As She Grows – Creative Writing

â€Å"And it's another thing to have that one person not love you back, not the way you want them to. † (Cowan 106). As She Grows by Lesley Anne Cowan tells us the story of a teenaged girl, Snow, who grew up with no mother or father. The person that acted as her â€Å"parent† was her grandmother, a drunkard. Growing up with no love at home, she leaves for a group home. It is there she makes her life changing decision. To keep her child and to give her a home showered with love and happiness. Throughout this book, the author shows Snow's journey, separation when she leaves her grandmother, initiation when she gets pregnant and decides to keep the child, and return, when she decides to return to her former life in order to raise Betty. In As She Grows, Snow struggles to show her daughter the love that she had never experienced, so that her child might have the life she never had, filled with love and care, demonstrating the power of love to transform lives. The most significant reason for this was the lack of family love for Snow. Snow grows up with her grandmother, an alcoholic. Her mother drowned and her father is unknown. She grows up used to feeling needed by her grandmother, but she is tired of following her grandmother's crazy antics. She finally decides to leave her grandmother and moves into a group home. â€Å"I wait to feel something, anything other than this blankness inside. † (Cowan 277). Snow leaves her grandmother, hoping for a better future, away from her grandmother. When she first arrives at the group home, she finds some bad in each person, giving her a reason for her to hate them at first sight. Yet soon, she discovers that she was wrong and finds qualities in them for her to appreciate. Her â€Å"parents† are now composed of a group of people called â€Å"Staff†. The way Staff acts like a parental figure makes Snow feel a deficiency of love, even away from her grandmother. â€Å"At some point, I saw them differently and I actually wanted to belong. † (Cowan 207). Even though she did not like the group home or the people living there at first, she learns that they were good friends to her when she needed them to be there for her. Another reason for her change is that Snow slowly learns to put trust in her friends. When Snow finds out that she is pregnant, she tries to accept the truth by herself. Yet, she soon finds out that this is too much for her to carry by herself, so she tells this secret to one person. Each person living in a group home is assigned to a counselor. To Snow, going to a counselor is her price to stay in a group home. Her counselor, Eric, slowly persuades her to tell him about her reasons of leaving her grandmother. Soon, she breaks down and tells him why she left and even about her pregnancy. â€Å"Some words spill out of me and other are forced through my throat. † (Cowan 178). At thins point, Snow tells Eric that she is tired, that she does not want to plan her next step in life. She tells him, â€Å"I have no fight left in me. † (Cowan 179). After her friend Jasmyn's persuasion, she tells the group home and Staff that she is pregnant. Soon, Snow learns that sometimes outsiders that are not related to you in any way can become the closest people in the world, the ones you can rely on most. To Snow, going to this group home was her life-changing decision that altered her future for the better. The final reason for this change is to show the maternal love she never received in her childhood to her baby daughter, Betty. Snow struggles to understand the meaning of maternal love. In the very last line of the book, â€Å"If I rise in you, bury me. † (Cowan 289). She tells her daughter that if Snow's life is going to be seen in Betty, she must somehow break away from it. A couple weeks after Betty's birth, she tells her daughter, â€Å"People are afraid I won't know how to love you. (Cowan 225). Snow believes that she will find that courage and bravery in her that is needed to take care of her. Snow is a perfect portrayal of a victim of a society. Society thinks that all teenaged mothers will not know how to love their children. â€Å"Moments when I think, I can actually do this. † (Cowan 126). Snow sometimes has doubts about her ability to raise her daughter, but she also has times where she knows that she can raise her daughter, and not allow her to relive her own life's journey. Yet Snow is not so confident for the majority of the time. â€Å"Look away from her piercing eyes and whisper, ‘I'm sorry', into her soft skin. † (Cowan 277). Snow worries that her daughter's present and future. In the present, Snow is afraid she will not know how and when to love her. In the future, Snow is afraid about what life her daughter will choose to take. She wants the best life possible for Betty, and Snow thinks the life she had was the worst life imaginable, a kind of life she doesn't want Betty to have. In the last two lines of As She Grows, â€Å"If I rise, bury me. If I rise in you, bury me. † (Cowan 289). Snow's difficulties in raising Betty are shown. Her lack of parental love in her childhood has caused Snow to learn maternal love for her child, because she does not want Betty following in her old steps. Even near death, Snow still wants the best for her daughter. She loves her and says that if her bad characteristics or her life ever appear to surface in Betty's life, she is to bury all of this.

Classical Criminology Theory Essay

What is the classical school of criminology and what are the main points of this theory. Cesare Beccaria was a key thinker of this theory and is also considered by some the founder of modern criminology. Classical school of criminology theory placed emphasis on human rationality and free will. Second off this theory unlike the others researched the prevention of crime not the criminals. Also, according to this theory, crime was the result of people choosing to do so with the possibility of the consequences be evident. The classical theory of Beccaria and others is what our constitution was based upon so as you can see, it has great significance to our society. Humans are believed to act in their own best interests. We have our own free will and we also have a rational side to us. This was the basis of the classical criminology theory. Being the case, this theory emphasized laws that would stress non criminal actions would be in the best interest of society. Punishment and deterrence was an important factor in this theory because the punishment had to reinforce deterrence so people could rationalize the self benefits of criminality from the consequences of criminality. Due to the fact that Beccaria believed that bad laws led to criminality, a lot of his emphasis was based on preventing crime and swift punishment when crime was committed. In his eyes punishment is justified only to defend the peace of society and that society would be motivated to abide by it. This meant that punishment was to treat the criminal, incapacitate them from repeating criminal acts and deter would be criminals. To incorporate these ideas Beccaria believed that punishment should be swift, certain, deterrence, proportional to the crime, clear and based on positive and negative reinforcement. Swift punishment is believed to deter the most. According to Beccaria, when punishment promptly follows the crime, the punishment will be reinforced in a persons mind before they act criminally. A certain punishment is also a form of deterrence because the less would be criminals think they can get a way with, the more they will weigh in the consequences of that action. General deterrence is used for the purpose of setting and example for society. Laws should also be clear I defining  crimes. This will prevent judges from interpreting the law and only allow them to decide if the law has been broken. Lastly, the most effective way in preventing crime is to enact clear laws that reward good behavior and punish bad behavior. The theory of proportionality is another relationship between crime and punishment. The belief is that punishment can only deter if the punishment is proportional to the crime. The punishment must coincide with the crime in that the more serious the crime the more serious the punishment. Lastly, punishment existed to deter people from committing crime and the punishment should out way the gains of committing the act. Beccaria was a believer in that crime was due to unjust laws not because of the people committing the acts. fit the crime. He argued that if the punishment was more excessive than the crime it would be an abuse of power by the state and it would also create more crime. Beccaria was considered the founder of the classical school of criminology. He emphasized human rationality and free will, preventing crime and deterrence of crime. The classical criminology theory was different from the other theories that were introduced to us because it focused on the reasons why people commit crimes not on the deviant behaviors themselves. Beccaria and his followers had a great impact on our country it is what our constitution and current laws are based upon. Internet Encyclopedia of Philosophy. â€Å"Cesare Beccaria†. http://www.utm.edu/research/iep/b/beccaria.htm Keel, Robert. â€Å"Rational Choice and Deterrence Theory†. http://www.umsl.edu/~rkeel/200/ratchoc.html Siegel, Larry. â€Å"Criminology†. Canada: Thomas Learning, Inc, 2003.

