Covert Botnet Design and Defense Analysis

Shirley, Brandon Lyle 01 December 2009
Intrusion defense system (IDS) development has been largely reactionary in nature. This is especially troubling given that botnets are capable of compromising and controlling thousands of computers before security professionals develop a mitigation technique. As new exploits are created, new mitigation techniques are developed to detect infections and, where possible, remove them. This thesis breaks from this tradition of reacting to malware. Instead, it looks at possible malicious software models through analyzing existing defense systems for exploitable weaknesses. First, this thesis presents a new specialized botnet that circumvents current network intrusion detection mechanisms. The proposed botnet coordinates external communication among bots located within the same switched network. This model is designed to prevent a perimeter-based IDS from adequately correlating external communication for a given internal host. The idea is to localize botnet communication, thus enabling a portion of the compromised systems to hide from existing detection techniques without a significant increase in network monitoring points, an increase that currently has not been effectively addressed. Second, this thesis presents a prototype of an IDS that addresses the aforementioned weakness in current IDSs. The proposed method augments existing IDSs in order to efficiently detect this new botnet specialization or "sub-botnet". Our method adds lightweight monitoring points within the switched network. These points relay necessary information back to a centralized perimeter-based IDS instance for bot detection. The IDS is also able to effectively relay signature information to the additional monitoring points for analysis.
Detecting Botnet-based Joint Attacks by Hidden Markov Model

Yu Yang, Peng 06 September 2012
We present a new detection model that includes monitoring the network perimeter and host logs to counter a new attack method involving different source hosts during an attack sequence. The new attack sequence, which we call "Scout and Intruder", involves two separate hosts. The scout scans and evaluates the target area to find possible victims and their vulnerabilities, and the intruder launches a precision strike with login activities that look the same as those of authorized users. By launching the scout and assassin attack, the attacker could access the system without being detected by the network and system intrusion detection systems. In order to detect the Scout and Intruder attack, we correlate NetFlow connection records, system logs and network data dumps; by finding the states of the attack and the corresponding features, we create the detection model using a Hidden Markov Chain. With the model we created, we could find a potential Scout and Intruder attack in its initial state, which gives the network/system administrator more response time to stop the attack.
Web-based Botnet Detection Based on Flow Information

Tsai, Yu-Chou 08 September 2009
A botnet is a combination of cyber attack, infection and dissemination. Across the Internet, the infected hosts might launch DDoS (Distributed Denial-of-Service) attacks or become proxies sending SPAM according to commands from botmasters via public services such as IRC, P2P or the Web (HTTP) protocol. Among these command and control channels, Web-based botnets are much more difficult to detect because their command and control messages are spread through the HTTP protocol and hide behind normal flows. In this research, we focus on the analysis and detection of Web-based botnets, detecting them by features: timeslot, calculation of NetFlow, and B2S (Bot to Server) and S2B (Server to Bot) of Web-based botnets. The experimental results show that the proposed approach, which uses the features mentioned above, performs well in many different topology designs. In addition, we also obtained a good detection rate in a real network design.
Evaluating the Effectiveness of Sybil Attacks Against Peer-to-Peer Botnets

Verigin, Adam Louis 18 December 2013
Botnets are networks of computers which have been compromised by malicious software which enables a remotely located adversary to control them and focus their collective power on specific tasks. Botnets pose a significant global threat, with tangible political, economic and military ramifications, and have as a result become a field of significant interest within the cyber-security research community. While a number of effective defence techniques have been devised for botnets utilizing centralized command and control infrastructures, few of these techniques are suitable for defending against larger-scale peer-to-peer (P2P) botnets. In contrast, the sybil attack, combined with index poisoning, is an established defence technique for P2P botnets. During a sybil attack, fake bots (i.e. sybils) are inserted into the botnet. These sybils distribute fake commands to bots, causing them not to carry out illicit activities. Bots also then unwittingly redistribute the fake commands to other bots in the botnet. This work uses packet-level simulation of a Kademlia-based P2P botnet to evaluate 1) the impact that the location of sybils within the underlying network topology can have on the effectiveness of sybil attacks and 2) several potential optimizations to the placement of sybils within the underlying network topology. / Graduate / 0537 / 0544 / 0984
Design of a hybrid command and control mobile botnet

