Cover Letter 122345 Essays (312 words) - Accounts Receivable

Marlon Josephs 3715 village estates ct. Cumming, Georgia | 770-296-6826 | [emailprotected] 11/11/18 Dear Ashley Jones, I would like to bring in my job experience as office clerk and junior accountant. I have been working for six years in the accounting of medium-sized companies in the metal trade and printing and publishing sectors.Already in my activity in metal trading I gained experience in international business transactions including customs declarations, while as a junior accountant in publishing I became familiar with the peculiarities of working with larger subscriber bases. The main focus of my previous activities was on accounts receivable accounting, including dunning, as well as data preparation and analysis in cooperation with other departments such as receivables management, controlling and marketing. Recently, I successfully completed my training as an "accountant (IHK)".I would now like to apply the expertise gained in an adequate position, which unfortunately my current employer can not offer me for the foreseeable future.In addition to the technica l requirements, I am tempted by the job advertised by you to enter a fast-growing and future-oriented industry with the changes and upheavals that are likely to occur again and again. Extreme care and absolute reliability are a natural part of my work.In addition, I work with a lot of team spirit and joy across departments and have already gained extensive experience in my previous activities. In everyday dealings, I am absolutely secure with MS Office, the relevant SAP modules and have some years of experience in dealing with other accounting software.I speak good English and have a solid basic knowledge of the French language. My notice period is six weeks to the end of the month.I look forward to personally discussing the possibilities of working with you. Sincerely, Sincerely , Marlon Josephs

Hulu Has Live Sports Goal Celebration Professor Ramos Blog

Hulu Has Live Sports Goal Celebration This is a commercial from Hulu with some of the United States women’s soccer players. The ad begins with the team passing the ball to each other and go all the way up to roughly around 15 yards away from the goal post. They then complete their play by scoring a goal to the left side of the goal post passing above the goalie’s fingertips. After the soccer players score they celebrate their goal by forming a human couch, an ottoman, and a television with one person sitting on the couch with a remote in hand watching the human made television. One of the female players is behind the television dancing to complete the display of the television. While this celebration is occurring a famous former player from the United States soccer team Mia Hamm asks two of the coaches on the sideline what they players are doing. They respond by saying that it is their new celebration goal and they are calling it â€Å"Hulu has live sports†. Mia Hamm follows up with another question asking how much Hulu will be paying them for this, and the two women just giggle and laugh. At the end of the commercial it shows the team all together side by side of each other as if to take a team picture wearing green uniforms saying Hulu has live sports with two pallets full of money dropping from a crane hook on the other side of the players. Towards the very end of the commercial where the team is together, this scene has multiple objects and other things with green details throughout the background. There are green text shown in the background in the stadium to represent the colors of the Hulu Company. They have certain seats colored green throughout the stadium so it can read out Hulu from a distance. There are also banners shown that say no cable required, which is another great way to interest their viewers. This is adding another reason to get Hulu other than Hulu having live sports included. The appeal of ethos is to convince or persuade the audience of ones’ character or credibility. This appeal is being used in this advertisement mainly because of the famous and well-known athletes in the commercial. Research suggests that over time, as heroes retire and disappear from the spotlight, their appeal begins to increase, even more than when they were performing (Lunardo, Renaud, et al. 692). This commercial is not in any way formal, it is more causal and normal type of presentation that can bring different types of viewers to stay interested because there is a little bit of comedy and like it was discussed earlier famous athletes/ celebrities. They also use the sport soccer to catch the viewers’ attention. Soccer is a very popular sport that is well known all around the world. To combine all of these together this advertisement has a very good chance to catch many sorts of viewers and to keep them hooked. â€Å"And finally children’s books are up to three times more likely to contain only male role models† (Adams-Blair 45). This sentence by Adams- Blair is very intriguing because the author is trying to allow the readers to have a clear image of how many children’s books’ contain only male role models. This mean that very few books have a only female role models to inspire children as they grow. This is a very important message that show be acknowledged because many kids could grow up thinking that only men or boys will be successful or better to achieve certain tasks. In the Hulu advertisement there are only female athletes and there are no men shown in this video. This can allow their viewers to understand that woman are capable of doing what men do. In this case it indicates that the women’s United States soccer team are female role models that can inspire kids as they grow to know that women too can do things like playing professional soccer. The emotion set for on this advertisement for certain people could be excitement or happiness. For example soccer fans might find this commercial fun or exciting because it involves soccer. Many people enjoy watching games and are very entertained just to watch a match. There is also joy and happiness seeing peoples’ favorite team on television. The appeal of logos is an appeal of logic, to convince an audience based off of reasoning. There are some good reasoning in this commercial that Hulu uses to logically convince their viewers to understand that it would benefit themselves to get Hulu. The main benefit of Hulu in this case is that they stream live sports for both female sand males. This in my perspective was viewed as Hulu having live sports for anyone, that Hulu will and does not discriminate based on gender. There is a bubble map in the article â€Å"Effectiveness of Absurdity in Advertising across Cultures.† This map describes how some viewers’ reactions could be based on how they can relate to the situation or what is happening in the advertisement. The first bubble on the map says absurdity, they use this word to let the readers know that this can literally be anything and that it could be as crazy as possible or something that is reasonable either or. Then there are two bubble for the next part that read recall and attitude towards ad. These two bubbles will show how the readers or viewers can reaction to the absurdity in the first bubble. So in the Hulu advertisement there can be different ways for the audience to react to the commercial. Either the viewers can recall or relate to the situation on the screen or they can have a certain opinion on the advertisement good or bad. Hulu is giving the sport of soccer to allow the viewers to relate to the commercial or recall a similar experience they had. This is all logical strategies used to appeal or interest viewers to get Hulu with live sports. The audience will have a better connection to the advertisement because they can relate situation. In conclusion, Hulu is using soccer to persuade the viewers to sign up for a Hulu account. The appeals used were pathos, ethos and logos. Hulu wants their audience to know that they will have live sports available and that there will not be any cable required to access these games. In the commercial the appeal of ethos is the one to mainly stand out because of all the famous athletes from the United States Women’s National Team that appear throughout the video. They also include a former player from the United States team Mia Hamm who was a great player and is a good role models for young kids. This advertisement used comedy and positive environment to set the emotion. Seeing professional female athletes can bring joy and excitement to people seeing them on commercials and intrigue the audience to continue to watch the video so Hulu can convince people to get Hulu with live sports. Work Cited Page Adams-Blair, Heater R. â€Å"The Importance of Physical Education and Sport in the Lives of Young Female.†International Sports Journal, vol. 6, no. 1, Winter 2002, p. 45.EBSCOhost, search.ebscohost.com/login.aspx?direct=truedb=a9hAN=6539181site=ehost-live. Gelbrich, Katja, et al. â€Å"Effectiveness of Absurdity in Advertising Across Cultures.†Ã‚  Journal of Promotion Management, vol. 18, no. 4, Oct. 2012, pp. 393–413.  EBSCOhost, doi:10.1080/10496491.2012.693058. Lunardo, Renaud, et al. â€Å"Celebrities as Human Brands: An Investigation of the Effects of Personality and Time on Celebrities’ Appeal.†Ã‚  Journal of Marketing Management, vol. 31, no. 5–6, May 2015, pp. 685–712.  EBSCOhost, doi:10.1080/0267257X.2015.1008548.

