Computing Now Exclusive Content — October 2010

News Archive

July 2012

Gig.U Project Aims for an Ultrafast US Internet

June 2012

Bringing Location and Navigation Technology Indoors

May 2012

Plans Under Way for Roaming between Cellular and Wi-Fi Networks

Encryption System Flaw Threatens Internet Security

April 2012

For Business Intelligence, the Trend Is Location, Location, Location

Corpus Linguistics Keep Up-to-Date with Language

March 2012

Are Tomorrow's Firewalls Finally Here Today?

February 2012

Spatial Humanities Brings History to Life

December 2011

Could Hackers Take Your Car for a Ride?

November 2011

What to Do about Supercookies?

October 2011

Lights, Camera, Virtual Moviemaking

September 2011

Revolutionizing Wall Street with News Analytics

August 2011

Growing Network-Encryption Use Puts Systems at Risk

New Project Could Promote Semantic Web

July 2011

FBI Employs New Botnet Eradication Tactics

Google and Twitter "Like" Social Indexing

June 2011

Computing Commodities Market in the Cloud

May 2011

Intel Chips Step up to 3D

Apple Programming Error Raises Privacy Concerns

Thunderbolt Promises Lightning Speed

April 2011

Industrial Control Systems Face More Security Challenges

Microsoft Effort Takes Down Massive Botnet

March 2011

IP Addresses Getting Security Upgrade

February 2011

Studios Agree on DRM Infrastructure

January 2011

New Web Protocol Promises to Reduce Browser Latency

To Be or NAT to Be?

December 2010

Intel Gets inside the Helmet

Tuning Body-to-Body Networks with RF Modeling

November 2010

New Wi-Fi Spec Simplifies Connectivity

Expanded Top-Level Domains Could Spur Internet Real Estate Boom

October 2010

New Weapon in War on Botnets

September 2010

Content-Centered Internet Architecture Gets a Boost

Gesturing Going Mainstream

August 2010

Is Context-Aware Computing Ready for the Limelight?

Flexible Routing in the Cloud

Signal Congestion Rejuvenates Interest in Cell Paging-Channel Protocol

July 2010

New Protocol Improves Interaction among Networked Devices and Applications

Security for Domain Name System Takes a Big Step Forward

The ROADM to Smarter Optical Networking

Distributed Cache Goes Mainstream

June 2010

New Application Protects Mobile-Phone Passwords

WiGig Alliance Reveals Ultrafast Wireless Specification

Cognitive Radio Adds Intelligence to Wireless Technology

May 2010

New Product Uses Light Connections in Blade Server

April 2010

Browser Fingerprints Threaten Privacy

New Animation Technique Uses Motion Frequencies to Shake Trees

March 2010

Researchers Take Promising Approach to Chemical Computing

Screen-Capture Programming: What You See is What You Script

Research Project Sends Data Wirelessly at High Speeds via Light

February 2010

Faster Testing for Complex Software Systems

IEEE 802.1Qbg/h to Simplify Data Center Virtual LAN Management

Distributed Data-Analysis Approach Gains Popularity

Twitter Tweak Helps Haiti Relief Effort

January 2010

2010 Rings in Some Y2K-like Problems

Infrastructure Sensors Improve Home Monitoring

Internet Search Takes a Semantic Turn

December 2009

Phase-Change Memory Technology Moves toward Mass Production

IBM Crowdsources Translation Software

Digital Ants Promise New Security Paradigm

November 2009

Program Uses Mobile Technology to Help with Crises

More Cores Keep Power Down

White-Space Networking Goes Live

Mobile Web 2.0 Experiences Growing Pains

October 2009

More Spectrum Sought for Body Sensor Networks

Optics for Universal I/O and Speed

High-Performance Computing Adds Virtualization to the Mix

ICANN Accountability Goes Multinational

RFID Tags Chat Their Way to Energy Efficiency

September 2009

Delay-Tolerant Networks in Your Pocket

Flash Cookies Stir Privacy Concerns

Addressing the Challenge of Cloud-Computing Interoperability

Ephemeralizing the Web

August 2009

Bluetooth Speeds Up

Grids Get Closer

DCN Gets Ready for Production

The Sims Meet Science

Sexy Space Threat Comes to Mobile Phones

July 2009

WiGig Alliance Makes Push for HD Specification

New Dilemnas, Same Principles:
Changing Landscape Requires IT Ethics to Go Mainstream

Synthetic DNS Stirs Controversy:
Why Breaking Is a Good Thing

New Approach Fights Microchip Piracy

Technique Makes Strong Encryption Easier to Use

New Adobe Flash Streams Internet Directly to TVs

June 2009

Aging Satellites Spark GPS Concerns

The Changing World of Outsourcing

North American CS Enrollment Rises for First Time in Seven Years

Materials Breakthrough Could Eliminate Bootups

April 2009

Trusted Computing Shapes Self-Encrypting Drives

March 2009

Google, Publishers to Try New Advertising Methods

Siftables Offer New Interaction Model for Serious Games

Hulu Boxed In by Media Conglomerates

February 2009

Chips on Verge of Reaching 32 nm Nodes

Hathaway to Lead Cybersecurity Review

A Match Made in Heaven: Gaming Enters the Cloud

January 2009

Government Support Could Spell Big Year for Open Source

25 Reasons For Better Programming

Web Guide Turns Playstation 3 Consoles into Supercomputing Cluster

Flagbearers for Technology: Contemporary Techniques Showcase US Artifact and European Treasures

