Botnet: Largest Security Threat

A bot is software, or malware, that runs automatically on a compromised machine without the user's permission. The bot code is usually written by criminal groups. The term "bot" refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually takes advantage of sophisticated malware techniques.
As an example, a bot uses techniques such as a keylogger to record private user information like passwords, and hides its existence on the system. More importantly, a bot can distribute itself over the Internet to increase its scale and form a bot army. Recently, attackers have used compromised web servers to contaminate visitors to those websites through drive-by downloads [6]. Currently a botnet typically contains thousands of bots, but there are cases where a botnet contains several million bots [7]. Bots differentiate themselves from other kinds of worms by their ability to receive commands from the attacker remotely [32]. The attacker, or better the botherder, controls bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used C&C channel at present. HTTP is also used, because the HTTP protocol is permitted in most networks. Centralized botnet structures were very successful in the past, but botherders now use decentralized structures to avoid the single point of failure problem. Unlike previous malware such as worms, which were probably used for entertainment, botnets are used for real financial abuse. Botnets can cause many problems, some of which are listed below:

i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisements for personal or commercial gain.

ii. Spam production. The majority of email on the Internet is spam.

iii. DDoS attacks. A bot army can be commanded to launch a distributed denial-of-service attack against any machine.

iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users into visiting their forged websites, so that they can obtain users' critical information such as usernames and passwords.

1.3 Botnet in Depth

Nowadays, the most serious manifestation of advanced malware is the botnet.
To distinguish botnets from other kinds of malware, the concepts behind them have to be understood. For a better understanding of botnets, two important terms, Bot and BotMaster, are defined from different points of view.

Bot: Bot is short for robot, and is also called a Zombie. It is a new type of malware [24] installed on a compromised computer that can be controlled remotely by the BotMaster, executing orders through the commands it receives. After the bot code has been installed on the compromised computer, the computer becomes a Bot or Zombie [25]. In contrast to existing malware such as viruses and worms, whose main activity is attacking the infected host, bots can receive commands from the BotMaster and are used as a distributed attack platform.

BotMaster: The BotMaster, also known as the BotHerder, is a person or group of persons who control remote bots.

Botnets: Botnets are networks consisting of a large number of bots. Botnets are created by the BotMaster to set up a private communication infrastructure that can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amounts of spam or phishing mail, and other nefarious purposes [26, 27, 28]. Bots infect a person's computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The bot stays hidden until it is told by its BotMaster to perform an attack or task. Other ways attackers use to infect a computer on the Internet with a bot include sending email and using malicious websites, but the common way is searching the Internet for vulnerable and unprotected computers [29]. The activities associated with a botnet can be classified into three parts:

(1) Searching: searching for vulnerable and unprotected computers.
(2) Dissemination: the bot code is distributed to the target computers, so the targets become bots.

(3) Sign-on: the bots connect to the BotMaster and become ready to receive command and control traffic.

The main difference between botnets and other kinds of malware is the existence of the Command-and-Control (C&C) infrastructure. The C&C allows bots to receive commands and malicious capabilities, as directed by the BotMaster. The BotMaster must ensure that the C&C infrastructure is sufficiently robust to manage thousands of distributed bots across the globe, as well as to resist any attempts to shut down the botnet. However, detection and mitigation techniques against botnets have increased [30, 31]. Recently, attackers have also been continually improving their approaches to protecting their botnets. The first generation of botnets utilized IRC (Internet Relay Chat) channels as their Command-and-Control (C&C) centres. The centralized C&C mechanism of such botnets made them vulnerable to being detected and disabled. Therefore a new generation of botnets that can hide their C&C communication has emerged: Peer-to-Peer (P2P) based botnets. P2P botnets do not suffer from a single point of failure, because they do not have centralized C&C servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their C&C infrastructure. Considering the C&C function therefore gives a better understanding of botnets and helps defenders design proper detection or mitigation techniques. According to the C&C channel, we categorize botnets into three different topologies: a) Centralized; b) Decentralized; and c) Hybrid. In Section 1.1.4 these topologies are analysed, together with the protocols currently used in each model.

1.4 Botnet Topologies

According to the Command-and-Control (C&C) channel, botnet topology is categorized into three different models: the Centralized model, the Decentralized model and the Hybrid model.
1.4.1 Centralized Model

The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and the bots. The BotMaster chooses a host (usually a high-bandwidth computer) to be the central point, the Command-and-Control server, for all the bots. The C&C server runs certain network services such as IRC or HTTP. The main advantage of this model is low message latency, which lets the BotMaster easily coordinate the botnet and launch attacks. Since all connections go through the C&C server, the C&C server is a critical point in this model; in other words, it is the weak point. If somebody manages to discover and eliminate the C&C server, the entire botnet becomes worthless and ineffective. This is the main drawback of the model. Many modern centralized botnets employ a list of IP addresses of alternative C&C servers, to be used in case a C&C server is discovered and taken offline. Since IRC and HTTP are the two common protocols that C&C servers use for communication, we consider botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture of a centralized model. There are two central points that forward commands and data between the BotMaster and his bots.

1.4.1.1 Botnets based on IRC

IRC is a form of real-time Internet text messaging or synchronous conferencing [36]. The IRC protocol is based on the client-server model and can be used on many computers in distributed networks. Some advantages that have made the IRC protocol widely used for remote communication in botnets are: (i) low-latency communication; (ii) anonymous real-time communication; (iii) the ability to do both group (many-to-many) and private (one-to-one) communication; (iv) simplicity of setup; (v) simple commands, the basic ones being connect to server, join channel and post messages in the channel; and (vi) great flexibility in communication.
Therefore the IRC protocol is still the most popular protocol used in botnet communication. In this model, BotMasters can command all of their bots, or command a few of the bots using one-to-one communication. The C&C server runs an IRC service that is the same as any other standard IRC service. Most of the time the BotMaster creates a channel on the IRC server to which all the bots connect, and through which each connected bot is instructed to carry out the BotMaster's commands. Figure 1.3 shows one central IRC server that forwards commands and data between the BotMaster and his bots. Puri [38] presented the procedures and mechanism of IRC-based botnets, as shown in Figure 1.4. The bot infection and control process [38]:

i. The attacker tries to infect the targets with bots.

ii. After the bot is installed on the target machine, it will try to connect to the IRC server. Meanwhile a random nickname is generated to represent the bot in the attacker's private channel.

iii. The bot queries the DNS server, which dynamically maps the IRC server's IP address.

iv. The bot joins the private IRC channel set up by the attacker and waits for instructions from the attacker. Most of these private IRC channels are set to encrypted mode.

v. The attacker sends attack instructions in the private IRC channel.

vi. The attacker tries to connect to the private IRC channel and sends the authentication password.

vii. The bots receive the instructions and launch attacks such as DDoS attacks.

1.4.1.2 Botnets based on HTTP

The HTTP protocol is another well-known protocol used by botnets. Because the IRC protocol within botnets became well known, Internet security researchers paid more attention to monitoring IRC traffic to detect botnets. Consequently, attackers started to use the HTTP protocol as a Command-and-Control communication channel to make botnets more difficult to detect. The main advantage of using the HTTP protocol is that it hides botnet traffic in normal web traffic, so it can easily pass firewalls and avoid IDS detection.
Usually firewalls block incoming and outgoing traffic to unneeded ports, which usually include the IRC port.

1.4.2 Decentralized model

Because of the major disadvantage of the centralized model, its central Command-and-Control (C&C), attackers tried to build another botnet communication topology that is harder to discover and destroy. Hence they looked for a model in which the communication system does not depend heavily on a few selected servers, and in which discovering and destroying a number of bots does not bring the botnet down. As a result, attackers took advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (C&C) pattern, which is much harder to shut down. The P2P-based C&C model will be used considerably in botnets in the future, and botnets that use a P2P-based C&C model definitely impose a much bigger challenge for network defence. In the P2P model, as shown in Fig. 1.6, there is no centralized point for communication. Each bot has some connections to other bots of the same botnet, and bots act as both clients and servers. A new bot must know some addresses in the botnet in order to connect to it. If bots in the botnet are taken offline, the botnet can still continue to operate under the control of the BotMaster. P2P botnets aim at removing or hiding the central point of failure, which is the main weakness and vulnerability of the centralized model. Some P2P botnets operate partially decentralized and some completely decentralized. Those that are completely decentralized allow a BotMaster to insert a command into any bot. Since P2P botnets usually allow commands to be injected at any node in the network, authentication of commands becomes essential to prevent other nodes from injecting incorrect commands. For a better understanding of this model, some characteristics and important features of well-known P2P botnets are given:

Slapper: Allows the routing of commands to distinct nodes. Uses public key and private key cryptography to authenticate commands.
BotMasters sign commands with the private key, and only those nodes that have the corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known bots contains all (or almost all) of the botnet, so one single captured bot would expose the entire botnet to defenders [42]; (b) its sophisticated communication mechanism produces a lot of traffic, making it vulnerable to monitoring via network flow analysis.

Sinit: This bot uses random searching to discover other bots to communicate with. This can result in easy detection due to the extensive probing traffic [34].

Nugache: Its weakness is its reliance on a seed list of 22 IP addresses during its bootstrap process [47].

Phatbot: Uses a Gnutella cache server for its bootstrap process, which can easily be shut down. Its WASTE P2P protocol also has a scalability problem across a large network [48].

Storm worm: It uses the P2P Overnet protocol to control compromised hosts. The communication protocol for this bot can be classified into five steps, as described below [37]:

i. Connect to Overnet: bots try to join the Overnet network. Each bot initially has hard-coded binary files that include the IP addresses of P2P-based botnet nodes.

ii. Search for and download the secondary injection URL: the bot uses hard-coded keys to search for and download the URL on the Overnet network [37].

iii. Decrypt the secondary injection URL: compromised hosts use a hard-coded key to decrypt the URL.

iv. Download the secondary injection: compromised hosts attempt to download the secondary injection from a server (probably a web server). It could be infected files, updated files or a list of the P2P nodes [37].

1.4.3 Hybrid model

The bots in a hybrid botnet are categorized into two groups:

1) Servant bots: bots in the first group are called servant bots because they behave as both clients and servers; they have static, routable IP addresses and are accessible from the entire Internet.
2) Client bots: bots in the second group are called client bots since they do not accept incoming connections. This group contains the remaining bots, including: (a) bots with dynamically assigned IP addresses; (b) bots with non-routable IP addresses; and (c) bots behind firewalls, which cannot be connected to from the global Internet.

1.5 Background of the Problem

Botnets, which are controlled remotely by BotMasters, can launch huge denial-of-service attacks and several kinds of infiltration attack, and can be used to spread spam and conduct other malicious activities [115]. While bot army activity has so far been limited to criminal activity, its potential for causing large-scale damage to the entire Internet is immeasurable [115]. Botnets are therefore one of the most dangerous types of network-based attack today, because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power from size, both in their increasing bandwidth and in their reach. As mentioned before, botnets can cause severe network disruption through huge denial-of-service attacks, and the danger of this disruption can cost enterprises large sums in extortion fees. Botnets are also used to harvest personal, corporate or government sensitive information for sale on a blooming organized crime market.

1.6 Statement of the Problem

Recently, botnets have been using a new type of Command-and-Control (C&C) communication that is totally decentralized: they utilize peer-to-peer style communication. Tracking the starting point and activity of such a botnet is much more complicated because of the peer-to-peer communication infrastructure. Combating botnets is usually a matter of discovering their weakness: their central position of command, the C&C server. This is typically an IRC network to which all bots connect at a central point; with the P2P method, however, there is no central point of command to find.
In a P2P network each bot searches for other peers to connect to, which can receive or broadcast commands through the network. Therefore an accurate detection and fighting method is required to prevent or stop such dangerous networks.

1.7 Research Questions

a. What are the main differences between centralized and decentralized botnets?

b. What is the best and most efficient general, extensible solution for detecting non-specific Peer-to-Peer botnets?

1.8 Objectives of the Study

i. To develop a network-based framework for Peer-to-Peer botnet detection based on common behaviour in network communication.

ii. To study the behaviour of bots and recognize behavioural similarities across multiple bots in order to develop the mentioned framework.

1.9 Scope of the Study

The project scope is limited to developing some algorithms pertaining to our proposed framework. These algorithms are used to reduce traffic by filtering it, to classify the traffic of interest, to monitor traffic and to detect malicious activities.

1.10 Significance of the Study

Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give full control of many computers around the world, which can be exploited for malicious purposes such as spreading viruses and worms, spam distribution and DDoS attacks. Therefore, studying the behaviour of P2P botnets and developing a technique that can detect them is important and in high demand.

1.11 Summary

Understanding botnet Command-and-Control (C&C) is a critical part of recognizing how best to protect against the overall botnet threat. The C&C channels utilized by botnets will often show the type and degree of action an enterprise can take in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from centralized C&C channels, and have achieved some success using decentralized (P2P) C&C channels over the last 5 or so years.
In this chapter we have therefore defined a classification for a better understanding of botnet C&C channels, comprising the Centralized, Decentralized and Hybrid models, and tried to evaluate the recognized protocols in each of them. Understanding the communication topologies of botnets is essential to precisely identify, detect and mitigate the ever-increasing botnet threat.

CHAPTER 2 LITERATURE REVIEW

2.1 Introduction

Previously, the majority of botnets used IRC (Internet Relay Chat) as the communication protocol for their Command and Control (C&C) mechanism. Therefore many researchers tried to develop botnet detection schemes based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as the Storm worm and Nugache, that utilize P2P networks for their C&C infrastructure. In response to this movement, researchers have proposed various models for detecting botnets that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP botnets is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, this asset is also considered a main disadvantage for the attacker [8]: the threat of the botnet can be decreased and possibly eliminated if the central C&C is taken over or taken down [8]. The method that is starting to emerge is a P2P structure for botnet interaction. There is no centralized centre in P2P botnets; any node in a P2P botnet behaves as both client and server, and if any point in the network is shut down the botnet can still continue its operation. The Storm botnet is one of the main and most recognized recent P2P botnets. It customized the Overnet P2P file-sharing application, which is based on the Kademlia distributed hash table algorithm [55], and exploited it for its C&C infrastructure. Recently many researchers, especially in the anti-virus community and electronic media, have concentrated on the Storm worm [56, 57].
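To make concrete why a Kademlia-based overlay such as Overnet gives the Storm botnet no central point to take down (this section) and how the 128-bit node ids and per-node peer knowledge route a query (the Overnet overview in Section 2.3.1), here is an added example that is not code from the thesis, from Overnet or from any botnet. It goes beyond the text in using Kademlia's XOR distance and prefix buckets; the bucket size K, the MD5 key hashing and the 40-node network are constructed assumptions.

```python
import hashlib
import random

ID_BITS = 128  # Overnet/Kademlia node ids are 128 bits wide
K = 3          # assumption: peers kept per bucket and returned per query


def xor_distance(a, b):
    """Kademlia's closeness metric: the XOR of two ids, read as an integer."""
    return a ^ b


def key_to_id(key):
    """Map a search key into the 128-bit id space. MD5 is a stand-in chosen for
    this example (not Overnet's own hash); any 128-bit digest works here."""
    return int.from_bytes(hashlib.md5(key.encode()).digest(), "big")


class Node:
    """A peer: its own id plus what it has learned about other peers,
    grouped into buckets by the highest bit of the XOR distance."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.buckets = {}  # bucket index -> list of up to K peer ids

    def learn(self, other_id):
        """Remember another peer's id, as received in its introduction."""
        if other_id == self.node_id:
            return
        idx = xor_distance(self.node_id, other_id).bit_length() - 1
        bucket = self.buckets.setdefault(idx, [])
        if other_id not in bucket and len(bucket) < K:
            bucket.append(other_id)

    def known(self):
        return [p for bucket in self.buckets.values() for p in bucket]

    def find_node(self, target, k=K):
        """Answer a FIND_NODE query with the k known peers closest to target."""
        return sorted(self.known(), key=lambda p: xor_distance(p, target))[:k]


def lookup(network, start_id, target, k=K):
    """Iterative lookup from start_id: ask the closest not-yet-queried peers
    until the k closest peers seen have all been asked. No node is special;
    any peer can be the starting point. Returns (closest_id, query_rounds)."""
    queried = set()
    shortlist = {start_id}
    rounds = 0
    while True:
        closest = sorted(shortlist, key=lambda p: xor_distance(p, target))[:k]
        pending = [p for p in closest if p not in queried]
        if not pending:
            break
        for pid in pending:
            queried.add(pid)
            shortlist.update(network[pid].find_node(target, k))
        rounds += 1
    return min(shortlist, key=lambda p: xor_distance(p, target)), rounds


def build_network(size, seed=7):
    """Constructed overlay: `size` nodes with random ids, each introduced to
    every other node so that every non-empty bucket holds at least one peer."""
    rng = random.Random(seed)
    ids = {}
    while len(ids) < size:
        ids.setdefault(rng.getrandbits(ID_BITS), None)
    network = {nid: Node(nid) for nid in ids}
    for node in network.values():
        for other in network:
            node.learn(other)
    return network


def true_closest(network, target):
    """Brute-force answer, used only to check the routed lookup."""
    return min(network, key=lambda p: xor_distance(p, target))


if __name__ == "__main__":
    net = build_network(40)
    target = key_to_id("example-key")   # constructed search key
    found, rounds = lookup(net, next(iter(net)), target)
    print(hex(found), rounds, found == true_closest(net, target))
```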
2.2 Background and History

A peer-to-peer network is a network of computers in which any computer can behave as both a client and a server. Some definitions of peer-to-peer networks do not require any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8].

2.2.1 History

Table 2.1 shows a summary of some well-known bots and P2P protocols, over the time range from the first bots, EggDrop, until the newly released Storm Worm P2P bot.
Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 
2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. 
If our objective is to use this technique for botnet detection, we have to keep updating the database, which means recognizing every new piece of malware quickly, writing a signature for it and adding the signature to the database. To address this problem, researchers have recently turned to anomaly-based IDS, which detect malicious activity from the behavior of the malware rather than from signatures.

2.4.3 BotHunter: dialog correlation-based botnet detection

This technique uses an evidence-trail approach to detect successful bot infections from the communication patterns of the infection process. Bot infection patterns are modeled and used to recognize the whole infection process of a botnet in the network. All the behavior that occurs during a bot infection, such as target scanning, C&C establishment, binary downloading and outbound propagation, is modeled by this method. The method gathers an evidence trail of related infection events for each internal machine and then looks for a threshold combination of sequences that satisfies the condition for bot infection [32]. BotHunter uses Snort with two anomaly-detection components added to it: SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical sCan Anomaly Detection Engine). SCADE produces internal and external scan-detection warnings that are weighted according to how critical they are relative to malware scanning patterns. SLADE performs byte-distribution payload anomaly detection on incoming packets, providing a complementary non-signature approach to inbound exploit detection [32]. SLADE uses an n-gram analysis of the payloads of traffic that typically carries malware intrusions, while SCADE performs port-scan analysis of incoming and outgoing traffic. BotHunter then links the scan and intrusion alarms in a way that shows a host has been infected.
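To make the two anomaly sensors concrete, here is an added example for this section (it is not BotHunter's own SLADE or SCADE code). The payload sensor builds a 1-gram byte-frequency profile from benign payloads and scores new payloads with a simplified Mahalanobis distance, so that an exploit payload whose byte distribution is unlike anything in the profile stands out without any signature; the scan sensor counts distinct targets per source in a time window, weighting failed connections more heavily. The smoothing constant, both thresholds, the window and all the sample traffic are constructed assumptions.

```python
"""Simplified versions of BotHunter's two anomaly sensors, as constructed
examples for this section (not BotHunter's own code). SLADE here is a
1-gram byte-frequency profile scored with a simplified Mahalanobis distance;
SCADE here counts distinct targets per source in a window. Thresholds, the
smoothing constant and all sample traffic are assumptions."""
from collections import defaultdict

SMOOTHING = 0.01        # added to each byte's std-dev so unseen bytes do not divide by zero (assumed)
PAYLOAD_THRESHOLD = 60  # anomaly score above which an inbound payload is flagged (assumed)
SCAN_THRESHOLD = 8      # weighted distinct targets per source per window before flagging (assumed)


def byte_distribution(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values (a 1-gram profile)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def train_profile(benign_payloads: list) -> tuple:
    """Per-byte mean and standard deviation of the benign frequency vectors."""
    dists = [byte_distribution(p) for p in benign_payloads]
    m = len(dists)
    mean = [sum(d[i] for d in dists) / m for i in range(256)]
    std = [(sum((d[i] - mean[i]) ** 2 for d in dists) / m) ** 0.5 for i in range(256)]
    return mean, std


def payload_anomaly_score(payload: bytes, profile: tuple) -> float:
    """Simplified Mahalanobis distance of one payload from the benign profile:
    sum over byte values of |freq - mean| / (std + SMOOTHING)."""
    mean, std = profile
    dist = byte_distribution(payload)
    return sum(abs(dist[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(256))


def is_anomalous_payload(payload: bytes, profile: tuple, threshold: float = PAYLOAD_THRESHOLD) -> bool:
    return payload_anomaly_score(payload, profile) > threshold


def scan_sources(flows: list, window: int = 60, threshold: float = SCAN_THRESHOLD) -> set:
    """SCADE-like scan count: a source is flagged when the weighted number of
    distinct (dst, dport) pairs it touches within `window` seconds exceeds
    `threshold`. Failed connections count double, since scanners mostly hit
    closed ports or dead hosts. flows: (t, src, dst, dport, succeeded)."""
    per_src = defaultdict(list)
    for t, src, dst, dport, ok in sorted(flows):
        per_src[src].append((t, (dst, dport), ok))
    flagged = set()
    for src, events in per_src.items():
        for i, (t0, _, _) in enumerate(events):      # sliding window starting at each event
            weight, seen = 0.0, set()
            for t, target, ok in events[i:]:
                if t - t0 > window:
                    break
                if target not in seen:
                    seen.add(target)
                    weight += 1.0 if ok else 2.0
            if weight > threshold:
                flagged.add(src)
                break
    return flagged


# Constructed sample traffic.
BENIGN_TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
BENIGN_TEST = b"GET /news.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# NOP-sled-like inbound payload: nothing in the benign profile looks like this.
EXPLOIT_TEST = b"\x90" * 96 + b"\xcc\xcc\xcc\xcc"

SAMPLE_FLOWS = (
    # a host sweeping 445/tcp across a /24, every attempt failing
    [(t, "10.0.0.5", f"10.0.0.{100 + t}", 445, False) for t in range(10)]
    # a normal client talking to two web servers
    + [(3, "10.0.0.7", "93.184.216.34", 80, True), (9, "10.0.0.7", "93.184.216.34", 443, True),
       (20, "10.0.0.7", "192.0.2.10", 80, True)]
)

if __name__ == "__main__":
    profile = train_profile(BENIGN_TRAINING)
    for name, p in (("benign", BENIGN_TEST), ("exploit", EXPLOIT_TEST)):
        print(name, round(payload_anomaly_score(p, profile), 1), is_anomalous_payload(p, profile))
    print("scan sources:", scan_sources(SAMPLE_FLOWS))
```

The payload score has no notion of a particular exploit: the sled-like payload is flagged purely because its byte histogram is far from the profile learned from ordinary requests, which is the point of a non-signature sensor. Real traffic needs a profile per service and port and a threshold calibrated on held-out benign data, since a single profile for all ports would be too loose to be useful.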
When an adequate sequence of alerts is found to match BotHunter's infection dialog model, a comprehensive report is created that captures all the related events and participants that play a role in the infection dialog [32]. This method provides some important features: i. It concentrates on malware detection by IDS-driven dialog correlation. The model captures the essential network processes that occur during a successful bot infection. ii. It has one IDS-independent dialog correlation engine and three bot-specific sensors. It can automatically produce a report of the whole detection of a bot, including the infection agent, the identity of the computer that has been infected and the source of the Command and Control center.

2.4.3.1 Bot infection sequences

Understanding the life cycle of a bot infection is a challenging task for the protection of networks in the future. The major work in this area is differentiating between a successful bot infection and a background exploit attempt. To reach this point, analysis of the two-way dialog flow between internal hosts and external hosts (the Internet) is needed. In a well-designed network that uses filtering at the gateway, the threat of direct exploitation is limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media and drive-by download infections [32].

2.4.3.2 Modeling the infection dialog process

The bot distribution model can be derived from an analysis of the external communication traffic that shows the behavior of the relevant botnet. Inbound scan and exploit alarms alone are not enough to declare a successful malware infection, since a steady stream of scan and exploit signals is assumed to be observed at the egress monitor [32]. Figure 2.1 shows the bot infection process used in BotHunter, which evaluates network flows through eight stages. This model is very similar to the model that Rajab et al.
presented for IRC botnet detection. The model they proposed has an early initial scanning stage, a preliminary step that takes the form of IP address exchange and probing of vulnerable ports. Figure 2.1 is not intended to impose a strict ordering on the infection events that occur during a bot infection. The important point is that analysis of the bot dialog process has to be robust to the absence of some dialog events and must not require strong sequencing of the order in which the dialog is conducted. One solution to the problem of event order and missing events is to use a weighted event threshold system that captures the minimal essential sparse sequences of events under which a bot profile declaration can be initiated [32]. For instance, a weight and a threshold can be set for the appearance of each event in such a way that a minimal set of events is required before a bot is declared.

2.4.3.3 Design and implementation

More attention is devoted in this part to the design of a passive network monitoring system that is able to identify the bidirectional warning signs that appear when internal hosts are infected with b
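The weighted event threshold idea from Section 2.4.3.2 can be shown on a handful of alerts. The following is an added example for this section, not BotHunter's own correlation engine: it assigns a weight to each dialog event class named in the text (inbound scan, exploit, binary download, C&C, outbound propagation), builds an evidence trail per internal host, declares infection when the classes seen within a time window reach the threshold regardless of their order or of missing stages, and reports the infected host together with the attacker, binary source and C&C server named by the trail. The weights, threshold, window, alert format and alert lines are all constructed assumptions; in particular the weights are chosen so that inbound scan plus exploit alone stays below the threshold, as the text requires.

```python
"""Weighted-event-threshold dialog correlation in the spirit of Section 2.4.3:
a constructed example, not BotHunter's own engine. The five event classes
follow the infection stages named in the text; the weights, threshold,
window, alert format and alert lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Dialog event classes and evidence weights (assumed). Inbound scan plus
# exploit alone (1 + 2 = 3) stays below THRESHOLD: inbound alarms by
# themselves do not prove a successful infection.
WEIGHTS = {"E1": 1, "E2": 2, "E3": 3, "E4": 3, "E5": 3}
THRESHOLD = 5                      # minimum total weight before a host is declared infected
WINDOW = timedelta(minutes=10)     # evidence further apart than this is not correlated
EVENT_NAMES = {"E1": "inbound scan", "E2": "exploit", "E3": "binary download",
               "E4": "C&C communication", "E5": "outbound scan"}


def parse_alert(line: str) -> dict:
    """Parse one alert of the constructed form '<iso time> <class> key=value ...'."""
    ts, cls, *kv = line.split()
    alert = {"time": datetime.fromisoformat(ts), "class": cls}
    alert.update(dict(pair.split("=", 1) for pair in kv))
    return alert


def internal_host(alert: dict) -> str:
    """The internal host an alert is evidence about: the destination of
    inbound evidence (E1, E2), the source of outbound evidence (E3, E4, E5)."""
    return alert["dst"] if alert["class"] in ("E1", "E2") else alert["src"]


def build_report(host: str, dialog: list) -> dict:
    """Infection report: victim, contributing evidence, and the external
    parties (exploit source, binary source, C&C server) named by the trail."""
    by_class = {a["class"]: a for a in dialog}
    return {
        "host": host,
        "score": sum(WEIGHTS[c] for c in by_class),
        "evidence": sorted(EVENT_NAMES[c] for c in by_class),
        "attacker": by_class.get("E2", {}).get("src"),
        "egg_source": by_class.get("E3", {}).get("dst"),
        "cnc": by_class.get("E4", {}).get("dst"),
    }


def correlate(lines: list) -> list:
    """Group alerts into an evidence trail per internal host; declare the host
    infected at the first alert where the distinct classes seen within WINDOW
    reach THRESHOLD. Event order is irrelevant and any class may be absent.
    The report covers every alert within WINDOW of the declaring alert."""
    alerts = sorted((parse_alert(l) for l in lines), key=lambda a: a["time"])
    trails = defaultdict(list)
    for a in alerts:
        trails[internal_host(a)].append(a)
    reports = []
    for host, trail in trails.items():
        for i, current in enumerate(trail):
            recent = [a for a in trail[:i + 1] if current["time"] - a["time"] <= WINDOW]
            score = sum(WEIGHTS[c] for c in {a["class"] for a in recent})
            if score >= THRESHOLD:
                dialog = [a for a in trail if abs(a["time"] - current["time"]) <= WINDOW]
                reports.append(build_report(host, dialog))
                break
    return reports


# Constructed alert lines (addresses from documentation ranges).
ALERTS = [
    # full dialog against 10.0.0.5: inbound scan, exploit, egg download, C&C
    "2019-09-30T10:00:01 E1 src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2019-09-30T10:00:05 E2 src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2019-09-30T10:00:40 E3 src=10.0.0.5 dst=198.51.100.20 dport=80",
    "2019-09-30T10:01:10 E4 src=10.0.0.5 dst=198.51.100.77 dport=6667",
    # inbound-only background noise against 10.0.0.8: never declared
    "2019-09-30T10:02:00 E1 src=203.0.113.9 dst=10.0.0.8 dport=445",
    "2019-09-30T10:02:03 E2 src=203.0.113.9 dst=10.0.0.8 dport=445",
    # sparse sequence for 10.0.0.9: no inbound alarm was seen, only C&C and outbound scan
    "2019-09-30T10:03:00 E4 src=10.0.0.9 dst=198.51.100.77 dport=6667",
    "2019-09-30T10:04:30 E5 src=10.0.0.9 dst=10.0.1.23 dport=445",
    # stale evidence for 10.0.0.12: exploit and download 30 minutes apart, outside the window
    "2019-09-30T10:05:00 E2 src=203.0.113.44 dst=10.0.0.12 dport=135",
    "2019-09-30T10:35:00 E3 src=10.0.0.12 dst=198.51.100.20 dport=80",
]

if __name__ == "__main__":
    for report in correlate(ALERTS):
        print(report)
```

Two of the four hosts are declared: 10.0.0.5 on the full dialog and 10.0.0.9 on a sparse one that has no inbound alarm at all, which is exactly the drive-by or e-mail infection case the text says the model must tolerate. The inbound-only host and the host whose evidence falls outside the window are not declared.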