Provoking Uncommon breakthrough

Introduction Everyone at some point in their lives have that one thing that bothers them so deeply that they would only wish they happen by magic. There are uncommon problems that have limited many from advancing to a higher level where God wants us to be. It is God's will and desire that His children are blessed beyond measure, Irrespective of our color, background and beliefs. If not so, why does God allow the sun to shine on the good and on the evil?God truly desires that we should be blessed In all works of fife, in marriage: He desires that we are fruitful, in business and career He desires that we expand and break out from the North to the South, East and west, in Ministry; He desires that we reach out to millions of souls and depopulate hell, etc. Why then is it almost impossible and difficult for many to attain the height that God wants them In? Breakthrough Is quite easy to understand, It is an act of breaking through and obstacle.For a great door and effectual Is opened unt o me, and there are many adversaries – 1 Corinthians 1619 Abraham was in a predicament that many would eve considered shameful, he was mocked, he was questioned, he was cheated, he was manipulated, and he was threatened. Though he had all things, but he had no child of His own. He needed an uncommon breakthrough for that uncommon problem. The predicament of Abraham and his wife Sarah was such that everything around them proved Impossible that even Sarah lost hope. She was no longer Like other women. I bet she no longer saw her period. He had lost the fire In ever young woman, she had lost the passion to meet with her husband, she was completely hopeless. Uncommon problems need uncommon breakthrough that can only be rough about by the hand of God. If you need the hand of God to move on your behalf today, there are certain steps to take. Tonight, Ill be pointing out three steps that have worked in the bible, In my life and will forever deliver to you If you believes things were written In the scriptures long ago to teach us. And the scriptures give us hope and encouragement as we wait patiently for God's promises to be fulfilled.Whatever must deliver, has already delivered for someone in the time past, only follow the same steps and you'll command the same result. 1. SACRIFICIAL GIVING Isaiah 51:1 â€Å"Listen to me, all who hope for deliverance?all who seek the LORDS Consider the rock from which you were cut, the quarry from which you were mined. Yes, think about Abraham, your ancestor, and Sarah, who gave birth to your nation. Abraham was only one man when I called him. But when I blessed him, he became a great nation. † (NIL) Look to Abraham, what was it that Abraham did that brought about the uncommon breakthrough?Remember, he was promised by God he would have a child, when the father, son and Holy Spirit, did not come for that purpose, they were on their way to esters Stood†¦.. Abraham saw them, he could have ignored them, even though he knew who they were but he chose to welcome them and offered hospitality†¦.. Abraham gave from his Abraham did not Just say, well God promised me that I'll have a child, so I do not have to labor for it. The earth belongs to the Lord, etc he does not need my offering†¦Ã¢â‚¬ ¦ Abraham, gave voluntarily. I want this blessing so I must give. I have to let something leave to create room for something tangible to come in.Proverbs 18:16 A man's gift make room for him, and bringing him before great men†¦Ã¢â‚¬ ¦. Share your green card story†¦. Never get tire of giving sacrificially, you may have been giving, don't worry how that can provoke God to action Why sacrificial giving does not produce†¦Ã¢â‚¬ ¦ Sow on a fertile ground, give to vessels that God knows and relates with. If giving, sacrificial giving that is, brings about uncommon breakthrough, why have my savings not yielded any fruit? When a farmer sows a seed on an infertile soil, not only will the seed die, b ut the farmer will have nothing to harvest.If the farmer sows a bad seed, it will be impossible to reap a good seed. If the ground is not well prepared, the outcome may come out deformed. So also is giving, Don't Just sow a seed because you want something to leave your hand†¦.. A little boy of about 2-3 years old, gave a seed that turned his health around. (Tell Chiders story). 2 Kings 3:17-18; 26-27 Sacrificial giving can turn the hand of God around instantly. God looks at the heart of the giver. He saw that Abraham gave from all he had, He could not have left without blessing His household. ————Fertile ground for example, ————-The poor in the land (Duet. 15:11) †¦.. Servants of God Kings 4 – Allies, because of hospitality, the equanimities son was brought back to life. What is that hopeless case in your life, I charge you tonight to go out there and do someone a huge blessing. I charge you to locate someone i n dire need and bless them sacrificially. I charge you to surprise someone with a gift. Don't bring me a gift because you desire to have me in your bed, or you desire a favor from the leader or you desire a rich message from prophet Moses or Keen.

Toasting the Rebellion Essay Example | Topics and Well Written Essays - 500 words - 1

Toasting the Rebellion - Essay Example In the eighteenth century, men were seen drinking socially, regularly and considered drinking as a part of healthy diet. For the women belonging to the elite class, drinking was limited to just the wine and the toast that was raised. Public consumption was seen as a taboo for the women. Taverns and coffeehouses were considered as the best places for the male guests to indulge in heavy drinking and exchange their ideas over drinks and music in the background. The colonial Americans introduced a concept of drinking songs which they brought along with them from the musical heritage of Europe, Africa and India. This traditional folk music became so popular because it was very easy to compose and sing; anybody who had a knack for rhyming and satire can very well compose the lyrics and come up with hummable tune. A perfect example of acquired musical tradition is the song â€Å"Yankee Doodle† which actually has its origin in the British Army but it is supposed to be the American qui ntessential patriotic song for generations now. America has been a witness to a series of event that brought about the revolution; The violent display of confrontation between the crowd and the British officials, the Riots that emerged due to the Stamp Act, the Boston Massacre, The Boston tea party are to name a few.

Building Services & Sustainable Engineering--Plant & Maintenance Essay

Building Services & Sustainable Engineering--Plant & Maintenance - Essay Example As for expected learning outcomes, we will be able to size heating and cooling plant; also, it will be possible to predict summertime temperature and design systems to reduce overheating risks; furthermore, it is needed to estimate the preheating period required and annual energy use and carbon emmission; finally, we would prepare effective preventive maintenance schedule, considering innovative systems. Building Renovation Case Study Initially, we need to represent client's requirements, task, and marking criteria. Accordingly, as for the client's reauirments, the amount of outdoor air is required to the first and second floors of the given building which needs renovation. (Temperature, relative humidity, wind speed, and wind direction are given properly in the Climate Record Data table.) Additionally, concerning the task, it is strongly recommended to review building regulation, suggesting some constructions which will meet building regulations for the room; then, it is needed to e stimate the operative temperature which is likely to occur in each of the rooms, calculating the cooling and heating loads for the building to keep the room operative temperature at a comfortable level; moreover, we have to select a heating and cooling plant capacity based on the design loads, showing the processes on psychometric charts for the summer season and proposing a maintenance procedure with estimation of a life cycle cost for the building owner to keep the system running. Therefore, to solve Problems 1 and 2 as they were represented by Figures 1 and 2, we might firstly state the most relevant points of the assignment: we have a task to reconstruct one of the two-storey buildings, which has a flat roof; running four production lines and having the width and length of respectively 150 and 100 metres, this first floor is shown in Figure 1; from the other perspective, as for the second floor, it has 60% of walls facing toward the South and East, being triple glazed with 6.4 m m air space, along with each window dimension as being estimated like 1.5x1x0.15 (respectively, its width, height, and thick); hovewer, the annual electricity supply fee to run the building is $20 per kilowatt, and the energy price is expected to increase 10% per year. So, due to the very hot temperature in the apartments during the summertime, it was suggested by the management that the building needs renovation concerning walls, windows, and ceiling: certainly, it must have been done according to Building Regulations' requirements. To conclude with, we are asked to estimate the capacities of the heating and cooling (see Appendix 1), keeping in view the sustainability and CO2 emmision issues. Review Building Regulation and Suggest the Constructions Which Will Meet Building Regulations for the Room We will start this sub-chapter with room conditions, then, will be analyzing current building regulations, being finally able to answer why the management wishes to renovate the building by reconstructing the walls, windows, and ceilings accordingly to the current building regulations, keeping in view the sustainability and CO2 emission issues. As we know, task is to reconstruct on

Assignment One Statistics Essay Example | Topics and Well Written Essays - 1000 words

Assignment One Statistics - Essay Example The researcher makes a general conclusion that all birds prefer to swim in the water. The researcher makes an error because the researcher was instructed to observe birds. Consequently, the researcher should have complied with the research conditions. The researcher should have observed all types of birds. For example, there are different types of birds. The seagulls fly over the waters to feed on fishes trying to take in air from the water’s surface. The monkey-eating eagles are eagles that eat monkeys for food. The swallow are small birds. The chickens prefer to stay on the ground, instead of swimming on the water. The Swan is a beautiful white bird that swims effortlessly inside a body of water. The ostrich is a bird that is as big a human being. Second, the researcher makes a general conclusion based on a certain group or community (Brady 138). For example, the researcher observes a group of Eskimo residents in their Igloo homes. The researcher, an Alaska resident, makes a n erroneous conclusion that human beings can freely live in an icy condition. The researcher makes general the conclusion that people are comfortable living and working in the subzero weather conditions. To correct the erroneous inquiry outcome, the researcher should have invited people to stay in Alaska, a subzero icy location. The African resident who arrives in Alaska’s subzero weather conditions will surely feel uncomfortable in the icy weather. The African resident is used to the hot 110 degree desert weather. The African resident will feel uncomfortable using the thick Eskimo dress. The same resident African resident will feel uncomfortable moving around the icy land surface using a sledge. Further, the rainforest resident would also feel uncomfortable living in the Igloos. The same rainforest would not engage in one’s favorite beach activities because the icy waters are too cold for human swimming. The rainforest citizen may not accept the sudden change of envir onment from the comfortable familiarity of the rains of the Amazon rainforest to the subzero weather condition. Third, the researcher makes illogical research reasoning (Schell 93). The researcher can make erroneous observation by implicating a wrong statistical procedure. For example, the total of the male count is erroneous written as 10 instead of the correct 1,000. If the true female count is 200, the wrong male count shows erroneous findings that the female respondents are more than the male respondents. Likewise, erroneous mixing up the data will generate a wrong research outcome. Consequently, the other research findings will erroneously crop up. The other research findings may include the erroneous finding that the males are erroneously better than females, in terms of making daily choices. Question 2. Inductive and deduction research. Deductive research starts from the general and finishes with the specific (Bachman 48). The researcher observes several animals. The research er observes that eagle has wings. The researcher also sees that the ostrich has wings. The researcher kingfisher bird has wings. Lastly, the researcher sees several ducks and swans effortlessly swimming in the nearby lake. Based on the researcher’s observation of the different types of birds, the researcher makes a concept or theory that all birds have wings. On the other hand, inductive research starts with the specific and finishes with