Leglization of Marijuana Research Paper Example | Topics and Well Written Essays - 750 words

Leglization of Marijuana - Research Paper Example Firstly, a comparison between alcohol and cigarettes shows that the use of marijuana has mild health risks and losses to the society. This is a great paradox since alcohol and cigarettes have not been banned despite their greater damage potential. This scenario further worsens owing to the ease of availability of the two products. On the contrary, to get marijuana, one must do it in secret so as not to arouse suspicion. Such hypocrisy and unfairness to marijuana users ought to end (Legalizationofmarijuana.com, 2010). Secondly, prohibiting marijuana has served to increase the black market that goes as far as to even corrupt the judicial system. There is massive bribing of judges that occurs to secure the release of rich marijuana dealers. Such arrests have led to America ending up as the largest jailor nation overcrowding jails, resulting in the release of more dangerous criminals such as murderers. On average, drug dealers are sentenced at a rate that is five times higher than the rate of those arrested for manslaughter. Such unfair severity in terms of punishment has led to the resignation of judges who do not wish to belong to a corrupt system (Legalizationofmarijuana.com, 2010). In addition, many farmers in America have turned to growing marijuana in their cornfields. This is because marijuana farming has become a lucrative venture with a bushel selling for up to 70,000 dollars. This is in stark contrast to that of corn, which rakes in a few dollars per bushel. Clearly, marijuana is fast substituting corn as the major cash crop in America. Failing to legalize marijuana is turning innocent farmers on whom the country‘s survival depends into criminals. Legislation of marijuana will work better than simply decriminalizing or medicalizing it. Decriminalisation serves to legalize the possession of little amounts of the drug although it does not put an end to the enormous black market or allow for simpler taxation.

How does low income level relates to child abuse Term Paper

How does low income level relates to child abuse - Term Paper Example The main concern of a poor class is to survive and combat with poverty. The poverty problem is a dilemma which gives rise to child sexual abuse since the families are not concerned about child protection. The way children are maltreated, misuse, and neglect have many times escorted them to the vulnerability of child abuse. However in the United States, child abuse is not a new issue, since children have been the subject of various types of abuse for decades, therefore concern for abused children now demands action from private citizens as well as the government. Despite the existence and active participation of child welfare programs, child abuse is a common problem confronted by the United States. One reason for the widespread of this quandary is the fact that economic resources and political structure varies according to the social determinants for people who live in urban and rural regions (Kenney et al, 2001, p. xv). Child abuse some decades ago was seen as a problem of physical battering and the deliberate intention to harm the child, mainly by parents. It was in the 1970s that the meaning of the term child abuse expanded to include not only physical harm of the child, but also sexual or emotional maltreatment by parents or caretakers since abuse does not have to be deliberate infliction, but can also take the form of omission to act resulting in neglect of the childs needs. The main concern pertains to what our communities consider as child abuse, for example in many community cases in the professional consensus in the United States it was a concern as to what constitutes abuse or neglect of a child. When analyzed on the basis of community research it was found that all agreed to consider a child with fractured bones from repeated beatings as abused, while a child who is not given the minimum amount of food, clothing, or attention necessary for survival or a young child left unfed in a room as

Critical Essay Example | Topics and Well Written Essays - 1000 words

Critical - Essay Example They established a system to investigate the membrane dynamics of the events occurring at the interface of HIV-1 infected and receptor expressing T cells. The authors selected appropriate CD4+/CXCR4+ T cell lines for the study and maintained them in an antibiotic supplemented cell growth medium and established the purity of the cell lines at a level greater than 90% by flow cytometry by indirect immunofluorescence. These CD4+ cells were labeled as target cells. Jurkat CE 6.1 cells infected with HIV-1 strain LAI were used as effector cells. After phenotyping the cells for surface Env and CD4 expression, the effector and the target cells were mixed in equal quantities on cover slips, with or without inclusion of mAb (monoclonal antibody). For specific time intervals after which they were fixed and stained. Kinetic studies were conducted in separate experiments by immunostaining of conjugates for specific mAbs. Appropriate software and methods for confocal microscopy and photography wer e employed. Inhibition of cytoskeletal rearrangement and signaling were studied in separate experiments. Cell-cell fusion assay and transmission electron microscopy were the other experiments conducted. The authors have been able to develop a novel system to study the cell to cell dissemination of HIV-1 by demonstrating a close packing and concentration of the virus particles in the plasma membranes of both effector and target cells, though they could not actually demonstrate the formation of a synapse between the two cells, which they suggest is the most likely mechanism. The role of an actin dependent mechanism in the Env-dependent recruitment of CD4, CXCR4, and LFA-1 has successfully been demonstrated. This cytoskeleton dependent receptor movement during infection of the target cells along with formation of an adhesive junction has been proposed as the likely

