Intrusion Detection System for Botnet Attacks in Wireless Networks Using Hybrid Detection Method Based on DNS

Raimundo Pereira da Cunha Neto, Zair Abdelouahab, Valéria Priscilla Monteiro Fernandes and Bruno Rodrigues Froz

Abstract The expansion of defense mechanisms to combat attacks has driven the evolution of malware, which has become more structured in order to break through these new defensive barriers. Among the many kinds of malware, Botnets have become the biggest cyber threat because of their command-and-control capability and their capacity for distributed attacks. In wireless networks, signal propagation through unguided media facilitates the actions of malware. This vulnerability makes wireless networks susceptible to Botnet attacks, which can establish control over their activities. This article presents a model of an Intrusion Detection System for Wireless Networks (WIDS) that aims to extend Botnet detectors by using multi-agent technology, offering a collection of sensors, a preprocessing filter, and detection based on signatures and anomalies.

R. P. da Cunha Neto (✉) · Z. Abdelouahab · V. P. M. Fernandes · B. R. Froz
Federal University of Maranhão—UFMA, Campus do Bacanga, São Luís, MA 65080-040, Brazil
e-mail: [email protected]

Z. Abdelouahab
e-mail: [email protected]

V. P. M. Fernandes
e-mail: [email protected]

B. R. Froz
e-mail: [email protected]

T. Sobh and K. Elleithy (eds.), Emerging Trends in Computing, Informatics, Systems Sciences, and Engineering, Lecture Notes in Electrical Engineering 151, DOI: 10.1007/978-1-4614-3558-7_59, © Springer Science+Business Media New York 2013

689

1 Introduction

Over the years, wireless network technology has come into wide use in corporate, household and public networks, such as malls, airports and restaurants, because of its ease of deployment and practicality of use. The widespread deployment of wireless networks has also brought new challenges to security and privacy. Their organizational structure facilitates invasion by various types of attacks, such as denial of service, sniffing and man-in-the-middle, among others.

Among the growing number of attacks, Botnets stand out for the organization with which they carry out distributed attacks and for their impact on major networks around the world [1], which can wreak havoc on mobile devices and on the services deployed on them.

Among today's defensive tools, we highlight Intrusion Detection Systems (IDS) as mechanisms that focus on detecting intrusive activity on networks [1]. Many of the proposed IDS technologies complement each other, because different approaches perform better in different types of environment. The Intrusion Detection System for Wireless Networks (WIDS) proposed in this study aims at the collection and analysis of packets transmitted within the network, supported by the use of agents to improve the detection of intruders in wireless networks, with emphasis on attacks from a Botnet.

The paper is organized as follows. Section 2 introduces Botnets. Section 3 is about IDS, the focus of this work. Section 4 presents related work. Section 5 describes the model proposed by this work. In Sect. 6 the implementation of the model is presented. Sections 7 and 8 describe the results and conclusions of our work.

2 Botnet

A Botnet is a network of compromised computers, called bots, under the control of a remote human operator, the "Botmaster". The term "bot" is derived from the word "robot". Bots are host devices designed to perform some pre-defined functions in an automated fashion, which enables the Botmaster to remotely control the attack actions [1–5].

Unlike other malware such as viruses and worms, which focus on attacking the infected host, Botnets have a command-and-control structure, shown in Fig. 1, in which Command and Control (C & C) servers receive commands from the Botmaster and pass them on to the bots, which execute them, forming a platform for distributed attacks [6, 7].

690 R. P. da Cunha Neto et al.

2.1 The Architecture

The architectural organization of a Botnet is composed of three basic elements:

i. Botmaster
The Botmaster is the human controller of a Botnet. It operates remotely, controlling the bots through commands sent to the C & C server, which communicates with the bots [1–4, 6]. Usually the Botnet is controlled by its creator, but many Botnets are created to be marketed and leased out for criminal actions.

ii. C & C server
The C & C server is responsible for communication between the bots and the Botmaster, relaying the commands to carry out attacks. According to their command and control structure, Botnets can be categorized as IRC based, HTTP based, DNS based or Peer to Peer (P2P) based [1, 2, 7]. P2P Botnets use a P2P protocol to avoid a single point of failure; as a result, P2P Botnets are harder to locate and their C & C cannot be shut down by taking a single server offline. The most prevalent Botnets are based on the Internet Relay Chat (IRC) protocol [1], with centralized command and control mechanisms.

iii. Bot or Zombie
This is the compromised computer or device, remotely controlled by the Botmaster to perform the commands it receives. Once the malware code has been installed on the infected computer, the computer becomes a zombie or robot [1, 2, 7]. Bots are normally spread across the Internet, looking for unprotected and vulnerable computers to infect. When they find an unprotected computer, they infect it and then send a report to the Botmaster [6].

Fig. 1 Botnet architecture

Intrusion Detection System for Botnet Attacks in Wireless Networks 691

2.2 Life Cycle

A typical Botnet is created and maintained in four phases [2]; this cycle, as applied to wireless networks, is shown in Fig. 2:

i. Initial infection: the hosts are infected in several ways, such as active exploitation of vulnerabilities in the device, malware automatically downloaded when viewing web pages, or malware automatically downloaded and executed by opening an e-mail. In wireless networks this infection can be made easier by the structure of the network: the attack can be launched directly at the device without the need to use the wired network infrastructure.

ii. Secondary injection: after being infected, the host runs the bot code and starts the rally, which is the process of connecting to the C & C server; from that stage on, the bot awaits the commands sent by the Botmaster.

iii. Malicious activities: in this stage the bot communicates with the C & C server, which sends instructions to perform actions such as sending spam or launching a DDoS attack.

iv. Update and maintenance: because of the large volume of information exchanged within a Botnet, such as information captured by the bots, it is necessary to update the bots with new commands and to change the C & C server when the previous server's service goes down.

2.3 Activities

Botnets, as presented earlier, have a control structure for performing various activities [8]; these actions are listed below:

Fig. 2 Botnet lifecycle in wireless networks


(i) The Distributed Denial of Service (DDoS) attack is carried out through the action of all the active bots, which target a computer system or network, causing loss of service.

(ii) Key logging: with the help of a key logger it is very easy for a bot to obtain sensitive information; it receives the command and performs the gathering.

(iii) Traffic sniffing: the bots also use a sniffer to observe clear-text data, with the purpose of obtaining confidential information such as usernames, passwords and bank details, among others.

(iv) Manipulation of online polls: the bots, which have different IP addresses, each cast a vote in the poll, which then validates them as real people.

(v) Distribution of new malware is achieved by the bots using mechanisms to download and execute a file over HTTP or FTP.

2.4 Botnet Use of DNS

In some situations Botnets make use of the DNS protocol during their operation [9]; these situations are:

i. The infected devices automatically seek access to the C & C server through its domain name. This occurs as a group, since the bots perform tasks together.

ii. On migration of C & C servers, the Botnet must perform a DNS query when migrating to another C & C server.

iii. On a change of the C & C server's IP address: if a C & C server uses a dynamic IP, the corresponding IP address can change at any time, and the Botmaster can also change the IP address of the C & C server intentionally to make detection more difficult. After the change of IP address the bots can no longer connect to the old address, so they need to send a DNS query to reach the new C & C server.

iv. In malicious activities, the bots starting a DDoS or spam campaign are accompanied by DNS transmissions.
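Situations (i) to (iii) above leave a trace that can be measured in the DNS traffic alone: one name queried by several internal hosts within a short window (the bots rallying together), and the same name resolving to a new address from one moment to the next (migration or a dynamic-IP change). The following Python is an added example, not code from the paper; the four-column log format ("epoch client qname answer", with "-" for an unanswered query), the window and host-count thresholds, and the sample entries are all constructed for it.

```python
"""Group-activity and address-change checks over DNS queries (added example).

Log format assumed for this example: "<epoch> <client> <qname> <answer>",
one query per line, "-" as the answer when the lookup returned nothing.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DnsEvent:
    ts: float      # capture time, seconds since the epoch
    client: str    # internal host that sent the query
    qname: str     # queried name, lower-cased, no trailing dot
    answer: str    # A record returned, or "" when unanswered


def parse_dns_log(text: str) -> List[DnsEvent]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip blank or malformed lines
        ts, client, qname, answer = parts
        events.append(DnsEvent(float(ts), client, qname.lower().rstrip("."),
                               "" if answer == "-" else answer))
    return sorted(events, key=lambda e: e.ts)


def group_activity(events: List[DnsEvent], window: float = 60.0,
                   min_hosts: int = 3) -> Dict[str, int]:
    """{qname: peak number of distinct clients within `window` seconds}
    for every name that reaches `min_hosts` (bots resolving C & C together)."""
    by_name: Dict[str, List[DnsEvent]] = defaultdict(list)
    for e in events:
        by_name[e.qname].append(e)         # keeps the global time order
    flagged = {}
    for qname, evs in by_name.items():
        active: Counter = Counter()        # clients inside the sliding window
        left, peak = 0, 0
        for e in evs:
            active[e.client] += 1
            while e.ts - evs[left].ts > window:
                old = evs[left].client
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_hosts:
            flagged[qname] = peak
    return flagged


def address_changes(events: List[DnsEvent]) -> Dict[str, List[str]]:
    """{qname: answers in order of first appearance} for names whose answer
    changed: candidates for C & C migration or an intentional IP change."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.answer and e.answer not in seen[e.qname]:
            seen[e.qname].append(e.answer)
    return {q: a for q, a in seen.items() if len(a) > 1}


# Constructed sample: three hosts rally to one name within 20 s, and fifteen
# minutes later the same name resolves to a different address.
SAMPLE_LOG = """\
1285340400.0 10.0.2.15      cc.example.invalid  198.51.100.7
1285340405.0 10.0.2.16      cc.example.invalid  198.51.100.7
1285340418.0 192.168.88.130 cc.example.invalid  198.51.100.7
1285340410.0 10.0.2.15      www.example.org     93.184.216.34
1285340900.0 10.0.2.16      www.example.org     93.184.216.34
1285341300.0 10.0.2.15      cc.example.invalid  203.0.113.9
1285341301.0 10.0.2.16      cc.example.invalid  -
"""


def analyse(text: str = SAMPLE_LOG):
    events = parse_dns_log(text)
    return group_activity(events), address_changes(events)


if __name__ == "__main__":
    groups, moves = analyse()
    print("group activity:", groups)      # {'cc.example.invalid': 3}
    print("address changes:", moves)      # {'cc.example.invalid': ['198.51.100.7', '203.0.113.9']}
```

Both signals are also produced by legitimate popular names (a content delivery network answers with changing addresses and is queried by every host), which is why the model described later filters whitelisted names before any anomaly check and why the thresholds must be set from the network's own baseline.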

3 Intrusion Detection System

IDS are security tools that, like other measures such as antivirus, firewalls and access control systems, are intended to enhance the security of information and communication systems [8]. They are considered a second line of defense, since they aim to evaluate the data of a system and take measures of prevention and protection [10, 11]. In order to detect such behavior, intrusion detection systems typically contain two types of components [12]:


• Components of data collection;
• Components of data analysis.

3.1 Classification of IDS by Type of Data Collection

Components of data collection are entities responsible for monitoring and collecting data about user and application activity. The collected data are then used by a second type of component, called analysis components [10–12]. Two main approaches to data collection have traditionally been used, which classify intrusion detection systems into two types:

i. Host-based IDS (HIDS), which runs on a host and focuses on collecting that host's data, generally through the audit logs of the operating system;

ii. Network-based IDS (NIDS), which works at the network level and focuses on data collection by monitoring the traffic flowing through the network.

3.2 IDS Classification by Type of Data Analysis

Once data is collected it is necessary to analyze it to detect malicious activity. IDS normally incorporate analysis mechanisms that automatically analyze the data collected by several collectors to detect malicious activity. Data analysis involves consolidating the data from the IDS, possibly in a central location, and identifying malicious activity [12]. We highlight three types of analysis techniques:

i. Signature-based IDS
This type of IDS aims to detect intruders through the use of attack signatures. These signatures are composed of a set of rules that characterize the intruder. This process simplifies detection. However, signature-based detection techniques can only detect known Botnets; this solution is not useful for unknown bots [10, 12].

ii. Anomaly-based IDS
Detection techniques based on anomalies [10, 12, 13]. This type of IDS is designed to detect Botnets based on anomalies in network traffic, such as high network latency, high traffic volumes, traffic on unusual ports and abnormal system behavior, which could indicate the presence of malicious bots on the network [1, 3].

iii. Hybrid IDS
An IDS that applies signature and anomaly techniques together is called a Hybrid IDS. The aim is to increase the power of intrusion detection, because such systems can detect both known and unknown attacks. The present work uses this technique.


4 Related Work

Botnets have dynamic characteristics that make them difficult to detect with traditional IDS. The range of techniques used by bots, and the control structure exercised by the Botmaster, give a Botnet high attack power and flexibility in varying its activities. Botnet detection techniques have been developed; we highlight the following work relevant to the context of this article.

Snort, one of the most widely used IDS today [10], is an open source tool that monitors network traffic for signs of intruders, configured through a set of rules and signatures, and logs traffic that is considered suspicious [1, 12, 14]. New Botnets require human intervention to create signatures for their detection.

Szymczyk [4] proposes an approach for Botnet detection in computer networks using multi-agent technology. The proposed system detects bots based on the assessment of events in the operating system and network environment. Detection is performed using algorithms based on signatures derived from analysis of different types of malicious bot software. As with Snort, this model does not detect bots that are not in its signature database.

Choi et al. [9] developed a Botnet detection system that follows group activities in DNS traffic. This architecture for Botnet detection combines the detection of queries from the bots and of the migration of C & C servers, which requires the use of DNS traffic data. This model is well suited to detecting incoming Botnet traffic when large-scale DNS traffic data is collected by sensors deployed, usually, across different networks. DNS-based Botnet detection is one of the most promising approaches because it detects Botnets regardless of their structure, centralized or distributed. However, this model requires evaluation time, since bots spread rapidly.

5 Model System for Hybrid Intrusion Detection

The proposed solution was built as a hybrid detection system based on DNS for wireless networks, using agents to support the architecture of the project. The architecture and its functionality are described below.

5.1 IDS Architecture

The architecture of the proposed model is shown in Fig. 3. In this paper we highlight the use of a WIDS for Botnet detection supported by a set of agents that interact directly or indirectly to collect, filter and analyze packets in wireless networks. The model uses packet filtering through a WhiteList and a BlackList, in addition to signature and anomaly analysis, to minimize false positives.

i. Monitoring Agent
The function of this type of agent is to capture packets on the wireless network. The monitoring agent is placed at strategic points of the network and works as a passive network monitor in promiscuous mode, so it does not interfere with the performance of the network or its traffic. In this work packet capture is concentrated in the region close to the Access Point, because it is the concentration point of the wireless network. The collected data is stored in the Collection Database.

ii. Filtering Agent
This agent receives the collected data and performs packet filtering. This procedure reduces the number of packets to be analyzed by the Analysis Agent, since it eliminates the packets classified during filtering. The filter is composed of two databases: BlackList and WhiteList.

1. WhiteList
In this kind of filter, all allowed DNS names are listed so that their traffic is treated as authorized and not suspicious. In this model the WhiteList is supplied by the system administrator rather than taken from the series of WhiteLists organized by research groups. Pre-existing lists are not used in order to keep the list small, so that it contains only the DNS names actually needed by the network's users. The filter is applied to the captured packets, and those matched by the filter are discarded; in this case there is no alert from the reaction agent, because this filter only aims to eliminate benign packets.

Fig. 3 WIDS architecture model


2. BlackList
There are a great number of lists, shared by several online communities, containing suspicious IPs. These lists are generally known as "black" lists [15]. Many of these lists are used to help block spam, malicious attacks or nuisance users. Some blacklists are an excellent source of information when the data is used correctly, but some are so poor that any use of them would be detrimental to the tool.
The list of suspicious IPs is collected daily from the Shadowserver Foundation, as seen in List 1, and exported to the tool, where it is stored in the BlackList Database. Entries stay in the database for a period of 60 days, after which they are automatically deleted, because the IPs flagged as suspicious rotate over time. This keeps the database from growing too large for filtering. As with the WhiteList, the captured packet is checked against the filter, where the IPs are compared. In the case of a match, the packet is removed from the analysis pipeline and sent to the Response Agent so that the intruder can be identified.

iii. Signature Analysis Agent
At this stage the signature analysis agent is responsible for examining the packets that pass through the filtering process. The collected packets are formatted so that attack patterns can be identified and an attack subsequently confirmed. For this, we use the intrusion signature database. These signatures are composed of rules for detecting Botnet attacks.
The most prevalent Botnets are based on the IRC protocol [1] as a command and control mechanism. IRC was originally designed for large social chat rooms, to allow multiple forms of communication and dissemination of data among large numbers of hosts. The high prevalence of IRC-based Botnets is due to the inherent flexibility and scalability of the protocol; this protocol usually uses ports 6667, 6668, 6669 and 7000. These features contribute to building a signature database in which relevant information about each type of Botnet is collected.
Intruders detected by this agent are reported to the reaction agent, and packets that do not match any signature are forwarded for further review by the anomaly analysis agent.

iv. Anomaly Analysis Agent
This agent receives the filtered packets that were not detected by signature analysis; these packets are analyzed to detect intruder activity according to anomalous behavior.
This agent uses anomaly detection algorithms applied to DNS traffic. As mentioned in Sect. 2, the bots begin by connecting to the C & C server to receive commands. To reach the C & C server they perform DNS queries to locate it. Thus, it is possible to detect the Botnet's DNS traffic by monitoring and detecting anomalies in DNS traffic [1]. Intruder activities are forwarded to the response agent, so that actions can be taken to prevent and protect the wireless network.


v. Response Agent
This agent takes countermeasures when a security incident is detected based on the evaluation of the BlackList, Signature Analysis and Anomaly Analysis agents. These countermeasures are taken in accordance with the Reactions Database, notifying the administrator or even blocking the attacker's signal.

vi. Administrative Agent
The administrative agent integrates all the agents of the WIDS. It is responsible for updating the information databases. Queries can be made directly to any layer, but insertions must be made only through this layer. It also has the responsibility of maintaining the integrity and consistency of the stored information.

vii. Database
The database is responsible for maintaining persistent information from each agent. It contains the databases used by the WIDS, described below:

1. Collection Database stores the packets collected during the capture of traffic from the wireless network.

2. WhiteList Database stores the DNS names allowed to travel across the network. This information is supplied by the WIDS administrator.

3. BlackList Database stores the data containing suspicious IPs. These data are exported from existing blacklists.

4. Signature Database is the database responsible for storing all information concerning Botnet signatures.

5. Knowledge Database stores information about the hosts present in the wireless network in order to identify devices suspected of attacks or possibly turned into bots.

List 1 List of active C & C servers (Shadowserver format)

"IP Address", "Port", "Channel", "Country", "Region", "State", "Domain", "ASN", "AS Name", "AS Description"

"81.211.7.122 69.18.206.194",3267,"#B#t[r2]N#t","RU US","MOSCOW | COMMACK","MOSKVA | NEW YORK","GLDN.NET INVISION.COM","3216 12251","SOVAM INVISION","AS Golden Telecom, Moscow, Russia | Invision.com, Inc."

"81.211.7.122 69.18.206.194",3267,"#B.tN.t[r3]","RU US","MOSCOW | COMMACK","MOSKVA | NEW YORK","GLDN.NET INVISION.COM","3216 12251","SOVAM INVISION","AS Golden Telecom, Moscow, Russia | Invision.com, Inc."

"213.234.193.74 85.21.82.55",6667,"#secured","RU RU","MOSCOW | MOSCOW","MOSKVA | MOSKVA","NET.RU -","39442 8402","UNICO CORBINA","AS JSC UNICO | AS Corbina Telecom"


6. Reactions Database contains the information concerning the actions that can be taken according to the detected intrusions. It is adapted according to the policy of each organization.
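The Filtering Agent and the Signature Analysis Agent described above form a fixed routing order: whitelisted DNS is dropped silently, a blacklisted address goes straight to the Response Agent, an IRC signature match is reported, and everything else is left for the Anomaly Analysis Agent. The Python below is an added example of that routing, not the paper's Java implementation. The blacklist loader reads the Shadowserver CSV layout shown in List 1 (two of its rows are embedded; note that the "IP Address" field can carry several space-separated addresses) and applies the 60-day rotation. The IRC signature (a command keyword at the start of a line on ports 6667–6669 or 7000), the Packet record and the sample packets are assumptions made for the example.

```python
"""Filtering Agent + Signature Analysis Agent routing (added example)."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set

# Ports the text associates with IRC-based C & C.
IRC_PORTS = {6667, 6668, 6669, 7000}
# Assumed signature: an IRC command at the start of a line in the payload.
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|TOPIC|PING|PONG)\b", re.I | re.M)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    qname: str = ""          # set when the packet is a DNS query


class BlackList:
    """Suspicious C & C addresses with the 60-day rotation described above."""

    def __init__(self, retention_days: int = 60):
        self.retention = timedelta(days=retention_days)
        self.entries: Dict[str, date] = {}     # ip -> date of the feed it came from

    def load(self, csv_text: str, feed_date: date) -> int:
        added = 0
        # skipinitialspace copes with the space after each comma in the header row
        for row in csv.DictReader(io.StringIO(csv_text), skipinitialspace=True):
            for ip in row["IP Address"].split():   # one field may carry several IPs
                self.entries[ip] = feed_date
                added += 1
        return added

    def expire(self, today: date) -> int:
        stale = [ip for ip, d in self.entries.items() if today - d > self.retention]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def __contains__(self, ip: str) -> bool:
        return ip in self.entries


def classify(packets: Iterable[Packet], whitelist: Set[str],
             blacklist: BlackList) -> Dict[str, List[Packet]]:
    """Route each packet the way the Filtering and Signature agents would."""
    out: Dict[str, List[Packet]] = {"whitelisted": [], "blacklisted": [],
                                    "signature": [], "to_anomaly": []}
    for p in packets:
        if p.qname and p.qname.lower().rstrip(".") in whitelist:
            out["whitelisted"].append(p)      # benign DNS: dropped, no alert
        elif p.dst in blacklist or p.src in blacklist:
            out["blacklisted"].append(p)      # known C & C: straight to the Response Agent
        elif p.dport in IRC_PORTS and IRC_COMMAND.search(p.payload):
            out["signature"].append(p)        # IRC C & C traffic matched by signature
        else:
            out["to_anomaly"].append(p)       # nothing matched: Anomaly Agent's turn
    return out


# Two rows of List 1 as printed on the page (header spacing included).
LIST1_CSV = '''"IP Address", "Port", "Channel", "Country", "Region", "State", "Domain", "ASN", "AS Name", "AS Description"
"81.211.7.122 69.18.206.194",3267,"#B#t[r2]N#t","RU US","MOSCOW | COMMACK","MOSKVA | NEW YORK","GLDN.NET INVISION.COM","3216 12251","SOVAM INVISION","AS Golden Telecom, Moscow, Russia | Invision.com, Inc."
"213.234.193.74 85.21.82.55",6667,"#secured","RU RU","MOSCOW | MOSCOW","MOSKVA | MOSKVA","NET.RU -","39442 8402","UNICO CORBINA","AS JSC UNICO | AS Corbina Telecom"
'''

# Constructed packets; addresses and payloads are invented for the example.
SAMPLE_PACKETS = [
    Packet("10.0.2.15", "10.0.2.1", 53, qname="www.example.org."),          # whitelisted DNS
    Packet("10.0.2.15", "81.211.7.122", 3267, b"NICK bot1\r\n"),             # dst is blacklisted
    Packet("10.0.2.15", "158.38.8.251", 6669, b"JOIN #secured\r\n"),         # IRC signature hit
    Packet("10.0.2.15", "158.38.8.251", 6669, b"\x16\x03\x01\x00\x2c"),      # IRC port, TLS bytes
    Packet("192.168.88.130", "10.0.2.1", 53, qname="cc.example.invalid"),   # unknown DNS name
]


def demo(today: date = date(2010, 10, 20)) -> Dict[str, int]:
    bl = BlackList()
    bl.load(LIST1_CSV, feed_date=today)
    verdicts = classify(SAMPLE_PACKETS, whitelist={"www.example.org"}, blacklist=bl)
    return {k: len(v) for k, v in verdicts.items()}


if __name__ == "__main__":
    print(demo())   # {'whitelisted': 1, 'blacklisted': 1, 'signature': 1, 'to_anomaly': 2}
```

The fourth sample packet is the case worth noticing: it uses an IRC port but carries a TLS record, so a rule keyed on port alone would raise a false positive, which is why the signature also requires an IRC command in the payload; the packet falls through to the anomaly stage instead.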

6 The Implementation

Following the proposed model, we built a WIDS prototype and carried out tests to validate the tool in the scenario shown in Fig. 4.

The scenario was set up in the Laboratório de Sistemas em Arquiteturas Computacionais at the Universidade Federal do Maranhão. For the tests it was necessary to build an environment in which Botnets could operate. We used RxBot version 7.6 [16] and an IRC channel on the Internet as the C & C server. On the wireless network we infected some machines to act as the bots. Commands were sent to the bots in order to execute the activities requested by the Botmaster.

The model components were implemented in Java, using Java Server Pages to develop the Web interfaces [17, 18]; the WinPcap library was used for the capture and analysis of network packets on Windows [19], and MySQL 5 was used for the database [20].

During the infection, maintenance and update processes of the Botnet, the WIDS captured the wireless network traffic in promiscuous mode, without interfering with network traffic. The WIDS server was located close to the Access Point because that is where the information exchanged with the external environment is concentrated. The captured packets were filtered by the filtering agent and forwarded to the signature analysis agent; the detected intruders were sent to the reaction agent, which took the countermeasure appropriate for the type of attack. The anomaly analysis agent is still in development and was not tested at this stage.

Fig. 4 WIDS tests scenario


7 Results

During the observation period, the prototype application allowed important information about Botnet behavior to be obtained. Various bot commands were used; among them we highlight "pingflood", a flooding attack, a simple denial of service that overloads the victim's system [19]. The attack was observed in the collected data shown in List 2.

With regard to the compromised machines, it was verified that even when a single C & C server is used, the Botnet assigns different communication IPs, as shown in the traffic collected by the WIDS in List 3.

List 2 Data identified in the pingflood denial-of-service attack

1285340472:662462 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1818) type(8) code(0)
SRC: /10.0.2.15
DST: /192.168.88.130
tam: 596

1285340473:163094 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1819) type(8) code(0)
SRC: /10.0.2.15
DST: /192.168.88.130
tam: 596

1285340473:664911 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1820) type(8) code(0)
SRC: /10.0.2.15
DST: /192.168.88.130
tam: 596

1285340474:164664 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1821) type(8) code(0)

List 3 Collected data

Traffic Bot 1

SRC: 10.0.2.15:1075 DST: 158.38.8.251:6669 Size = 48 bytes
SRC: 158.38.8.251:6669 DST: 10.0.2.15:1075 Size = 44 bytes
SRC: 10.0.2.15:1075 DST: 158.38.8.251:6669 Size = 40 bytes
SRC: 10.0.2.15:1075 DST: 158.38.8.251:6669 Size = 88 bytes
SRC: 158.38.8.251:6669 DST: 10.0.2.15:1075 Size = 40 bytes

Traffic Bot 2

SRC: 192.168.88.130:1033 DST: 194.109.129.222:6669 Size = 48 bytes
SRC: 194.109.129.222:6669 DST: 192.168.88.130:1033 Size = 44 bytes
SRC: 192.168.88.130:1033 DST: 194.109.129.222:6669 Size = 40 bytes
SRC: 192.168.88.130:1033 DST: 194.109.129.222:6669 Size = 87 bytes


The attacks were identified with great efficiency and speed, thanks to the possibility of eliminating packets that need no evaluation, since the WhiteList removes common internal traffic according to the organization's security policy. The traffic above was identified by the signature analysis agent, which monitored port 6669, used by the IRC channel through which the Botmaster communicated with the bots.

The study confirmed the effectiveness of the tool in detecting Botnets, and showed that it is not necessary to collect a large amount of data inside the organization, since Botnet actions do not last very long inside the network, especially the attack activities, which makes real-time identification of the intruder necessary.
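The records in List 2 are ICMP echo requests (protocol 1, type 8) from one source to one destination at roughly half-second intervals, which is what the prototype logged for the pingflood command. The Python below is an added example, not the paper's code: it parses the WIDS capture format as printed in List 2 (the "tam" field is the packet size; the last record has no size line), groups echo requests per source/destination pair and computes a mean inter-arrival rate. The flood thresholds are assumptions for the example; a real deployment would derive them from a traffic baseline.

```python
"""Per-flow echo-request rate over the List 2 capture format (added example).

Record layout as printed: "<sec>:<usec> /<src>->/<dst> protocol(N) ... type(T) code(C)"
followed by SRC, DST and "tam" (size) fields. protocol(1) is ICMP, type(8) echo request.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HEADER = re.compile(
    r"(?P<sec>\d+):(?P<usec>\d+)\s+/(?P<src>[\d.]+)->/(?P<dst>[\d.]+)\s+"
    r"protocol\((?P<proto>\d+)\).*?type\((?P<type>\d+)\)\s*code\((?P<code>\d+)\)"
)
SIZE = re.compile(r"tam:\s*(\d+)")


def parse_records(text: str) -> List[dict]:
    """One dict per record: ts (float seconds), src, dst, proto, type, code, size."""
    matches = list(HEADER.finditer(text))
    recs = []
    for i, m in enumerate(matches):
        rec = {k: (v if k in ("src", "dst") else int(v)) for k, v in m.groupdict().items()}
        rec["ts"] = rec["sec"] + rec["usec"] / 1e6
        # the size field lives between this header and the next one (if any)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        s = SIZE.search(text, m.end(), end)
        rec["size"] = int(s.group(1)) if s else 0     # missing on a truncated record
        recs.append(rec)
    return recs


def echo_request_flows(recs: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group ICMP echo requests by (src, dst): count, span, mean pps, bytes."""
    flows: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for r in recs:
        if r["proto"] == 1 and r["type"] == 8:
            flows[(r["src"], r["dst"])].append(r)
    stats = {}
    for key, pk in flows.items():
        ts = sorted(r["ts"] for r in pk)
        span = ts[-1] - ts[0]
        if len(ts) < 2:
            pps = 0.0                      # a lone ping has no rate
        elif span == 0:
            pps = float("inf")             # several packets in the same microsecond
        else:
            pps = (len(ts) - 1) / span     # mean inter-arrival rate
        stats[key] = {"packets": len(ts), "seconds": span, "pps": pps,
                      "bytes": sum(r["size"] for r in pk)}
    return stats


def flag_floods(stats: Dict[Tuple[str, str], dict], min_packets: int = 4,
                min_pps: float = 1.0) -> List[Tuple[str, str]]:
    """Assumed policy: at least min_packets echo requests at min_pps or more."""
    return [k for k, s in stats.items()
            if s["packets"] >= min_packets and s["pps"] >= min_pps]


# The four records of List 2 as printed on the page (last one has no size line).
LIST2 = """\
1285340472:662462 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1818)type(8) code(0) SRC: /10.0.2.15DST: /192.168.88.130tam: 596
1285340473:163094 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1819)type(8) code(0)SRC: /10.0.2.15DST: /192.168.88.130tam: 596
1285340473:664911 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1820)type(8) code(0) SRC: /10.0.2.15DST: /192.168.88.130tam: 596
1285340474:164664 /10.0.2.15->/192.168.88.130 protocol(1) priority(0) hop(128) offset(0) ident(1821)type(8) code(0)
"""


def analyse(text: str = LIST2):
    stats = echo_request_flows(parse_records(text))
    return stats, flag_floods(stats)


if __name__ == "__main__":
    stats, flagged = analyse()
    for key, s in stats.items():
        print(key, s)          # 4 packets over ~1.50 s, about 2.0 requests/s, 1788 bytes
    print("flagged:", flagged)
```

Four packets at two per second is a very modest "flood", which is the point of computing the rate rather than just matching the command: the signature agent recognizes the pingflood command in the IRC channel, while the rate check is what the anomaly stage would use to notice the same behavior from a bot whose C & C traffic it never saw.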

8 Conclusion

With the architecture proposed in this work it is possible to detect Botnets in real time, based on packet filtering, since the amount of information passed to the analysis process is reduced.

The use of hybrid detection, signature and anomaly based, potentially improves the tool with a low level of false positives. The latest DNS-based detection techniques can detect bots in the real world regardless of the Botnet's structure. This is very important mainly because of the increase in new Botnets based on P2P protocols.

Thus, the combined use of signature-based, anomaly-based and DNS-based techniques to detect bots in wireless networks is a promising approach to combating new Botnets in online ecosystems and on active computers.

Acknowledgments The work described in this paper is financed by the Fundo Setorial de Tecnologia da Informação (CT-Info), MCT, CNPq (CT-Info/MCT/CNPq).

References

1. Feily M, Shahrestani A, Ramadass S (2009) A survey of botnet and botnet detection. In: Third international conference on emerging security information, systems and technologies

2. Zhu Z, Lu G, Chen Y, Fu ZJ, Roberts P, Han K (2008) Botnet research survey. In: Annual IEEE international computer software and applications conference

3. Schiller CA, Binkley J, Harley D, Evron G, Bradley T, Willems C, Cross M (2007) Botnets: the killer web app. Syngress, Burlington

4. Szymczyk M (2009) Detecting botnets in computer networks using multi-agent technology. In: Fourth international conference on dependability of computer systems

5. Wang H, Gong Z (2009) Collaboration-based botnet detection architecture. In: Second international conference on intelligent computation technology and automation

6. Zeidanloo HR, Manaf ABA (2010) Botnet detection by monitoring similar communication patterns. Int J Comput Sci Inf Secur 7:36–45

7. Zeidanloo HR, Shooshtari MJZ, Amoli PV, Safari M, Zamani M (2010) A taxonomy of botnet detection techniques. In: International conference on computer science and information technology (ICCSIT)

8. Govil J, Govil J (2007) Criminology of botnets and their detection and defense methods. In: IEEE international conference on EIT

9. Choi H, Lee H, Lee H, Kim H (2007) Botnet detection by monitoring group activities in DNS traffic. In: Seventh international conference on computer and information technology

10. Sabahi F, Movaghar A (2008) Intrusion detection: a survey. In: Third international conference on systems and networks communications

11. Garuba M, Liu C, Fraites D (2008) Intrusion techniques: comparative study of network intrusion detection systems. In: Fifth international conference on information technology: new generations

12. Anjum F, Mouchtaris P (2007) Security for wireless ad hoc networks. Wiley, New York

13. García TP, Díaz VJ, Maciá FG, Vázquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secur 43(3):15–19

14. Northcutt S, Alder R, Babbin J, Beale J, Doxtater A, Foster JC, Kohlenberg T, Rash M (2004) Snort intrusion detection. Syngress, Burlington

15. Shadowserver. http://www.shadowserver.org/. Accessed 20 Oct 2010

16. NetCop Security. http://www.netcopsecurity.com/. Accessed 21 Oct 2010

17. Oracle. http://www.java.sun.com/. Accessed 21 Oct 2010

18. Downey T (2007) Web development with Java: using Hibernate, JSPs and Servlets. Syngress, Burlington

19. WinPcap. http://www.winpcap.org/. Accessed 22 Oct 2010

20. MySQL. http://www.dev.mysql.com/. Accessed 22 Oct 2010