How might ttemperature differ between urban & rural areas Essay

How might ttemperature differ between urban & rural areas - Essay Example faces such as pavement store heat from the Sun during the day, which is then released at night, keeping cities hotter for longer periods of time† (Gillette & Hamilton, 2011, p. 74). Which setting tends to be warmer on a given day and why? On a given day, therefore, it could be warmer in rural areas because heat is immediately reflected back in the form of energy; as compared to urban areas which absorb heat during daytime, but releases the heat at night. Also, are there any factors other than albedo that might affect the temperature differences between the two settings? Aside from albedo, other factors that affect the temperature differences between urban and rural settings are: â€Å"weather conditions, urban thermophysical and geometrical characteristics, and anthropogenic moisture and heat sources present in the area† (Taha, 1997, p. 99). The findings from the author revealed that the capacities of urban areas to address albedo through effectively harnessing albedo of roofing in homes and buildings, as well as in paving materials, in conjunction with efforts to plant trees enable urban areas to reverse the immense heat and could therefore have greater potentials to affect and reverse temperatures in their

Sociology and Class Essay Example | Topics and Well Written Essays - 750 words

Sociology and Class - Essay Example However the Marxist theory of racism bases racism on another interesting premise. The class conflict where as the Proletariat (the working classes mainly composed of the Black and ethnic minorities) will be suppressed by the Bourgeoisie (the ruling classes primarily composed of the White majority who will be economically stronger and thus in a position to marginalize the "proletariat" i.e. the Black minorities) Today the modern African American can be identified with the likes of Opera Winfrey and Barrack Obama, as well as highly educated Hollywood stars like Will Smith etc.This denotes a respectable status for them but academics like in the Article at hand are quick to point to the reality of the ghettos and poor uneducated members of the ethnicity who live on low pay differentials. From the Marxist sociological perspective these economic and wage differentials are responsible for the continuous racial tensions in states like Los Angeles which have a large number of minorities settled there.Most of this crime and disorder is based upon race and ethnicity. The current racial tension is not just the usual white-black conflict but now statistics show that the local African American Population feels economically threatened by the immigrants that come from Latin America. As the article notes the root of most of the violence and unemployment in the Ghettos is poverty and increased immigration. Things are further complicated by racist judicial and law enforcement mechanisms which promote the gang culture and lure poverty stricken and suppressed young people into crime and disorder. The economic and sociological conflicts with in the "proletariat" (working classes) lead to ethnic squabbles between and with in the suppressed minorities in the over crowded metropolitan cities and it is worth noting from a political perspective that the black Latino rivalry for economic opportunities means that in 2008 presidential race there is not Latino support for Mr. Obama. Unemployment has caused a deterioration in race relations based on unequal wealth distribution and the fight for survival within the marginalized groups.As long as these minorities remain economically and socially suppressed there is little chance of reducing these tensions. There is a need for sustainable community measures to counter the problems in this area of racial economic conflict aimed at better race relations. All this however keeps us wondering whether these sociological conditions exist for their own sake or is the conflict theory " a Marxist ideological ploy" which divides the lower classes so that the White and Black and working classes from other races fight each other instead of the bourgeoisie.However one never fails to reflect on the political system and the society which seems to adhere to the well known rhetoric of George Orwell in his well known parody of the Communist Manifesto and the Marxist ideals of race and class i.e. the "Animal Farm" where he stated that , "All animals are equal but some animals are more equal than others". Source: Materials provided in

The Mysterious Death of Mary Rogers Sex and Culture in Essay

The Mysterious Death of Mary Rogers Sex and Culture in Nineteenth-Century New York - Essay Example The story is about a twenty one year old, beautiful woman called Mary Cecilia Rogers who used to live with her mother at the New York boarding house. Her father had been in a steamboat explosion which he had not survived when she was only seventeen years old. So she started working behind the counter as a clerk at a small cigar store called Anderson’s Liberty Street in Manhattan whose owner was John Anderson. He paid her an above than normal wages because her beauty brought in more customers than usual so sales were high. This was proven when fewer customers turned up on the day that she did not come for work. Mary had used her savings to buy her mother an Inn and it was there where the two resided. One of the customers living here was a young man called Alfred Crommelin who was a lawyer. He soon fell in love with Mary who rejected her, but he was gentleman enough to retreat without complaints. He moved out but the two remained friends despite his continuous love for the girl. The person who Mary did fall in love with despite his weakness of alcoholism was Daniel Payne who worked as a cork cutter. The two got engaged though the relationship was disapproved of by her mother Phoebe but life carried on. The first time Mary’s disappearance was reported was in the month of October in 1838 in the Sun. Phoebe had come across what seemed like a suicide note where Mary stated her wish to finish herself off. However, the young girl returned the next day saying that she had been only visiting a friend who lived in Brooklyn. It was said that the Sun had published a hoax to get some attention. Later, there were rumors that Anderson had created the story to gain more customers. She lived a normal life until the incident that took place during the summer of 1841 in New York City when she was announced missing from her mother’s home for the second time. After three days of search, her mutilated corpse was found. Her badly bruised body had been discovered f loating on the Hudson River near the Jersey shore, Crommelin having identified her. The hand prints around her neck proved that she had been murdered and not committed suicide. Investigations were carried out, several theories were provided by the police force as well as the journalists, and yet no one managed to discover for sure who exactly was responsible for such an act. Her fiance Payne was implicated but had an alibi to prove his innocence. Nonetheless, some weeks after Mary’s death, he took his life by drinking poison out of his love for his fiancee. The police thought that some members of a gang had tortured her, killed her and then dumped the woman in the River to rot. Later on, a woman called Mrs. Loss who was notorious in that area for her job of helping single pregnant women getting abortions made some revelations. She stated that Mary had conceived a child and had come to her with a dark, handsome man to get rid of the baby. This led to rumors that the abortion h ad led to complications leading to her death. However, questions were raised regarding the very obvious bruises on her bodies which showed that she had been killed in a very brutal and violent manner. During this time, New York was considered as the urban city where everyone was moving up to raise their social and living standards. The Rogers family had done the same. However, the security of the regions was not good, the police force just present for name, not doing any work. There were sets of officers whose duty was to patrol the city during the

Needs & Motivation Essay Example | Topics and Well Written Essays - 750 words

Needs & Motivation - Essay Example He moved to Wisconsin university later where he studied psychology and earned his MS, BS, and Ph.D. in 1934. He discovered his theory in which he called the hierarchy of needs in 1943. In Maslows theory, people are motivated to fulfill their own needs. Everybody starts at the foot of the pyramid and works hard to attain the goals of the next layer working to the top section. For one to move to the next level of the pyramid, he/she has to meet the needs of the first level. If these needs are not assembled, the person can fall back to the first level. The first level of the needs is psychological needs. These are basic needs that are to be met n order to continue surviving, including water, food, clothing, shelter and sleep. The next level of the needs is security. This means that the environment surround people are neither threatening to them nor their families. If the surrounding is safe, it means that there is a sense of foreseeability or stability in the environment. Security may also be financial security that means that there is no financial unreliability in the future. This security is achieved by creating a retirement package, securing positions in the work, and insurance. Third is the affiliation level which is the need required for one to feel a sense of belonging or loved. People need the urge to be accepted by the other people, especially those around them. This may be at work place, home or other places. The next level is esteem. This is the visibility that one has of themselves. People must have a high image of them self and encompass self respect in order to understand this level. This level contains two components that are feelings of self value and the need for courtesy by other people. The last level of requirements in the hierarchy is self-actualization. This stage explains as some being all they can be and they have got each of the foregone needs in the stages. A talent of a person in this level is utilized