Analysis of Botnet Security Threats

Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b Analysis of Botnet Security Threats Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b

The Importance of Being Earnest :: Comedy Irony Papers

The Importance of Being Earnest ALGERNON. You have always told me it was Ernest. I have introduced you to every one as Ernest. You answer to the name of Ernest. You look as if your name was Ernest. You are the most earnest-looking person I ever saw in my life. It is perfectly absurd your saying that your name isn't Ernest. It's on your cards. Here is one of them. [Taking it from case.] 'Mr. Ernest Worthing, B. 4, The Albany.' I'll keep this as a proof that your name is Ernest if ever you attempt to deny it to me, or to Gwendolen, or to any one else. [Puts the card in his pocket.] JACK. Well, my name is Ernest in town and Jack in the country, and the cigarette case was given to me in the country. ALGERNON. Yes, but that does not account for the fact that your small Aunt Cecily, who lives at Tunbridge Wells, calls you her dear uncle. Come, old boy, you had much better have the thing out at once. JACK. My dear Algy, you talk exactly as if you were a dentist. It is very vulgar to talk like a dentist when one isn't a dentist. It produces a false impression. ALGERNON. Well, that is exactly what dentists always do. Now, go on! Tell me the whole thing. I may mention that I have always suspected you of being a confirmed and secret Bunburyist; and I am quite sure of it now. JACK. Bunburyist? What on earth do you mean by a Bunburyist? ALGERNON. I'll reveal to you the meaning of that incomparable expression as soon as you are kind enough to inform me why you are Ernest in town and Jack in the country. JACK. Well, produce my cigarette case first. ALGERNON. Here it is. [Hands cigarette case.] Now produce your explanation, and pray make it improbable. [Sits on sofa.] JACK. My dear fellow, there is nothing improbable about my explanation at all. In fact it's perfectly ordinary. Old Mr. Thomas Cardew, who adopted me when I was a little boy, made me in his will guardian to his grand-daughter, Miss Cecily Cardew. Cecily, who addresses me as her uncle from motives of respect that you could not possibly appreciate, lives at my place in the country under the charge of her admirable governess, Miss Prism. ALGERNON. Where in that place in the country, by the way? JACK. That is nothing to you, dear boy.