Pieterse, Heloise January 2014
Mobile devices have excelled in the 21st century due to the increasing popularity and continuous improvement of mobile technology. Today mobile devices have become all-in-one portable devices, providing inter-connectivity, device-to-device communication and the capability to compete with personal computers. The improved capabilities and popularity of mobile devices have, however, caught the attention of botnet developers, allowing the threat of botnets to move into the mobile environment. A mobile botnet is defined as a collection of compromised mobile devices, controlled by a botmaster through a command and control (C&C) network to serve a malicious purpose. Previous studies of mobile botnet designs focused mostly on the C&C structure, investigating other mechanisms as potential C&C channels. None of these studies dealt with the use of a hybrid C&C structure within a mobile botnet design. This research consequently examines the problem of designing a new mobile botnet that uses a hybrid C&C structure. A model of this new hybrid design is proposed, describing the propagation vectors, C&C channels, and the topology. This hybrid design, called the Hybrid Mobile Botnet, explores the efficiency of multiple C&C channels against the following characteristics: no single point of failure must exist in the topology, low cost for command dissemination, limited network activities and low battery consumption per bot. The objectives were measured by using a prototype built according to the Hybrid Mobile Botnet model. The prototype was deployed on a small collection of mobile devices running the Android operating system. In addition, the prototype allowed for the design of a physical Bluetooth C&C channel, showing that such a channel is feasible, able to bypass security and capable of establishing a stealthy C&C channel. The successful execution of the prototype shows that a hybrid C&C structure is possible, allowing for a stealthy and cost-effective design. It also reveals that current mobile technology is capable of supporting the development and execution of hybrid mobile botnets. Finally, this dissertation concludes with an exploration of the future of mobile botnets and the identification of security steps users of mobile devices can follow to protect against their attacks. / Dissertation (MSc)--University of Pretoria, Pretoria 2014 / Computer Science / unrestricted
Empirical Analysis of a Cybersecurity Scoring System

Ahmed, Jaleel 19 March 2019
In the field of cybersecurity, top-level management makes use of metrics to decide whether the organization is doing well at protecting itself from cyber attacks or is in tatters, leaving itself susceptible to the vast threats looming around. Not only that, but metrics are even used to measure the performance of the security team. The aim of this thesis is to show how economics is closely related to cybersecurity and how metrics play an important role in the policy making of an organization. Furthermore, I scrutinize one of the leading security score providers for the way they detect botnet infection. Botnet infection is part of the compromised system group in their score card categories, which amounts to 55% of the total security score. So it becomes essential for the security score providers to have the right method of grading a company, since it will have an impact on how the company uses its resources to protect itself from outside threats and on the insurance premium it pays to cover any successful cyber attacks. I have found out that the data on which the botnet infection vector is graded has false positives. I shed light on the security analyst and the security team as a whole in their role in making decisions according to the security score. It is even the duty of the security team to work ethically, that is, the aim should not be to improve the security score; rather the aim should be to protect the organization from outside attacks, and if that happens to increase the security rating then so be it.
HTTP botnet detection using passive DNS analysis and application profiling

Alenazi, Abdelrahman Aziz 15 December 2017
HTTP botnets are currently the most popular form of botnets compared to IRC and P2P botnets. This is because they are not only easier to implement, operate, and maintain, but they can also easily evade detection. Likewise, HTTP botnet flows can easily be buried in the huge volume of legitimate HTTP traffic occurring in many organizations, which makes detection harder. In this thesis, a new detection framework involving three detection models is proposed, which can run independently or in tandem. The first detector profiles the individual applications based on their interactions, and isolates the malicious ones accordingly. The second detector tracks the regularity in the timing of the bot DNS queries, and uses this as the basis for detection. The third detector analyzes the characteristics of the domain names involved in the DNS, and identifies the algorithmically generated and fast flux domains, which are staples of typical HTTP botnets. Several machine learning classifiers are investigated for each of the detectors. Experimental evaluation using public datasets and datasets collected in our testbed yields very encouraging performance results. / Graduate
Distributed denial of service attacks : Protection, Mitigation, and Economic Consequences