Transport of gas Coursework Example | Topics and Well Written Essays - 500 words

Transport of gas - Coursework Example 89). This further buttresses the high affinity for oxygen of the fetal hemoglobin. Additionally, fetal hemoglobin lacks the interaction with 2,3-BPG. Due to a change on a single amino acid on the binding pocket of 2,3-BPG, it binds less to fetal hemoglobin (Hall, 2010, p.58). This phenomenon explains the high affinity of fetal hemoglobin for oxygen as compared to maternal adult hemoglobin. c) After birth, the fetal hemoglobin is replaced with adult hemoglobin. Therefore, the oxygen-dissociation curve shifts to the right. It confers advantage to the infant after birth because the adult hemoglobin readily gives out oxygen to the tissues as compared to fetal hemoglobin, despite the fact that fetal hemoglobin has a higher affinity for oxygen. It would prevent tissue ischemia (Maryland Department of Health and Mental Hygiene, 2013) b) An increase in the partial pressures of carbon dioxide will shift the curve to the right. Carbon dioxide reduces intracellular pH as a result of the formation of bicarbonate ion. Formation of bicarbonate releases a proton into plasma, therefore reducing pH which has an effect of shifting the curve to the right (Ganong, 2005, p. 90). Similarly, pH affects the oxygen-dissociation curve. A decrease in pH shifts the curve to the right. At molecular level, a high H+ concentration, some amino acids such as Histidine 164 exist in their protonated form predominantly. They; therefore, form ion pairs which maintains deoxyhaemoglobin in the T state. The T state of hemoglobin has a lower affinity for oxygen; therefore, with increased acidity levels, hemoglobin binds less oxygen. This phenomenon is known as the Bohr Effect(Hall, 2010, p.57).. Maryland Department of Health and Mental Hygiene. Fetal Hemoglobin (Hemoglobin F) Fact Sheet. Available from from Maryland Department of Health and Mental Hygiene: http://phpa.dhmh.maryland.gov/genetics/SitePages/hemo_f.aspx [Accessed:

Social Interaction in People with Autism Essay Example for Free

Social Interaction in People with Autism Essay People with Autism tend to face difficulties in social interaction. This study examined the possibility that the cause of these social difficulties is heightened anxiety in response to social situations. First year psychology students were asked to complete three surveys online, in order to test their anxiety levels, as well as the extent to which they demonstrate autistic-like traits. The results indicated a link between anxiety and autistic-like traits in the general population. Due to the fact that this study was based on the general population, further research using participants who have autism would be beneficial to ensure the validity of this link. If this link was reinforced in future studies, it could potentially have significant implications for the treatment of Autism. By developing ways to reduce anxiety, clinicians may be able to make patients more comfortable in social situations and improve their quality of life. Social Interaction in People With Autism: The Link Between Anxiety and Social Communication Deficits Individuals with Autism exhibit â€Å"abnormalities in social and communication development, in the presence of marked repetitive behavior and limited imagination† (American Psychiatric Association [APA], 1994). One of the most prominent issues for people with Autism is their tendency to experience difficulties in social interaction. They tend to lack conversational skills, find it difficult participate in social events and are often seen to behave in a generally strange manor (Kanne, Christ, Reiersen, 2009). The reason for this lack of social interaction is unclear. It is possible that people with Autism are simply not interested in social interaction, however it is more plausible that this lack of social interaction is due to heightened anxiety in social situations. Research has identified that those with significant Autistic-like traits are more prone to loneliness. Loneliness implies that these individuals are not content in being by themselves and are experiencing negative feelings as a result (Bauminger, Shulman, Agam, 2003). Furthermore, research has illustrated that many individuals with Autism have expressed a desire to develop friendships and sexual relationships (Jobe White, 2007). These results indicate a desire to engage in social activities; therefore it seems likely that this avoidance of social interactions is due to elevated anxiety rather than disinterest. One recent study compared the anxiety levels in children with autism, with the anxiety levels of two control groups. The results indicated that the children with autism had â€Å"considerably higher† anxiety than the control groups (Gillott, Furniss Walter, 2001). An alternative study examined the link between autism and anxiety in adolescents. Similarly, the results indicated significantly higher anxiety in people with autism. Both studies listed a limited sample size as a limitation, and suggested future research with a larger sample size (Bellini, 2004). This study will build upon the foundation provided by these and other studies and further examine the link between anxiety and autism with a larger sample size. Autism is often considered to be a â€Å"spectrum disorder. † This means that those with Autism are high in particular traits, which can be found to a lesser degree in all members of the general population (Jobe White, 2007). Therefore, the general population can be used to examine the link between autistic-like traits and elevated anxiety. This report will use three questionnaires, namely the Social Interaction Anxiety Scale (SIAS, Mattick Clarke, 1998), the Autism Quotient (AQ, (Baron-Cohen, Wheelwright, Skinner, Martin, Clubley, 2001) and the Brief Fear of Negative Evaluation (BFNE, Carleton, McCreary, Norton, Asmundson, 2006) to analyse the link between Autistic-like characteristics and anxious tendencies in the general population, which can then be related to people with Autism. The aim of this report is to clarify the cause of social deficits in people with Autism. It will examine the notion that these social difficulties are linked to heightened anxiety levels in response to social situations. It is expected that the data will reflect this link, and higher AQ scores will be positively related to higher scores in the BFNE and SIAS. Method Participants The research was based on a sample of first year psychology students studying at the University of Western Australia. There were 356 participants- both male and female- ranging from 17 to 56 years old. Participants were asked to take part in the study as a part of the course requirements for PSYC1102. There were no additional selection criteria; all students were invited to participate in the study regardless of age, sex or ethnicity. Materials The data was collected using three surveys: the Social Interaction Anxiety Scale (SIAS), the Autism- Spectrum Quotient (AQ) and the Brief Fear of Negative Evaluation (BFNE). The SIAS provides a list of social tendencies and skills and asks participants to identify whether the statement is characteristic of them. Participants are given 20 statements such as â€Å"I have difficulty making eye contact with others† and are asked to select the option that most accurately reflects them from a five-point Likert scale between â€Å"not at all† and â€Å"extremely. † Participants receive a score between 0 and 80 based on their answers. The BFNE seeks to assess participants’ fear of negative evaluation; it does this by providing 12 statements such as â€Å" I am afraid of other people knowing my shortcomings† and asking participants to select an answer on a five-point Likert scale from â€Å"not at all characteristic of me† to â€Å"extremely characteristic of me. † Participants receive a score between 0 and 60 based on their answers (Carleton, McCreary, Norton, Asmundson, 2006). Finally, the AQ is a 50-question questionnaire, which assesses where the participant lies on the Autism Spectrum. It assesses the participant on five areas: social skills, attention switching, attention to detail, communication and imagination (Baron-Cohen et al. 2001). It offers statements such as â€Å"I prefer to do things on my own rather than with others† and invites participants to select an answer on the five-point Likert scale from â€Å"definitely agree† to â€Å"definitely disagree. † Participants receive a score between 0 and 50 based on their answers. (Baron-Cohen et al. 2001) The current study aimed to clarify the cause of social deficit in people with Autism. It was hypothesised that these social difficulties are linked to elevated anxiety levels in response to social situations. It was expected that the data recorded from the AQ, BFNE and SIAS questionnaires would be consistent with this hypothesis and highlight the link between autistic-like traits and heightened anxiety. The results show no link between the AQ and the BFNE. However, they do indicate a positive relationship between the AQ and SIAS, and a positive relationship between the SIAS and BFNE, as expected. This indicates that there is some truth to the hypothesis that the social deficits faced by people with autism are linked to anxiety. This study has some limitations, which should be considered when discussing the results. Firstly, participants of this study were first year students, largely under the age of 20, and of similar level of intelligence. These factors make the sample somewhat limited, and it is unlikely to be a true refection of the general population. Future studies would benefit from conducting surveys with a more diverse sample group. A random sample of participants would provide a more rounded and accurate representation of the general population. In addition, this study assessed members of the general population, and most –if not all- participants do not have autism. Therefore, it could be argued that the results may not be entirely valid. While there is research to suggest that autistic-like traits are evident in the general population, this does not necessarily mean that the link between autistic-like characteristics and anxiety established in this study can be transferred to people with autism. Future studies may need to assess this hypothesis with people who have autism for more valid findings. A further possible limitation of this study is that of the 931 students, only 356 participated in the study. It is logical to expect that the students who completed the survey are likely to be the more diligent students. The more diligent students may share similar characteristics, and may have more autistic-like tendencies; this could indicate some bias in the sample group. This study indicates a link between autistic-like characteristics and anxiety in the general population. If this link was proven in future studies to be also relevant to people with Autism, the information could be used to improve the quality of their social interactions. Clinicians could potentially take this link into account when working with patients with Autism. By developing ways to reduce anxiety, clinicians may be able to make patients more comfortable in social situations. This study has supported the theory that there is a link between autistic-like characteristics and anxiety. This could be further developed with more extensive research into anxiety in people who have autism. With further research, clinicians may be able develop methods to target anxiety in people with Autism and reduce the severity of their social deficits.