Succubus Blues CHAPTER 12

â€Å"Man, if Jerome had threatened to stash me somewhere, I wouldn't be out snooping around.† â€Å"I'm not snooping. I'm just speculating.† Peter shook his head and took the cap off a beer. I sat with him and Cody in their kitchen, the day after Hugh's attack. A ham and pineapple pizza had just arrived, and Cody and I dug into it while the other vampire merely watched. â€Å"Why can't you just accept this for what it is? Jerome's telling the truth. It's a vampire hunter.† â€Å"No. No way. None of this adds up. Not the goofy way Jerome and Carter are acting. Not Hugh's attack. Not that fucked-up note I got.† â€Å"I figured you get screwy love notes all the time. ‘My heart bleeds for you, Georgina.' Written in actual blood. Stuff like that.† â€Å"Yeah, nothing like self-mutilation to turn a girl on,† I muttered. I gulped some Mountain Dew and returned to my pizza. Really, as far as caffeine and sugar went, Mountain Dew was nearly as good as one of my mochas. â€Å"Hey, why aren't you eating any of this?† Peter held up his beer bottle by way of explanation. â€Å"I'm dieting.† I peered at it. Golden Village Low- Carb Ale. I froze, mid-bite. Low- carb? â€Å"Peter†¦ you're a vampire. Aren't you by definition always on a low- carbdiet?† â€Å"It's no use,† Cody chuckled, speaking up for the first time. â€Å"I've already had this argument with him. He won't listen.† â€Å"You wouldn't understand.† Peter eyed our pizza wistfully. â€Å"You can make your body look like anything you want.† â€Å"Yeah, but†¦Ã¢â‚¬  I looked to Cody. â€Å"Can he really even put on weight? Aren't immortal bodies, I don't know, unchangeable? Or timeless? Or something?† â€Å"You'd know more about it than me,† he said. â€Å"We eat other things.† Peter rubbed his stomach selfconsciously. â€Å"Not just blood. It all adds up.† This had to be weirdest thing I'd heard since Duane's death. â€Å"Stop it, Peter. You're being ridiculous. Next thing, you'll be down at Hugh's asking for liposuction.† He brightened. â€Å"Do you think that would help?† â€Å"No! You look fine. You look the same as you always have.† â€Å"I don't know. Cody's been getting all the attention whenever we go out. Maybe I should get more blond put into the spikes.† I refrained from pointing out that Peter had been almost forty when he'd become a vampire, his hair heavily receding. Cody had been very young – barely twenty – and bore tawny, leonine good looks. Immortals who were formerly human stayed fixed at the age and appearance immortality had taken over. If the two vampires still frequented clubs and college bars, I didn't doubt Cody had more luck. â€Å"We're wasting time,† I exclaimed, wanting to derail Peter from this whole image thing. â€Å"I want to figure out who attacked Hugh.† â€Å"Christ, you have a one-track mind,† he snapped. â€Å"Why can't you just wait to find out?† Good question. I didn't know why. Something inside me was tugging to get to the truth of this, to do what I could to protect my friends and myself. I just couldn't stand passively by. â€Å"It couldn't have been a mortal. Not from the way Hugh described the attack.† â€Å"Yeah, but no immortal could have killed Duane. I already told you that.† â€Å"No lesser immortal,† I pointed out. â€Å"But a higher immortal†¦Ã¢â‚¬  Peter laughed. â€Å"Oh-ho, you are pushing the envelope now. You think there's some vindictive demon out there?† â€Å"They'd certainly be capable.† â€Å"Yeah, but they have no motivation.† â€Å"Not nece – â€Å" A funny sensation suddenly spread over me, tingly and gentle and silvery. I was put in mind of the fragrance of lilacs, the tinkling of small bells. I looked sharply at the others. â€Å"What the – † began Cody, but Peter was already moving toward the door. The signature we all felt was similar to Carter's in certain ways but lighter and sweeter. Less powerful. A guardian angel. Peter opened the door, and Lucinda stood there primly, her arms clasped tightly around a book. I nearly choked. It would figure. As a general rule, I didn't interact with many angels in the area, Carter being the exception because of his relationship with Jerome. Still, I knew who the locals were, and I knew Lucinda. She wasn't a true angel like Carter. Guardians were more like the heavenly equivalent of Hugh: former mortals who served and ran errands for all eternity. I had no doubt Lucinda performed all sorts of good deeds on a daily basis. She probably worked in soup kitchens and read to orphans in her free time. Whenever she was around us, however, she became a prissy little bitch. Peter shared my sentiment. â€Å"Yes?† he asked coolly. â€Å"Hello, Peter. Your hair is very†¦ interesting today,† she observed diplomatically, not moving from the doorway. â€Å"May I come in?† Peter scowled at the hair comment but had too many good hosting instincts drilled into him to not wave her inside. He might tease me about mortal hobbies, but the vampire had a meticulous sense of propriety and etiquette bordering on obsessive-compulsive disorder. She swept inside, proper in an ankle-length plaid skirt and high-necked sweater. Her short blond hair curled under in a perfect bob. I was a different story. Between my plunging neckline, ultratight jeans, and fuck-me heels, I felt like I might as well lie down on the floor and spread my legs. The demure look she gave me clearly implied she was thinking the same thing. â€Å"Charming to see you all again.† Her tone was crisp, formal. â€Å"I'm here to deliver something from Mr. Carter.† â€Å"Mr. Carter?† asked Cody. â€Å"Is that his last name? I always thought it was his first.† â€Å"I think he just has one name,† I speculated. â€Å"Like Cher or Madonna.† Lucinda said nothing to our bandying. Instead, she handed me a book. Men Are from Mars, Women Are from Venus: The Classic Guide to Understanding the Opposite Sex. â€Å"What the hell is that?† exclaimed Peter. â€Å"I think I saw it on some talk show.† I suddenly remembered walking out with Carter in the hospital and how he'd claimed to own a book that would help me with Seth. I tossed it on the counter disinterestedly. â€Å"Carter's fucked-up sense of humor in action.† Lucinda flushed deep crimson. â€Å"How can you use such language so carelessly? You sound like you're†¦ like you're in a locker room!† I smoothed down my tank top. â€Å"No way. I'd never wear this in a locker room.† â€Å"Yeah, it isn't even in school colors,† said Peter. I couldn't resist toying with the guardian. â€Å"If I were in a locker room, I'd probably have on a short cheerleader skirt. And no underwear.† Peter continued playing off me. â€Å"And you'd do that one cheer, right? The one with your hands splayed against the shower wall and ass sticking out?† â€Å"That's me,† I agreed. â€Å"Always ready to take one for the team.† Even Cody flushed at our crassness. Lucinda was practically purple. â€Å"You – you two have no sense of decency! None at all.