A team from Ben Gurion University, working with communications giant Deutsche Telekom, may have found a way to shut down one of the scourges of the Internet – botnets, the illicit and secretive networks that, according to experts, as many as half a billion computers around the world have fallen prey to.

Using big data and analytical intelligence technology, the researchers have figured out how to track a botnet to its controller – and the location of the command and control server that is managing illicit activity that costs the world economy $100 billion a year.

A team led by Ben Gurion Profs. Bracha Shapira and Lior Rokach analyzed data captured by a network run by Deutsche Telekom, one of the world’s leading telecommunications companies. By analyzing the data, the team built a breakthrough program that identifies the botnet by finding similar attack patterns.

The breakthrough was announced on the second day of Cybertech 2016 in Tel Aviv. Ben-Gurion University of the Negev is the academic sponsor of Israel’s largest cyber security event, organized by Israel Defense.

Fighting the computer zombie armies

Botnets – also known as “computer zombie armies” – are used by hackers to carry out all sorts of nefarious activities, such as running DDoS (Distributed Denial of Service) or other hack attacks, running click fraud scams (in which a computer is recruited to click on a link to pump up a site’s metrics), spambotting (in which innocent computers are used to forward spam), and much more. Hackers send out a piece of malware that, when picked up by a computer, enrolls it in the “bot army.” The new recruit is then pressed into service as part of a distributed network, with a command and control server using its resources to carry out the botnet’s activities – without, of course, the computer’s owner even realizing what is going on.

Detecting that server is next to impossible, since botnet administrators use all the well-known techniques to hide its location (broadcasting phony IP addresses, using fake domain names, etc.). While computer security experts have had some success tracking down the controllers of botnets, there are probably dozens that remain “in the wild” for each one taken down – and, experts say, the techniques used by botnet owners get more sophisticated all the time.

In 2014, the FBI announced that in conjunction with other law enforcement agencies and private sector organizations they had managed to disrupt a Russian botnet which targeted personal banking and had managed to steal more than $100 million. But that, the officials conceded, was just the tip of the iceberg.

Enter Shapira and Rokach, BGU scientists working as part of the Deutsche Telekom Innovation Labs@BGU, a new program to develop cyber-security technology to solve the pressing security issues that individuals, businesses, and entire governments face.

Directed by Prof. Yuval Elovici, the lab gives academics and business professionals the opportunity to join forces and create solutions to annoying – and dangerous – hacker attacks on systems.

The team looked at traffic patterns in the data, and developed a program that ingested captured traffic typical of a botnet – spam, DDoS attacks – and studied where it clustered and coalesced. Until now, crunching the data to reveal those patterns had not been possible because of the processing power needed – but with new, more powerful equipment, that analysis is now feasible.
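The article does not say which algorithms the team used, so the following is an added illustration of the general idea it describes (grouping attack sources by similar behaviour), not the BGU or Deutsche Telekom code. It assumes nothing beyond a list of flow records, all of which are constructed here: each record is (time in milliseconds, source IP, destination port, bytes). Sources whose traffic has the same target port, the same cadence and similar payload sizes, and whose timing is machine-regular, are grouped into candidate botnets; an irregular, human-looking source is filtered out.

```python
"""Group attack sources into candidate botnets by behavioural similarity.

Added example with constructed data; the real study's algorithms are not
described in the article, so this is a deliberately simple stand-in.
"""
from collections import defaultdict
from itertools import combinations
from statistics import mean, pstdev

# Constructed flow records (time_ms, src_ip, dst_port, bytes). Not real data.
SAMPLE_FLOWS = (
    # three hosts hitting port 80 once per second with near-identical sizes
    [(i * 1000, "10.0.0.1", 80, 510 + (i % 3)) for i in range(10)]
    + [(200 + i * 1000, "10.0.0.2", 80, 512) for i in range(10)]
    + [(500 + i * 1000, "10.0.0.3", 80, 508 + (i % 5)) for i in range(10)]
    # two hosts pushing SMTP traffic every five seconds
    + [(i * 5000, "10.0.1.1", 25, 2000 + 20 * (i % 2)) for i in range(6)]
    + [(1000 + i * 5000, "10.0.1.2", 25, 1990) for i in range(6)]
    # one host with irregular, human-looking browsing on 443
    + [(t, "10.0.2.1", 443, b) for t, b in
       [(0, 300), (7300, 4100), (9100, 120), (31000, 9800), (33500, 560)]]
)


def source_features(flows):
    """Per source: dominant destination port, mean bytes, mean gap between
    flows (ms) and the gap's standard deviation (low = machine-like)."""
    by_src = defaultdict(list)
    for t, src, port, size in flows:
        by_src[src].append((t, port, size))
    feats = {}
    for src, recs in by_src.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        ports = [r[1] for r in recs]
        feats[src] = {
            "port": max(set(ports), key=ports.count),
            "bytes": mean(r[2] for r in recs),
            "gap": mean(gaps) if gaps else 0.0,
            "jitter": pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return feats


def similar(a, b, gap_tol_ms=500, bytes_tol=0.1):
    """Same target port, same cadence within gap_tol_ms, and mean payload
    size within bytes_tol (relative)."""
    if a["port"] != b["port"]:
        return False
    if abs(a["gap"] - b["gap"]) > gap_tol_ms:
        return False
    scale = max(a["bytes"], b["bytes"], 1.0)
    return abs(a["bytes"] - b["bytes"]) / scale <= bytes_tol


def cluster_sources(feats, **tol):
    """Union-find over pairwise similarity; returns sorted member lists."""
    parent = {s: s for s in feats}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(feats, 2):
        if similar(feats[a], feats[b], **tol):
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for s in feats:
        groups[find(s)].append(s)
    return [sorted(g) for g in groups.values()]


def candidate_botnets(flows, min_members=2, max_jitter_ms=500):
    """Drop irregular (human-like) sources, cluster the rest, and keep only
    groups large enough to look like coordinated activity."""
    feats = source_features(flows)
    regular = {s: f for s, f in feats.items() if f["jitter"] <= max_jitter_ms}
    groups = [g for g in cluster_sources(regular) if len(g) >= min_members]
    return sorted(groups, key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for members in candidate_botnets(SAMPLE_FLOWS):
        port = source_features(SAMPLE_FLOWS)[members[0]]["port"]
        print(f"candidate botnet on port {port}: {', '.join(members)}")
```

On the constructed data this yields two groups: the three port-80 sources and the two SMTP sources; the browsing host is excluded because its inter-flow timing is too irregular. A production version would add many more features (payload fingerprints, destination sets, DNS behaviour) and a real clustering method, but the shape of the pipeline, features per source followed by grouping by similarity, is what the article's description amounts to.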

“In this project,” said Ariel Bar, one of the lead researchers on the team, “we implemented a number of unique advanced algorithms based on machine learning in order to reach the important outcomes that we achieved.”

Based on that analysis, the team was able to identify six separate botnets, each capable of inflicting serious criminal and monetary damage. Police in the respective jurisdictions have been informed. According to Dudu Mimran, CTO of Deutsche Telekom Innovation Labs@BGU, “This is the first time such a comprehensive study has been carried out and returned with unique findings.”

And this is just the beginning, Mimran added. “In addition to the aforementioned findings, there were other interesting achievements. For example, the ability to identify whether the attack emanated from a real person or from a robot, as well as the ability to predict future attacks.” All these capabilities will be integrated into a system the researchers hope to deploy in many places – helping to kill the zombie armies of the Internet once and for all.