Disney Corporation Through The Eyes Of A Marxist

Disney Corporation Through The Eyes Of A Marxist The Walt Disney Corporation has just about dipped its fingers within everything consumer based. To give you a picture of just how much Disney is involved in our society, here is exactly where Disney has its foot in the door. From Walt Disney studios (who owns Walt Disney Pictures, Pixar, Touchstone Pictures, Miramax Films); to Walt Disney studios Home Entertainment; to Disney Theatrical Productions (who is one of the largest producers of Broadway musicals, including Disney Live Family Entertainment and Disney on Ice); to the music within their motion pictures (including Walt Disney Records, Hollywood Records, and Lyric Street Records) (8). That is all only within the Walt Disney Studios department of the Disney Corporation. There is also the Disney theme parks and resorts. Since its first park, Disneyland Park in Anaheim, California opened, the Parks and Resorts department has grown to encompass the world-class Disney Cruise Line, eight Disney Vacation Club resorts (with more than 100,000 members), Adventures by Disney (immersive Disney-guided travel around the world), and five resort locations (encompassing 11 theme parks, including some owned or co-owned by independent entities) on three continents (8). There are also the Disney consumer products, which extend the Disney brand to merchandise ranging from apparel, toys, home dà ©cor and books and magazines to interactive games, foods and beverages, stationery, electronics and fine art. [Disneys publishing company,] Disney Publishing Worldwide is the worlds largest publisher of childrens books and magazines, reaching more than 100 million readers each month in 75 countries. Disneys imprints include Disney Libri, Hyperion Books for Children, Jump at the Sun, Disney Press, and Disney Editions (8). Disneys official shopping source is disneystore.com. The Disney stores retail chain is owned and operated by an unaffiliated third party in Japan under a license agreement with The Walt Disney Company. [However,] Disney owns and operates the Disney Store chain in North America and Europe. (8) There are also the various media networks that Disney owns or is majorly affiliated with. From broadcast, to cable, to radio, to publishing and internet business, Disney is tuned into everything. Their keys networks are Disney-ABC Television Group, ESPN Inc., Walt Disney Internet Group, and ABC owned television stations. (8) The Disney-ABC Television Group is home to the ABC Television Network, the Disney Channel, ABC Family, SOAPnet, AE Television, and the Radio Disney Network. When it comes to ESPN, however, with its six domestic cable television networks (ESPN, ESPN2, ESPN Classic, ESPNEWS, ESPN Deportes, and ESPNU) along with ESPN International; ESPN Radio; ESPN.com; ESPN The Magazine; ESPN Enterprises; ESPN Zones (their restaurants); ESPN360.com; ESPN Mobile Wireless; ESPN On Demand; ESPN Interactive; and ESPN PPV; the Disney-ABC Television Group only owns 80%, whereas a separate company (The Hearst Corporation) owns the other 20%.(8) So, who is at the top of this money making consumer machine? His name is Robert A. Iger, and in 2008 alone he grossed $51,072,580 (3). A merchandise hostess intern makes about $6.50 per hour. A research specialist, PhotoPass photographer, and guest relations hostess makes an average of $10.00 per hour. Managers make about $29.00 per hour, whereas a ride show technician makes about $23.00 per hour. (4) Why is it that there is such a gap in pay between employees and employers? What would Karl Marx think? With all of the profit the Disney accrues annually from its vast consumerism, the distribution of its profit amongst its employees is greatly skewed. Marx would say that Disney is exploiting its employees and the Disney has far too much excess profit. He would argue that Disney pays its customer service employees close to minimum wage when they are more than capable to be paying their workers a lot more. Disney also pays its managers and supervisors a little more than who they oversee so they will still stick up for their bosses and keep the repression of the workers stable. Also, those who earn the minimum paid work may also be keeping themselves down by working these jobs because they think they too may climb the ladder to success (class reading The Origin and Context of Karl Marxs Thought). If we were to classify people into Marxs two social classes, he would describe the top Disney executives as the bourgeoisie, and the laborers (their maintenance team, retail clerks, park ride o perators, restaurant employees, etc.) are the proletariat. Alienation can be observed on both sides of the spectrum, whether were looking at the top executives or the laborers of Disney. In this quote from The Holy Family, Marx says that the bourgeoisie and proletarians are equally alienated, but experience their alienation in different ways. The propertied class and the class of the proletariat present the same human self-estrangement. But the former class feels at ease and strengthened in this self-estrangement, it recognizes estrangement as its own power and has in it the semblance of a human existence. The class of the proletariat feels annihilated in estrangement; it sees in it its own powerlessness and the reality of an inhuman existence (Engels Marx, 1845). This may be seen that as the Disney executives are alienated, they feel strengthened by this with their own power, whereas the Disney laborers feel their alienation as a form of powerlessness. Marx may also believe that Disney laborers are alienated for many other reasons. He would say that they are operating things that they, in turn, would never own themselves. For example, employees who work at the theme parks will never experience what it is like to be at the park for leisure, unless its a free ticket every once in a while from corporate. Even then, the ticket has restrictions for certain days and seasons. Also, he would say that the Disney laborers inevitably lose control of their lives and selves, in not having any control of their work. They would never become autonomous, self-realized human beings except in how the bourgeois want the workers to be realized (class reading The Origin and Context of Karl Marxs Thought). Within the corporations hiring practices, Disney is not very open to negotiations. They just pitch a package to you, which the prospective cast member can either accept or decline. Marx would probably use this modern day analogy, if he could, that Disney is a 750 pound gorilla in the marketplace and that they know it and arent afraid to use it. For its customers Disney is a place of Imagination, magic, fantasy, romance, adventure, inspiration, family, and so much more. These are the feelings we encounter when we experience anything Disney as a society. Disneys goal for its consumers is to be seen as the happiest place (and products) on earth. The Walt Disney Corporation has been a powerful force in creating childhood culture around the world. Disneys massive success is based on images of innocence, magic, and fun. Its animated films in particular are praised as wholesome family entertainment endorsed by teachers and parents, and immensely popular with children (Feng Sun, 2001). Childrens imaginations have been the product of Disney for many generations now. Its become the ultimate form of fantasy, one that never needs to be questioned. Marx would say that we, as a society, are fools. He would argue that Disneys bourgeois philosophy has clouded our minds to see our world as they want us to see it. The messages of innocence are really messages of passivity, domesticity, and frailty for woman; while messages of adventure and fun really have underlying tones of power, violence, and a false notions of hope in the eyes of our little boys. In a sense, the Disney Corporation perpetuates the ideas of achieving the traditional American dream, while these executives know full well that the society they wish to see has been lost to time for quite a while now. Marx would describe the societal image of Disney as a secular opiate for the people (7). He would argue by saying that this state and this society produce[d Disney], which is an inverted consciousness of the world, because they are an inverted world (7). This meaning that the aspects to which Disney is fantasy ridden is opposite from what our society is. Disney has become an escape for us. He would go on by explaining that Disney is the fantastic realization of the human essence since the human essence has not acquired any true reality (7). Meaning that Disney is our imagination come to life. Disney is everything we wish could be within our world in regards to fantasy, and its everything they wish our value system would be. So who else could possibly shed some light on this subject but Max Weber? He would argue with Marx, saying that his thoughts of social stratification do not apply to Disney because there are many other jobs that are affiliated with Disney, but not of Disney, like independent contractors that are virtually ambiguous to the Disney executives. Weber would most likely believe that what Disney is doing is efficient and fair because what theyve been doing is the most effective for them. In the social world, Disney is all about family. They have been trying to uphold and instill the values of the past within virtually all of their consumer products. For Weber, this has a hint of value rationality. He would think that Disney executives utilize this bottom line thinking. They have weighed the costs and benefits of their choices and have gone with whatever brings them the most profit (Phillips). However, Weber would explain that the Disney executives would not apply to his traditional rationality approach because aspects of their corporation are continually changing. From the switch to digital animation from analog animation; updating their amusement park rides to fit todays technology; and even answering to the calls of society to finally create an animated film featuring an African American princess. Theyre not sticking with what theyve always known. Disney is constantly innovating to keep up with technology. Socially, however, Weber would agree with Marx by saying that Disney is sticking to its traditional roots by trying to uphold what they view as good moral values (class reading on Weber). Weber would also argue with Marx about how our society works. Marx says that we are all under control by the bourgeoisie: seeing our society in the ways they want us to view it. Disney wants us to see our society through the messages they imbed in their products. Weber would say that our society should be value free and to just let the chips fall where they may (Phillips). Disney is just doing what it wants to do: it is up to us to determine what way we perceive their messages. Weber would also say that Disney is a business bureaucracy: its goal is to maximize its profit. He would describe Disney within his ideas of social stratification: a combination of class, status, and party (class reading on Weber). These three are independent, yet linked (Phillips). Disney has class in the form of having an exorbitant amount of money; status in the way that virtually everyone knows of Disney, and its usually a good notion; and party in the way the Disney has tremendous power within the market and media (class reading on Weber). Within certain aspects of Disney, Marx and Weber share similar ideologies and in others they are on completely separate pages. Both theorists serve valid, rational points. There is no bias within this research: all ideas of Disney are objective and may not be what the theorists may view. All inquiries are based on their prior ideologies.