† â€Å"Oh whatever,† I told her. â€Å"Back at the country club, or wherever you and the rest of the choir hang out, you probably wear a shorter version of that skirt all the time. With knee socks. I bet the other angels really go for the schoolgirl look.† If Lucinda were any one of my friends, a comment like that would have only escalated into more sarcasm and snide remarks. The guardian, however, merely stiffened and chose to rely on deadpan self-righteousness. â€Å"We,† she declared, â€Å"do not carry on in such an unseemly manner with each other. We act with decorum. We treat each other with respect. We do not turn on each other.† This last one came with a brief eye-glance toward me. â€Å"What was that for?† She tossed her hair, what little of it there was. â€Å"Oh, I think you know. We've all been hearing about your little vigilante act. First that vampire, then the imp. Nothing about you people surprises me anymore.† Now my face flushed. â€Å"That's bullshit! I was cleared of Duane a long time ago. And Hugh†¦ that's just stupid. He's my friend.† â€Å"What does friendship mean among your kind? He's just as bad. From what I heard, he received a great deal of amusement telling anyone who would listen about your little whip and wings getup. Oh, and by the way, if you don't mind my observation, I think that has to be the most degrading thing I've ever heard. Even for a succubus.† She arched a glance toward the book I had tossed to the counter. â€Å"I'll tell Mr. Carter you, uh, received the book.† With that, she turned neatly and left, closing the door behind her. â€Å"Sanctimonious bitch,† I muttered. â€Å"And how many people know about that demon girl thing anyway?† â€Å"Forget her,† said Peter. â€Å"She's a nobody. And an angel. There's no telling what they'll do.† I scowled. And then, it hit me. I couldn't believe I'd never thought of it before. Maybe Lucinda needed more credit. â€Å"That's it!† â€Å"What's it?† mumbled Cody through a mouthful of nearly cold pizza. â€Å"An angel killed Duane and attacked Hugh! It's perfect. You were right in saying a demon would have no reason to take our side out. But an angel? Why not? I mean a real one, not a guardian like Lucinda.† Peter shook his head. â€Å"An angel could do something like that, but it'd be too petty. The great cosmic good-versus-evil battle is bigger than one-on-one matches. You know that. Taking out one agent of evil at a time would be a waste of resources.† Cody considered. â€Å"What if it was a renegade angel? Someone not following the rules of the game.† Peter and I both turned to the younger vampire in surprise. He'd been more or less avoiding our speculation this evening. â€Å"There's no such thing,† his mentor countered back. â€Å"Is there, Georgina?† I felt both vampires' eyes turn to me, waiting for my opinion. â€Å"Jerome says there are no bad angels. Once they're bad, they become demons, not angels anymore.† â€Å"Well, that kills your theory then. An angel doing something bad would fall and not be an angel anymore. Then Jerome would know about him.† I frowned, still intrigued by Cody's use of the word â€Å"renegade† over â€Å"fallen.† â€Å"Maybe angel sin is like human sin†¦ it's not always ‘bad' if the person thinks they're doing ‘good.' This one hasn't gone over yet.† We all pondered this a moment. Humans continually labor under the delusion that there really is a precise set of rules on what sin is and is not, rules that one might break without even realizing it. In reality, most people know when they do wrong. They feel it. Sin is more of a subjective matter than an objective one. Back in the days of the Puritans, corrupting souls had been no problem for a succubus since almost anything sexual and pleasurable felt wrong to those men. Nowadays, most people don't regard premarital sex as wrong, hence no sin is committed. Succubi have been forced to become more creative over the years if they want to get an energy fix and corrupt a soul. Still, by that logic, it was possible that a renegade angel who believed he or she was doing good might not cross into the realm of sin. If there was no sin, then there could be no fall. Or could there be? The whole concept strained the mind, and Peter apparently thought so too. â€Å"So what's the difference? What makes an angel fall? We're staking a lot here on a technicality.† I could have concurred until I recalled something else. â€Å"The note.† â€Å"Note?† asked Cody. â€Å"The note that was on my door. It said I was beautiful enough to tempt angels into falling.† â€Å"Well, you do look pretty good.† When I raised an eyebrow, Peter said grudgingly, â€Å"Okay, that is kind of suspicious†¦ but it's almost too suspicious. Why would someone overtly leave a calling card?† Cody nearly jumped out of his seat. â€Å"It's some kind of psycho angel who likes playing mind games. Like in those movies where killers carve clues into their victims, so they can watch the police puzzle things out.† I shuddered at that image as I thought over what I knew about angels in general, which really was nothing. Unlike our side, the powers of good did not have the same cryptic hierarchy of supervisors and geographical networks, no matter the stories about cherubim and seraphim. After all, we were the ones who had invented middle management, not them. I always had the impression that most angels and denizens of good operated like private investigators or field agents, completing assorted angelic missions in a very loosely organized way. Such an open venue would provide ample chance for someone to surreptitiously tackle a side agenda. Angelic involvement would also explain the subterfuge, I reflected. Their side was embarrassed. Typical, really. Little embarrassed our side anymore. They, however, would be shamefaced to admit one of theirs had turned rogue, and Carter, being so chummy with Jerome, had conned the demon into keeping quiet about the whole matter. All of his sarcasm and attempts to mock me were only more weak efforts at saving face. The more I considered this far-fetched theory, the more I liked it. Some disgruntled angel, wanting to be heroic, decided to turn vigilante and take on the forces of evil. The renegade angel theory would explain how any of us could be legitimate targets, as well as shed light on why no one could sense this being since we now knew higher immortals could hide their presence. Which made me wonder why exactly Jerome and Carter were also masking their presence. Were they hoping to catch this angel unaware? That, and†¦ â€Å"Why'd this person let Hugh live then?† I looked from vampire to vampire. â€Å"An angel could take out any of us. Hugh said he wasn't winning, and no one interrupted. The attacker just got bored and took off. Why? Why kill Duane but not Hugh? Or me, for that matter, since this person knows what I am.† â€Å"Because Duane was an asshole?† suggested Peter. â€Å"Personality aside, we all weigh in just as heavily on the evil side. Hugh maybe even more so.