December 2008

.Tel TLD Debuts As New Way to Network

Science Exchange

November 2008

The Future is Reconfigurable

New Weapon in War on Botnets

by George Lawton

Researchers at University of Illinois at Urbana-Champaign (UIUC) have developed a new technique for tracking stealthy botnets that use peer-to-peer (P2P) technology. BotGrep is an inference algorithm that uses graph analysis to detect botnets that hide from other security tools.

Some botnet implementations, such as Conficker and Storm, are fairly easy to identify because they generate a lot of spam or denial-of-service (DOS) traffic. But others like Zeus, a popular malware family often used in stealing banking data, preserve their stealth by sending far less information. "As long as the botnet uses P2P communications," said Nikita Borisov, an UIUC associate professor and coauthor of the BotGrep tool, "we are able to identify its existence even though it does not have the loud activities."

A botnet is "an army of compromised hosts under a common command and control," according to a landmark presentation to the North American Network Operators Group ( The first botnets used an HTTP server or the Internet Relay Chat (IRC) system for command and control (C&C). However, as security experts developed better techniques for disrupting these communication channels, hackers began using P2P networks to distribute cryptographically protected commands.

"Pinning down P2P botnets communication is hard for the industry right now as there is no central point of control to track," said Ivan Macalintal, manager of advanced threat research at security firm Trend Micro. "BotGrep is going to be a game changer when it comes to analyzing P2P botnets."

BotGrep can identify all the hosts in a P2P network by analyzing Internet traffic logs to find the patterns of communication between infected hosts. Other approaches have targeted control servers or analyzed the P2P traffic content. BotGrep merely looks at whether any given set of nodes communicate with each other.

Grep Meets Bot

BotGrep works on the IP transit log files of large ISPs. The tool's name is based on the old Unix grep utility that performs a global search for regular patterns in text files. "BotGrep also relies on global patterns of regular activity," said Borisov, "so the name fit."

These regular patterns are translated into a communications graph that maps all the hosts' packet exchanges. Stealthy botnets using P2P networks form more complex interconnection patterns than other types of communications. Using BotGrep to analyze the sum total of these patterns on real test data, the UIUC researchers were able to localize between 93 and 99 percent of P2P connected hosts with a false positive of less than 0.6 percent.

Other researchers have applied graph analysis to botnet and P2P detection, but their techniques depended on the communication contents, port number, packet size, or interarrival delays. The botnet could evade detection by simply encrypting traffic and randomly adjusting packet sizes and port numbers. In contrast, BotGrep simply looks at where packets originate and terminate without analyzing the actual traffic. This makes it more robust to changes in botnet design.

Working with several tier-1 ISPs, the researchers obtained the log data from a few hundred thousand hosts. They used this raw data to generate synthetic data for 30 million hosts for more comprehensive testing. The basic algorithm was able to quickly analyze the entire 30-million-host data set on a high-end PC. One test caught a 1,000-node P2P network.

The UIUC team is also working on a privacy-preserving version of the algorithm that would let them collect data from multiple ISPs in a way that protects individual consumers' data. However, these algorithms take about a thousand times more computational power to achieve the same result.

BotGrep can only determine a host's IP address. This can confound the botnet analysis because many hosts can share one IP address and a mobile host can connect from multiple IP addresses. This also makes it harder to remediate the problem because an ISP can’t be sure which machine is infected. Organizations with a dedicated network management team can better identify infected machines.

The Race Goes On

BotGrep can integrate with response tools, such as blacklists, to mitigate the botnet's impact once it's discovered. It only complements rather than replaces current detection and remediation tools.

Borisov said he believes large ISPs will eventually be able to incorporate BotGrep into a suite of security services for their customers, but he and his colleagues don't have specific commercialization plans at this time. Accurately determining whether a P2P network is an innocuous application or a malicious botnet remains an open problem. Because BotGrep algorithms can't distinguish an authorized P2P network from a stealthy botnet, other botnet tracking tools are needed to make this distinction.

"A false-positive error would be all-or-nothing — the whole P2P network, with thousands or even millions hosts would be flagged as malicious," Borisov explained. "Obviously, this is something you would want to prevent."

Other tools to identify afflicted hosts could include intrusion-detection systems that look for anomalous behavior or patterns of misuse. Honeynets use unsecured virtual machines as bait to attract botnet infections. Honeynet computers don't run legitimate P2P code, so any P2P activity from them is likely to be part of a botnet.

In the long run, however, malware developers are likely to find counter techniques for evading detection and control. "For every detection technique, there can be approaches that the botnet authors can use to counteract the detection technique," Borisov noted. "There is a constant arms race. Trying to see one or two steps ahead of the botnet authors is a challenge."

George Lawton is a freelance journalist currently based in Guernevilla, CA. You can reach him via his website