Analysis of Botnet Security Threats

Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b Analysis of Botnet Security Threats Analysis of Botnet Security Threats CHAPTER 1 INTRODUCTION 1.1 Introduction During the last few decades, we have seen the dramatically rise of the Internet and its applications to the point which they have become a critical part of our lives. Internet security in that way has become more and more important to those who use the Internet for work, business, entertainment or education. Most of the attacks and malicious activities on the Internet are carried out by malicious applications such as Malware, which includes viruses, trojan, worms, and botnets. Botnets become a main source of most of the malicious activities such as scanning, distributed denial-of-service (DDoS) activities, and malicious activities happen across the Internet. 1.2 Botnet Largest Security Threat A bot is a software code, or a malware that runs automatically on a compromised machine without the users permission. The bot code is usually written by some criminal groups. The term â€Å"bot† refers to the compromised computers in the network. A botnet is essentially a network of bots that are under the control of an attacker (BotMaster). Figure 1.1 illustrates a typical structure of a botnet. A bot usually take advantage of sophisticated malware techniques. As an example, a bot use some techniques like keylogger to record user private information like password and hide its existence in the system. More importantly, a bot can distribute itself on the internet to increase its scale to form a bot army. Recently, attackers use compromised Web servers to contaminate those who visit the websites through drive-by download [6]. Currently, a botnet contains thousands of bots, but there is some cases that botnet contain several millions of bots [7]. Actually bots differentiate themselves from other kind of worms by their ability to receive commands from attacker remotely [32]. Attacker or better call it botherder control bots through different protocols and structures. The Internet Relay Chat (IRC) protocol is the earliest and still the most commonly used CC channel at present. HTTP is also used because Http protocol is permitted in most networks. Centralized structure botnets was very successful in the past but now botherders use decentralized structure to avoid single point of failure problem. Unlike previous malware such as worms, which are used probably for entertaining, botnets are used for real financial abuse. Actually Botnets can cause many problems as some of them listed below: i. Click fraud. A botmaster can easily profit by forcing the bots to click on advertisement for the purpose of personal or commercial abuse. ii. Spam production. Majority of the email on the internet is spam. iii. DDoS attacks. A bot army can be commanded to begin a distributed denial-of-service attack against any machine. iv. Phishing. Botnets are widely used to host malicious phishing sites. Criminals usually send spam messages to deceive users to visit their forged web sites, so that they can obtain users critical information such as usernames, passwords. 1.3 Botnet in-Depth Nowadays, the most serious manifestation of advanced malware is Botnet. To make distinction between Botnet and other kinds of malware, the concepts of Botnet have to understand. For a better understanding of Botnet, two important terms, Bot and BotMaster have been defined from another point of views. Bot Bot is actually short for robot which is also called as Zombie. It is a new type of malware [24] installed into a compromised computer which can be controlled remotely by BotMaster for executing some orders through the received commands. After the Bot code has been installed into the compromised computers, the computer becomes a Bot or Zombie [25]. Contrary to existing malware such as virus and worm which their main activities focus on attacking the infecting host, bots can receive commands from BotMaster and are used in distributed attack platform. BotMaster BotMaster is also known as BotHerder, is a person or a group of person which control remote Bots. Botnets- Botnets are networks consisting of large number of Bots. Botnets are created by the BotMaster to setup a private communication infrastructure which can be used for malicious activities such as Distributed Denial-of-Service (DDoS), sending large amount of SPAM or phishing mails, and other nefarious purpose [26, 27, 28]. Bots infect a persons computer in many ways. Bots usually disseminate themselves across the Internet by looking for vulnerable and unprotected computers to infect. When they find an unprotected computer, they infect it and then send a report to the BotMaster. The Bot stay hidden until they are announced by their BotMaster to perform an attack or task. Other ways in which attackers use to infect a computer in the Internet with Bot include sending email and using malicious websites, but common way is searching the Internet to look for vulnerable and unprotected computers [29]. The activities associated with Botnet can be classified into three parts: (1) Searching searching for vulnerable and unprotected computers. (2) Dissemination the Bot code is distributed to the computers (targets), so the targets become Bots. (3) sign-on the Bots connect to BotMaster and become ready to receive command and control traffic. The main difference between Botnet and other kind of malwares is the existence of Command-and-Control (CC) infrastructure. The CC allows Bots to receive commands and malicious capabilities, as devoted by BotMaster. BotMaster must ensure that their CC infrastructure is sufficiently robust to manage thousands of distributed Bots across the globe, as well as resisting any attempts to shutdown the Botnets. However, detection and mitigation techniques against Botnets have been increased [30,31]. Recently, attackers are also continually improving their approaches to protect their Botnets. The first generation of Botnets utilized the IRC (Internet Relay Chat) channels as their Common-and-Control (CC) centers. The centralized CC mechanism of such Botnet has made them vulnerable to being detected and disabled. Therefore, new generation of Botnet which can hide their CC communication have emerged, Peer-to-Peer (P2P) based Botnets. The P2P Botnets do not experience from a single point of failur e, because they do not have centralized CC servers [35]. Attackers have accordingly developed a range of strategies and techniques to protect their CC infrastructure. Therefore, considering the CC function gives better understanding of Botnet and help defenders to design proper detection or mitigation techniques. According to the CC channel we categorize Botnets into three different topologies: a) Centralized; b) Decentralized and c) Hybrid. In Section 1.1.4, these topologies have been analyzed and completely considered the protocols that are currently being used in each model. 1.4 Botnet Topologies According to the Command-and-Control(CC) channel, Botnet topology is categorized into three different models, the Centralized model, the Decentralized model and Hybrid model. 1.4.1 Centralized Model The oldest type of topology is the centralized model. In this model, one central point is responsible for exchanging commands and data between the BotMaster and Bots. In this model, BotMaster chooses a host (usually high bandwidth computer) to be the central point (Command-and-Control) server of all the Bots. The CC server runs certain network services such as IRC or HTTP. The main advantage of this model is small message latency which cause BotMaster easily arranges Botnet and launch attacks. Since all connections happen through the CC server, therefore, the CC is a critical point in this model. In other words, CC server is the weak point in this model. If somebody manages to discover and eliminates the CC server, the entire Botnet will be worthless and ineffective. Thus, it becomes the main drawback of this model. A lot of modern centralized Botnets employed a list of IP addresses of alternative CC servers, which will be used in case a CC server discovered and has been taken offline. Since IRC and HTTP are two common protocols that CC server uses for communication, we consider Botnets in this model based on IRC and HTTP. Figure 1.2 shows the basic communication architecture for a Centralized model. There are two central points that forward commands and data between the BotMaster and his Bots. 1.4.1.1 Botnets based on IRC The IRC is a type of real-time Internet text messaging or synchronous conferencing [36]. IRC protocol is based on the Client Server model that can be used on many computers in distributed networks. Some advantages which made IRC protocol widely being used in remote communication for Botnets are: (i) low latency communication; (ii) anonymous real-time communication; (iii) ability of Group (many-to-many) and Private (one-to-one) communication; (iv) simple to setup and (v) simple commands. The basic commands are connect to servers, join channels and post messages in the channels; (vi) very flexibility in communication. Therefore IRC protocol is still the most popular protocol being used in Botnet communication. In this model, BotMasters can command all of their Bots or command a few of the Bots using one-to-one communication. The CC server runs IRC service that is the same with other standard IRC service. Most of the time BotMaster creates a channel on the IRC server that all the bots can connect, which instruct each connected bot to do the BotMasters commands. Figure 1.3 showed that there is one central IRC server that forwards commands and data between the BotMaster and his Bots. Puri [38] presented the procedures and mechanism of Botnet based on IRC, as shown in Figure. 1.4. Bots infection and control process [38]: i. The attacker tries to infect the targets with Bots. ii. After the Bot is installed on target machine, it will try to connect to IRC server. In this while a random nickname will be generate that show the bot in attackers private channel. iii. Request to the DNS server, dynamic mapping IRC servers IP address. iv. The Bot will join the private IRC channel set up by the attacker and wait for instructions from the attacker. Most of these private IRC channel is set as the encrypted mode. v. Attacker sends attack instruction in private IRC channel. vi. The attacker tries to connect to private IRC channel and send the authentication password. vii. Bots receive instructions and launch attacks such as DDoS attacks. 