† Indeed, Hugh was in his prime as far as immortals went. He no longer held a novice's inexperience like Cody, nor had the imp grown world-weary and bored like Peter and I had. Hugh knew enough now to be good at his job, and he actually liked what he did. He should have been a prime target for any angelic vigilante wanting to make the world a better place. Cody agreed with Peter. â€Å"Yeah. Evil or not, some of us are more likable than others. Maybe an angel could respect that.† â€Å"I doubt an angel would find any of us likable – â€Å" I cut myself off. One angel did like us. One angel hung out with us a lot. One angel who seemed to be everywhere Jerome was lately when these attacks happened. One angel who knew us personally, who knew all of our habits and weaknesses. What better way was there to track and study us than to infiltrate our drinking group and pretend to be a friend? The idea was so explosive, so dangerous, I felt ill at ease just giving shape to the thought. I certainly couldn't utter any of it aloud. Not yet. Cody and Peter hardly believed the angel theory at all. I doubted they'd jump on board if I started accusing Carter. â€Å"You okay, Georgina?† Cody queried when I lapsed into silence. â€Å"Yeah†¦ yeah†¦ fine.† I caught a glimpse at the time on the stove and jumped up from my chair, head still reeling. â€Å"Shit. I've got to get back to Queen Anne.† â€Å"What for?† asked Peter. â€Å"I have a date.† â€Å"With who?† Cody grinned slyly at me, and I blushed in response. â€Å"Roman.† Peter turned to his apprentice. â€Å"Which one is that?† â€Å"The hot dancing guy. Georgina was all over him.† â€Å"I was not. I like him too much for that.† They laughed. As I picked up my coat, Peter asked: â€Å"Hey, I don't suppose you could do me a favor sometime?† â€Å"What?† My mind still clung to the mystery winding around us. That, and Roman. He and I had talked on the phone a few times now since the last date, and I was growing more and more amazed at just how well we clicked. â€Å"Well, you know how they've got those computer programs in salons that will show you what you'll look like with different colors and cuts? I was thinking you could be like a living one. You could morph into me and show me what I'd look like with different hairstyles.† Silence hung in the room for a full minute as Cody and I stared at him. â€Å"Peter,† I told him at last, â€Å"that's the stupidest idea I've ever heard.† â€Å"I don't know.† Cody scratched his chin. â€Å"For him, it's not bad.† â€Å"We have too many other issues to deal with right now,† I warned, having no patience to humor Peter with niceties. â€Å"I'm not wasting my energy on your vanity.† â€Å"Come on,† pleaded Peter. â€Å"You're still brimming from that good virgin guy. You can spare it.† I shook my head, slinging my purse over one shoulder. â€Å"Succubus 101. The farther a transformation takes me from my natural form, the more energy it expends. Cross-gender changes are a pain in the ass; cross-species ones are even worse. Playing salon with you would burn through most of my stash, and I've got better things to waste it on.† I eyed him dangerously. â€Å"You need some serious counseling for body image and insecurity, my friend.† Cody regarded me with new interest. â€Å"Cross-species? Could you, like, turn into a Gila monster or†¦ or†¦ a sand dollar or something?† â€Å"Good night, boys. I'm out of here.† As I departed, I could just barely hear Peter and Cody debating if it would take more energy for me to change into a really small mammal or a human-sized reptile. Vampires. Honestly, they're like children sometimes. I drove home in record time. I remembered to shape-shift my heels into sandals and walked up to my building's door just as Roman did. Seeing him banished any lingering thoughts of angels and conspiracies. He had told me to dress casually for this evening, and while he had done the same, he still managed to make jeans and a long-sleeved T-shirt look like runway fashion. I apparently had the same effect on him because he caught me up in a giant bear hug and kissed my cheek. â€Å"Hey, gorgeous,† he murmured into my ear, holding on to the embrace a bit longer than necessary. â€Å"Hey, yourself.† I disentangled my body from his and smiled up at him. â€Å"You're so short,† he noted, cupping my cheek in his hand. â€Å"It's cute.† Those eyes threatened to engulf me, and I hastily turned away before I did something stupid. â€Å"Let's go.† I paused. â€Å"Um, where are we going?† He led me to his car, parked just down the street. â€Å"Since you seem to be so good with your feet, I thought I'd take us somewhere to test the rest of your bodily coordination.† â€Å"Like a hotel room?† â€Å"Damn. Am I that obvious?† Several minutes later, he pulled into a dilapidated establishment with a blinking neon sign reading BURT's BOWLING ALLEY. I stared in open distaste, unable to hide my feelings. â€Å"This is your choice of date? A bowling alley? Not even a nice one at that.† Roman seemed unconcerned about my lack of enthusiasm. â€Å"When was the last time you actually went bowling?† I suspected it had been back in the 1970s. â€Å"Not in a very long time.† â€Å"Exactly. You see,† he began conversationally as we went inside and approached the counter, â€Å"I've got you figured out. You claim you don't want to get serious with anyone, but I still get the impression you go out a lot. Size ten, please.† â€Å"Six and a half.† The cashier gave us each a pair of unsavory-looking shoes, and I felt grateful germs posed no threat to me. Roman handed over some cash, and she gestured us down to our designated lane. â€Å"Anyway, like I was saying, regardless of your intentions, you must still end up dating quite a bit. I don't know how you couldn't with the attention you attract.† â€Å"What's that supposed to mean?† I sat down by our lane and took off my Birkenstocks, still eyeing the rental shoes askance. Roman paused in his own shoe-tying and gave me a long, steady look. â€Å"Oh come on, you can't be that oblivious. Men check you out all the time. I always see it when I'm with you. Walking through the bookstore, going to that bar the other night. Even here, in this place. In just walking over from the counter, I saw at least three guys stop and watch you.† â€Å"Is there a point here somewhere?† â€Å"Eventually.† He stood up, and we walked over to a rack of communal bowling balls. â€Å"With all that attention, guys must ask you out all the time, and you must give in sometimes, just like you did with me. Right?† â€Å"I guess.† He paused in his ball selection and gave me another one of those breathtaking, soul-searching looks. â€Å"So tell me about your last date.† â€Å"My last date?† I somehow didn't think Martin Miller counted. â€Å"Your last date. I mean a real date, not like a casual grabbing a drink thing. A date where the guy gave his best shot at planning an itinerary he thought would get you into bed.† I tested the weight of a fluorescent orange and green swirled ball, racking my brain. â€Å"The opera,† I said at last. â€Å"And dinner at Santa Lucia's.† â€Å"Nice spread. And the one before that?† â€Å"Jesus, you're nosy. Um†¦ let's see, I think it was the opening of an art exhibit.† â€Å"Undoubtedly paired with dinner at some restaurant where stiff waiters say ‘thank you' after you make a selection, right?† â€Å"I guess.† â€Å"Just as I thought.† He hoisted a navy blue ball into the crook of his arm. â€Å"This is why you're resistant to dating, why you don't want to get serious with anyone. You're such a hot commodity that plush, five-star dates are par for the course. They're ordinary. Men try to throw out all the stops for you, but after a while, you get bored with them.† His eyes danced mischievously. â€Å"Therefore, I will differentiate myself from those losers by taking you to places your little elitist feet would never dream of touching. The salt of the earth. Back to basics. The way dating was meant to be: two people, more concerned with each other than their posh venue.† I walked with him back to our lane. â€Å"You just took an awfully long time to say you think I want to go slumming.† â€Å"Don't you?† â€Å"No.† â€Å"Then why are you with me?† I eyed that gorgeous appearance and thought about the conversation we'd had the other night on classical languages. Looks and intellect. Hard to beat. â€Å"You're hardly slumming it.† He smiled at me and changed the subject. â€Å"That's your choice?† I looked down at the ball's psychedelic color pattern. â€Å"Yeah. This night is already turning surreal enough. Figured I might as well get the full experience. Maybe we'll drop some acid later.† Roman's eyes crinkled with amusement, and he cocked his head toward the lane. â€Å"Let's see what you can do with it.† I stepped up uncertainly, trying to remember how I used to do this. All up and down the alley, I could see other players walking up and throwing with ease. Shrugging, I stood at the line, drew my arm back, and threw. The ball flew out jerkily, sailed about four feet, hit the lane with a loud crack, and then promptly entered the gutter. Roman walked up beside me, and we silently watched the ball complete its journey. â€Å"Are you always that rough with balls?† he asked finally. â€Å"Most men don't complain.† â€Å"I imagine not. Try making contact with the floor before you let it go this time.† I gave him a sharp look. â€Å"You aren't one of those guys that gets off from showing women how much better you are at stuff, are you?† â€Å"Nope. Just offering friendly advice.† My ball returned, and I followed his instructions. The ball's impact proved quieter that way, but I still ended up in the gutter. â€Å"All right. Show me what you can do,† I grumbled, sitting down huffily into a chair. Roman strode up to the lane, movements graceful and flowing like a cat's. The ball poured from his hand like water from a pitcher, sailing smoothly down and hitting nine pins. When his ball returned, he threw it effortlessly once more and took out the obstinate tenth. â€Å"This is going to be a long night.† â€Å"Cheer up.† He chucked my chin. â€Å"We'll get you through this. Try it again, and aim more toward the left. I'm going to get us some beers.† I threw to the left as advised but only succeeded in hitting the left gutter. On my second throw, I tried greater moderation and managed to hit one pin on the far left. I whooped in spite of myself. â€Å"Nicely done,† cheered Roman, setting two mugs of cheap beer down on the table. I hadn't drunk anything not from a microbrewery in over a decade. â€Å"It's all about baby steps.† That certainly turned out to be true as our evening progressed. My pin count increased slowly, though I soon developed the nasty habit of creating splits on my first throw. I showed no aptitude for picking them up, despite Roman's best explanations. To his credit, he gave good, nonthreatening advice, as well as some hands-on instruction. â€Å"Your arm goes like this, and the rest of you leans like this,† he explained, standing behind me with one hand on my hip and the other on my wrist. My flesh warmed at his touch, and I wondered if his actions were truly driven by altruism or were an excuse to get his hands on me. I exercised such techniques regularly in succubus work. It drove men wild, and now I knew why. Ruse or no, I didn't tell him to stop. I hit my peak in the second game, even managing one strike, though my performance declined in the third round as beer and fatigue took over. Sensing this, Roman called our bowling adventures closed, lauding my progress as highly impressive. â€Å"Do we have to go to a dive now for dinner, in order to keep with this dream-date slumming fantasy you've got going?† He put his arm around me as we walked out to the car. â€Å"I guess that depends if you've succumbed to my wily charm or not.† â€Å"If I say yes, will you take me somewhere good? Sometimes the posh places do work, you know.† We ended up at an upscale Japanese restaurant, much to my satisfaction. Taking our time, we savored both food and conversation, and again Roman's knowledge and wit impressed me. This time we discussed current issues, sharing opinions on recent news and culture, things we liked, things that drove us crazy, etc., etc. I discovered Roman had traveled quite a bit and held strong views on world politics and affairs. â€Å"This country is so in love with itself,† he complained, sipping sake. â€Å"It's like one big mirror. It just sits all day and looks at itself. When it can be bothered to look away, it's only to tell others ‘do this' or ‘be just like me.' Our military and economic policies bully people outside our borders, and inside, conservative groups bully other citizens. I hate it.† I listened with interest, intrigued at this side of a normally light and easygoing guy. â€Å"So do something about it. Or leave.† He shook his head. â€Å"Spoken like a comfortable citizen. The old ‘if you don't like it, you can just leave' policy. Unfortunately, it's a lot harder than that to cut yourself off from your roots.† Leaning back, he forced levity with a small grin. â€Å"And I do do things here and there. Small acts. My own battle against the status quo, you know? Attend the occasional protest. Refuse to buy products made with third world labor.† â€Å"Avoid fur? Eat organic food?† â€Å"That too,† he chuckled. â€Å"Funny,† I said after a moment's silence. Something had just struck me. â€Å"What?† â€Å"This whole time, we've talked about current things. No sharing of traumatic childhoods, college days, exes, or whatever.† â€Å"So what's funny about that?† â€Å"Nothing really. It's just that the human mating process usually seems to dictate everyone share their histories.† â€Å"You want to do that?† â€Å"Not really.† I actually hated that part of dating. I always had to edit my past. I hated the lying, having to keep track of my stories. â€Å"I think the past plagues us enough without muddling it into our present. I'd rather look forward, not backward.† I studied him curiously. â€Å"Does your past plague you?