1.4.1.2 Botnet based on HTTP The HTTP protocol is an additional well-known protocol used by Botnets. Because IRC protocol within Botnets became well-known, internet security researchers gave more consideration to monitoring IRC traffic to detect Botnet. Consequently, attackers started to use HTTP protocol as a Command-and-Control communication channel to make Botnets become more difficult to detect. The main advantage of using the HTTP protocol is hiding Botnets traffics in normal web traffics, so it can easily passes firewalls and avoid IDS detection. Usually firewalls block incoming and outgoing traffic to not needed ports, which usually include the IRC port. 1.4.2 Decentralized model Due to major disadvantage of Centralized model-Central Command-and-Control (CC)-attackers tried to build another Botnet communication topology that is harder to discover and to destroy. Hence, they decided to find a model in which the communication system does not heavily depending on few selected servers and even discovering and destroying a number of Bots. As a result, attackers take advantage of Peer-to-Peer (P2P) communication as a Command-and-Control (CC) pattern which is much harder to shut down in the network. The P2P based CC model will be used considerably in Botnets in the future, and definitely Botnets that use P2P based CC model impose much bigger challenge for defense of networks. In the P2P model, as shown in Fig. 1.6, there is no Centralized point for communication. Each Bot have some connections to the other Bots of the same Botnet and Bots act as both Clients and servers. A new Bot must know some addresses of the Botnet to connect there. If Bots in the Botnet are taken offline, the Botnet can still continue to operate under the control of BotMaster. P2P Botnets aim at removing or hiding the central point of failure which is the main weakness and vulnerability of Centralized model. Some P2P Botnets operate to a certain extent decentralized and some completely decentralized. Those Botnets that are completely decentralized allow a BotMaster to insert a command into any Bots. Since P2P Botnets usually allow commands to be injected at any node in the network, the authentication of commands become essential to prevent other nodes from injecting incorrect commands. For a better understanding in this model, some characteristics and important features of famous P2P Botnets have been mentioned: Slapper: Allows the routing of commands to distinct nodes. Uses Public key and private key cryptography to authenticate commands. BotMasters sign commands with private key and only those nodes which has corresponding public key can verify the commands [42]. Two important weak points are: (a) its list of known Bots contains all (or almost all) of the Botnet. Thus, one single captured Bot would expose the entire Botnet to defenders [42] (b) its sophisticated communication mechanism produces lot traffic, making it vulnerable to monitoring via network flow analysis. Sinit: This Bot uses random searching to discove other Bots to communicate with. It can results in an easy detection due to the extensive probing traffic [34]. Nugache: Its weakness is based on its reliance on a seed list of 22 IP addresses during its bootstrap process [47]. Phatbot: Uses Gnutella cache server for its bootstrap process which can be easily shutdown. Also its WASTE P2P protocol has a scalability problem across a long network [48]. Strom worm: it uses a P2p overnet protocl to control compromised hosts. The communication protocol for this Bot can be classified into five steps, as describes below :[37] i. Connect to Overnet Bots try to join Overnet network. Each Bot initially has hard-coded binary files which is included the IP addresses of P2P-based Botnet nodes. ii. Search and Download Secondary Injection URL Bot uses hard-coded keys to explore for and download the URL on the Overnet network [37]. iii. Decrypt Secondary Injection URL compromised hosts take advantages of a key(hard coded) to decrypt the URL. iv. Download Secondary Injection compromised hosts attempt to download the second injection from a server(probably web server). It could be infected files or updated files or list of the P2P nodes [37]. 1.4.3 Hybrid model The Bots in the Hybrid Botnet are categorized into two groups: 1) Servant Bots Bots in the first group are called as servant Bots, because they behave as both clients and servers, which have static, routable IP addresses and are accessible from the entire Internet. 2) Client Bots Bots in the second group is called as client Bots since they do not accept incoming connections. This group contains the remaining Bots, including:- (a) Bots with dynamically designated IP addresses; (b) Bots with Non-routable IP addresses; and (c) Bots behind firewalls which they cannot be connected from the global Internet. 1.5 Background of the Problem Botnets which are controlled remotely by BotMasters can launch huge denial of service attacks, several infiltration attacks, can be used to spread spam and also conduct malicious activities [115]. While bot army activity has, so far, been limited to criminal activity, their potential for causing large- scale damage to the entire internet is immeasurable [115]. Therefore, Botnets are one of the most dangerous types of network-based attack today because they involve the use of very large, synchronized groups of hosts for their malicious activities. Botnets obtain their power by size, both in their increasing bandwidth and in their reach. As mentioned before Botnets can cause severe network disruptions through huge denial- of-service attacks, and the danger of this interruption can charge enterprises big sums in extortion fees. Botnets are also used to harvest personal, corporate, or government sensitive information for sale on a blooming organized crime market. 1.6 Statement of the Problem Recently, botnets are using new type of command-and-control(CC) communication which is totally decentralized. They utilize peer-to-peer style communication. Tracking the starting point and activity of this botnet is much more complicated due to the Peer-to-Peer communication infrastructure. Combating botnets is usually an issue of discovering their weakness: their central position of command, or CC server. This is typically an IRC network that all bots connect to central point, however with the use of P2P method; we cannot find any central point of command. In the P2P networks each bots in searching to connect other peers which can receive or broadcast commands through network. Therefore, an accurate detection and fighting method is required to prevent or stop such dangerous networks. 1.7 Research Questions a. What are the main differences between centralized and decentralized botnets? b. What is the best and efficient general extensible solution for detecting non-specific Peer-to- Peer botnets? 1.8 Objectives of the Study i. To develop a network-based framework for Peer-to-Peer botnets detection by common behavior in network communication. ii. To study the behavior of bots and recognizing behavioral similarities across multiple bots in order to develop mentioned framework. 1.9 Scope of the Study The project scope is limited to developing some algorithms pertaining to our proposed framework. This algorithms are using for decreasing traffics by filtering it, classifying intended traffics, monitoring traffics and the detection of malicious activities. 1.10 Significance of the study Peer-to-Peer botnets are one of the most sophisticated types of cyber crime today. They give the full control of many computers around to world to exploit them for malicious activities purpose such as spread of virus and worm, spam distribution and DDoS attack. Therefore, studying the behavior of P2P botnets and develop a technique that can detect them is important and high-demanded. 1.11 Summary Understanding the Botnet Command-and-Control(CC) is a critical part in recognizing how to best protect against the overall botnet threat. The CC channels utilized by the Botnets will often show the type and degree of actions an enterprise can follow in either blocking or shutting down a botnet, and the probability of success. It is also obvious that attackers have been trying for years to move away from Centralized CC channels, and are achieving some success using Decentralized(P2P) CC channels over the last 5 or so years. Therefore in this chapter we have defined a classification for better understanding of Botnets CC channels, which is included Centralized, Decentralized, and Hybrid model and tried to evaluate recognized protocols in each of them. Understanding the communication topologies in Botnets is essential to precisely identify, detect and mitigate the ever-increasing Botnets threats. CHAPTER 2 LITERATURE REVIEW 2.1 Introduction Before majority of botnets was using IRC (Internet Relay Chat) as a communication protocol for Command and Control(CC) mechanism. Therefore, many researches tried to develop botnet detection scheme which was based on analysis of IRC traffic [50]. As a result, attackers decided to develop more sophisticated botnets, such as Storm worm and Nugache toward the utilization of P2P networks for CC infrastructures. In response to this movement, researches have proposed various models of botnets detection that are based on P2P infrastructure [5]. One key advantage of both IRC and HTTP Botnet is the use of central Command and Control. This characteristic provides the attacker with very well-organized communication. However, the assets also considers as a main disadvantage to the attacker [8]. The threat of the Botnet can be decreased and possibly omitted if the central CC is taken over or taken down [8]. The method that is starting to come out is P2P structure for Botnet interaction. There is not any centralized centre for P2P botnets. Any nodes in P2P botnet behave as client and server as well. If any point in the network is shut down the botnet still can continue its operation. The storm botnet is one of the main and recognized recent P2P botnets. It customized the overnet P2P file-sharing application which is based on the Kademlia distributed hash table algorithm [55] and exploit it for its CC infrastructure. Recently many researchers specially in the anti-virus community and electronic media concentrated on storm worm [56,57]. 2.2 Background and History A peer-to-peer network is a network of computers that any computer in the network can behave as both a client and a server. Some explanation of peer-to-peer networks does not need any form of centralized coordination. This definition is more comfortable because the attacker may be interested in hybrid architectures [8]. 2.2.1 History The table 2.1 shows a summary of some well-known bots and P2P protocols. The range of time from the first bots, EggDrop, until the Storm Worm P2P bot is newly released. The first non-malicious bot was EggDrop that came up many years ago, and we know it as one of the first IRC bots that came to market. GTBot that have many other categories is another well-known malicious bot, that its variants are IRC client, mIRC.exe[61]. After a while, P2P protocols have been used for Botnet activities. Napster is one of the first bot that used P2P as its communication. Napster built an platform that permit all bots can find each other and share files with each other in the network. In this bot, file sharing has been done in the centralized server that we can say it was not completely a P2P botnet. Therefore, all bots have to upload an index of their files to the centralized server and also if they are looking for other files among all bots, have to search in centralized server. If it can find any file that looking for, then can directly connect to that bot and download what they want. Nowadays, because Napster has been shutdown as their service recognized as illegal service, many other P2P service focusing on avoiding such finding. After few years after Napster, Gnutella protocol came up as the first completely P2P services. Actually after Gnutellas , as shown in Table 2.1, many other P2P protocols have been released, such as Kademilia and Chord. This two new p2p service are using distributed hash table as a method for finding information in the peer-to-peer networks. Agobot is another malicious P2P bot that came up recently and become widespread because of good design and modular code base [61]. Nowadays many researchers are concentrating on P2P bots and there is an anticipation that P2P bots will reach to the stage that Centralized botnets will not been used any more in the future. Table 2.1: P2P based Botnets 2.3 Peers-to-Peer Overlay Networks Overlay networks are categorized into two categories: Structured and Unstructured. All nodes in first category can connect to most X peers regarding some conditions for identification of nodes that those peers want to connect. However in unstructured type there is not any specified limit for the number of peers that they can connect, in spite of the fact that there is not any condition for connecting to other peers. Overnet is a good example of structured p2p networks and Chorf is a good example of unstructured P2P networks. 2.3.1 Brief overview of Overnet One of the popular file sharing networks is Overnet that use for their design use distributed hash table (DHT) algorithm that called Kademlia[55]. Each node produces a 128-bit id for joining the network and also use for sending to other node for introducing itself. Actually each node in the network saves the information about other nodes in order to route query messages. 2.3.2 Brief overview of Gnutella Gnutellas is a unstructured file sharing network. In this network, when a node like n want to connect to a node like m, use a ping message to inform the other node for its presence. As long as node m received ping message, then send it back to other nodes in its neighbor and also send a Pong message to the sender of ping message that was node n. this transaction among node let them to learn about each other. 2.4 Botnet Detection In particular, to compare existing botnet detection techniques, different methods are described and then disadvantages of each method are mentioned respectively. 2.4.1 Honeypot-based tracking Honeypot can be used to collect bots for analyzing its behavior and signatures and also for tracking botnets. But using honeypots have several limitations. The most important limitation is because of limited scale of exploited activities that can track. And also it cannot capture the bots that use the method of propagation other than scanning, such as spam. And finally it can only give report for infection machines that are anticipated and put in the network as trap system. So it means that it can not give a report for those computers that are infected with bot in the network but are not devoted as trap machines. So we can come to this conclusion that generally in this technique we have to wait until one bot in the network infect our system and then we can track or analyze the machine. 2.4.2 Intrusion detection systems Intrusion detection techniques can be categorized into two categories: host-based and network-based solution. Host-based techniques are used for recognizing malware binaries such as viruses. A good example of this type is anti-virus detection systems. However, we know that anti-virus are good for just virus detection. The most important disadvantages of anti-virus are that bots can easily evade the detection technique by changing their signatures easily, because the detection system cannot update their databases consistency. And also bots can disable any anti-virus tools in the system to protect themselves from detection. Network- based intrusion detection system is another method for detection that is used in the field of botnet detection. Snort[67] and Bro[68] are the two well-known signature based detection system that are used currently. They use a database as signatures of famous malicious activities to detect botnets or any other malware. Actually if our objective is using this technique for botnet detection, we have to keep updating the database and recognizing all malware quickly to make a signature of it and add to our database. For solving this solving this problem recently researchers are using anomaly based IDS that can detect malicious activities based on behavior of malware or detection techniques. 2.4.3 Bothunter : Dialog correlation-based Botnet detection This technique developed an evidence-trail approach for detecting successful bot infection with patterns during communication for infection process. In this strategy, bot infection pattern are modeled to use for recognizing the whole process of infection of botnet in the network. All behavior that occur the bot infection such as target scanning, CC establishment, binary downloading and outbound propagation have to model by this method. This method gathers an evidence-trail of connected infection process for each internal machine and then tries to look for a threshold combination of sequences that will convince the condition for bot infection [32]. The BotHunter use snort with adding two anomaly-detection components to it that are SLADE (Statistical payLoad Anomaly Detection Engine) and SCADE (Statistical scan Anomaly Detection Engine). SCADE produce internal and external scan detection warnings that are weighted for criticality toward malware scanning patterns. SLADE perform a byte-distribution payload anomaly detection of incoming packets, providing a matching non-signature approach in inbound exploit detection [32 ]. Slade use an n-gram payload examination of traffics that have typical malware intrusions. SCADE execute some port scan analysis for incoming and outgoing traffics. Actually BotHunter has a link between scan and alarm intrusion that shows a host has been infected. When a adequate sequence of alerts is established to match BotHunters infection dialog model, a comprehensive report is created to get all the related events participants that have a rule in infection dialog [32]. This method provides some important features: i. This technique concentrates on malware detection by IDS-driven dialog correlation. This model shows an essential network processes that occur during a successful bot infection. ii. This technique has one IDS-independent dialog correlation engine and three bot-specific sensors. This technique can automatically produce a report of whole detection of bot, as well as the infection of agent, identification of the computer that has been infected and source of Command and Control centre. 2.4.3.1 Bot infection sequences Actually understanding bot infection life processes is a challenging work for protection of network in the future. The major work in this area is differentiating between successful bot infection and background exploit attempt. For reaching to this point analysis of two-way dialog flow between internal hosts and external hosts (internet) is needed. In a good design network which uses filtering at gateway, the threats of direct exploitations are limited. However, contemporary malware families are highly flexible in their ability to attack vulnerable hosts through email attachments, infected P2P media, and drive-by download infections [32]. 2.4.3.2 Modeling the infection dialog process The bot distribution model can conclude by an analysis of external communication traffics that shows the behavior of relevant botnet. Incoming scan and utilize alarms are not enough to state a winning malware infection, as are assumed that a stable stream of scan and exploit signals will be observed from the way out monitor [32]. Figure 2.1 shows the process of bot infection in BotHunter that used for evaluating network flows through eight stages. This model is almost similar with the model that Rajab et al. presented for IRC detection model. The model that they proposed has early initial scanning that is a preceding consideration happen in form of IP exchange and pointing vulnerable ports. Actually figure 2.1 is not aimed for a strict ordering of infection events that happen during bot infection. The important issue here is that bot dialog processes analysis have to be strong to the absence of some dialog events and must not need strong sequencing on the order in bound dialog is conducted. One solution to solve the problem of sequence order and event is to use a weighted event threshold system that take smallest essential sparse sequences of events under which bot profile statement can be initiated [32]. For instance, it is possible put weighting and threshold system for the look of each event in a way that a smallest set of event is important prior of bot detection. 2.4.3.3 Design and implementation More attention devoted for designing a passive network monitoring system in this part which be able of identifying the bidirectional warning signs when internal hosts are infected with b