† â€Å"Very much so. I fight every day to not let the past overtake me. Sometimes I win, sometimes it does.† God only knew mine did the same. It was odd to talk to someone about this, someone who felt the same way. I wondered how many people in the world walked around with invisible baggage, hiding it from others. Even while packing said baggage, I'd always kept it concealed. I had a driving need to keep up surface appearances – hence the so-called â€Å"happy face.† I'd smiled and nodded through the worst times of my life, and when that superficial reaction had not been enough, I'd finally just run – even though it cost me my soul. I smiled slightly. â€Å"Well then. I'm glad you and I stick to the present.† He tweaked my noise. â€Å"Me too. In fact, my present is looking pretty damned good right now. Maybe my future too, if I keep weakening your resolve.† â€Å"Don't push it.† â€Å"Aw, come on. Admit it. You find my outrage at the powers-that-be endearing. Maybe even erotic.† â€Å"I think ‘entertaining' would be a better word. If you want outrage, you should spend time with Doug, my coworker. You guys have a lot in common. By day he cleans up and plays respectable assistant manager, by night he's the lead singer of this wacky band, registering his discontent against society through music.† Roman's eyes flickered with interest. â€Å"Does he play around here?† â€Å"Yup. He'll be at the Old Greenlake Brewery this Saturday. Me and some of the other staff are going.† â€Å"Oh yeah? What time should I meet you?† â€Å"I don't recall inviting you.† â€Å"Don't you? Because I could have sworn you just named a day and place. Sounded like a passive invitation to me. You know, the kind where it'd be my job to say ‘mind if I come along,' and then you say ‘yeah, no problem,' and so it goes. I just skipped a few steps.† â€Å"Most efficient of you,† I observed. â€Å"So†¦ mind if I come along?† I groaned. â€Å"Roman, we can't keep going out. It was cute at first, but it was only supposed to be one date. We've already gone past that. People at work think you're my boyfriend.† Casey and Beth had informed me recently what a † hottie† I had. â€Å"Do they?† He looked very happy about this. â€Å"I'm not joking here. I mean it when I say I don't want to get serious with anyone right now.† And yet, I didn't really mean it. Not in my heart. I'd spent centuries cutting myself off from any sort of meaningful attachment with another person, and it hurt. Even when I had purposely cultivated relationships with nice guys in my succubus glory days, I had immediately dropped them and disappeared post-sex. In some ways, my life now was even harder. I avoided the guilt of stealing a nice man's life energy, but I never had true companionship either. No one who cared exclusively for me. Sure, I had friends, but they had their own lives, and those who got too close – like Doug – had to be pushed away again for their own good. â€Å"Don't you believe in casual dating? Or even male-female friendships?† â€Å"No,† I answered decisively. â€Å"I do not.† â€Å"What about the other males in your life? That Doug guy? The dance instructor? Even that writer? You're friends with them, aren't you?† â€Å"Well, yeah, but that's different. I'm not attracted – â€Å" I bit off my words, but it was too late. Roman's face bloomed with hope and pleasure. He leaned toward me, touching my cheek with his hand. I swallowed, terrified and thrilled by how close he was. Beer and sake had made me fuzzy in body and mind, and I made a mental promise not to drink the next time we went out. Not that we were going out again†¦ right? Alcohol confused my senses, made it harder to differentiate between the succubus feeding instinct and pure, primal lust. Either one was dangerous around him. And yet†¦ in that moment, lust wasn't even really the issue. He was. Being with him. Talking to him. Having someone in my life again. Someone who cared about me. Someone who understood me. Someone I could go home to. And with. â€Å"What time should I meet you?† he murmured. I looked down, suddenly feeling warm. â€Å"It's a late show†¦Ã¢â‚¬  His hand slid from my cheek to the back of my neck, intertwining with my hair and tipping my face toward his. â€Å"You want to hang out beforehand?† â€Å"We shouldn't.† My words all seemed long and drawn-out, like I was swimming in molasses. Roman leaned over and kissed my ear. â€Å"I'll be at your place at seven.† â€Å"Seven,† I repeated. His lips moved to kiss the part of my cheek closest to my ear, then the cheek's center, then just below my mouth. His lips hovered so close to mine; my whole body concentrated on that proximity. I could feel the heat from his mouth, like it had its own private aura. Everything moved in slow motion. I wanted him to kiss me, wanted him to consume me with his lips and his tongue. I wanted it and feared it, yet felt powerless to act either way. â€Å"Can I get you something else?† The waiter's mildly embarrassed voice shattered my numbing haze, snapping me back to reason, reminding me what would happen to Roman even with a kiss. Not too much, true, but enough. I broke out of his grasp and shook my head. â€Å"Nothing else. Just the check.† Roman and I spoke little after that. He drove me home and made no advances when he walked me to the door, only smiling kindly as he chucked me under the chin again and reminded me he'd be by at seven on Saturday. I went to bed restless and aching for sex. The alcohol helped me fall asleep easily, but when I awoke in the morning, lying in bed in a drowsy state, I could still remember how it had felt to have his lips so close to mine. The lustful yearning returned with a vengeance. â€Å"This is no good,† I complained to Aubrey, rolling out of bed. I had three hours before work and knew I needed to do something other than daydream about Roman. Remembering that I had never followed up with Erik, I decided I should pay him a visit. The vampire hunter theory was more or less obsolete as far as I was concerned, but he might have found something else of use. I could also ask him about fallen angels. Considering the whole â€Å"stashing† threat, I probably should have experienced more concern about going back to Arcana, Ltd. Still, I felt more or less safe. One thing I had learned about the archdemon was that he was not a morning person. He didn't really need rest, of course, but it was a mortal luxury he'd taken to wholeheartedly. I expected him to still be asleep, wherever he was, with no way of knowing what I planned to do. Dressing and eating breakfast, I soon hit the road to Lake City. I found the shop effortlessly now, feeling dismay once more at its barren look and empty parking lot. Yet, when I entered, I saw a dark shape leaning over a corner of books, too tall to be Erik. Pleasure at the thought of Erik getting more business coursed through me until the figure straightened and fixed me with a sardonic, gray-eyed expression. â€Å"Hello, Georgina.† I swallowed. â€Å"Hello, Carter.†