Eklund, Martin, Ståhlberg, Patrik January 2015
Distributed Denial of Service attacks are a problem that constantly threatens companies that rely on the internet for major parts of their business. A successful DDoS attack that manages to penetrate a company's network can lead to devastating damages in the form of lost income, reduced productivity, increase in costs, and damage to the company's image and reputation. The different DDoS attacks are many and of different character and often attack different parts of the network, which makes it very difficult to defend against them. It is also very clear that DDoS attacks are increasing in both numbers and size every year. From our experiments we have proven that anyone with little knowledge and limited resources can perform DDoS attacks that will make a website unavailable. This fact should make companies that base their business on the internet aware that they are likely to someday be subject to a DDoS attack. From our research we have found a variety of different DDoS solutions on the market that promise to offer protection, many of which claim to protect against all different types of DDoS attacks. In practice it is impossible to find something that guarantees 100% safety. According to earlier research in the field, there are many different ways of protecting a network against DDoS attacks, e.g. via Software Defined Networking, Hop-Count Filtering, or Kill-bots. Our own tests show that a virtual firewall can offer protection against DDoS attacks on a low scale, but that such a solution has a number of weaknesses. If the firewall does protect the website, the attacker could instead shift to attacking the firewall itself. Our research also shows that the most common motives behind DDoS attacks are criminal purposes. Criminals use DDoS attacks to earn money by offering directed DDoS attacks against websites or by trying to blackmail companies into paying a fee for not being attacked. We have also seen that the economic consequences of DDoS attacks are devastating if not handled with a sufficiently fast response. After investigating the e-commerce company CDON.com we learned that they could potentially lose roughly 36 410 SEK per minute when a DDoS attack is underway against them. In today's business climate it is important for companies to be able to rely on the internet for their activity and for customers to have easy access to the company's products and services. However, companies' websites are being attacked and thus these companies need an explicit plan of how to mitigate such attacks. / Distributed Denial of Service (DDoS) attacks are a problem that constantly threatens companies that rely on the internet for central parts of their business. A DDoS attack that succeeds in penetrating a company's network can cause devastating damage in the form of lost revenue, reduced productivity, increased costs and damage to the company's reputation/brand. DDoS attacks are many and of different character, attacking different parts of a company's network, which makes it difficult to protect effectively against them. It is also clear that DDoS attacks are increasing in both number and size with every passing year. From our own experiments we have been able to prove that anyone with small means and limited knowledge can carry out a DDoS attack that takes down a website. This is a fact that means every company whose business is based on the internet should expect to be subjected to a DDoS attack at some point. From our investigations we can see that there is an abundance of different DDoS protections on the market, protections that handle some of the problems DDoS attacks cause, but there is no complete protection that can guarantee 100 % security. Earlier research in the field shows that there are many different ways to protect against DDoS attacks, e.g. through Software Defined Networks, Hop-Count Filtering or Kill-bots. Our own tests show that a virtual firewall can be one way to protect against DDoS attacks, but the tests also show that such a solution is not secure either, since access to the website can be destroyed by overloading the firewall. The study also shows that one of the most common motives behind DDoS attacks is criminal purposes: criminals who use DDoS attacks to make money by offering targeted DDoS attacks against websites or by attempting to extort payment with DDoS attacks as a threat. We have concluded that the economic consequences of DDoS attacks can be disastrous for companies if they are not handled in time. Through our own calculations we have shown that the e-commerce company CDON.com risks losing approximately 36 415,90 kr per minute while a DDoS attack is in progress against the company. The reason we chose to devote this thesis to the DDoS problem is the alarming increase in DDoS attacks that can be observed every year. The attacks are becoming more numerous, they are growing in size and they are becoming increasingly sophisticated. In some cases the attacks are also carried out seemingly without motive, but well-planned attacks are also carried out to harm companies financially. In today's business climate it is important for a company to be able to use the internet to run its business and to make it easy for customers to access the company's products/services. Companies' websites being knocked out by DDoS attacks is a reality today, and a clear plan for how to handle such an incident should be in place within companies.
Lutte contre les botnets : analyse et stratégie / The fight against botnets : from observation to strategy

Freyssinet, Eric 12 November 2015
Botnets, or networks of computers infected with malicious code and connected to a command and control system, are the primary tool of crime on the Internet. They make possible the development of a new type of criminal activity: crime as a service (CaaS). They pose a challenge for law enforcement. First, because of the scale of their impact on network security and on the commission of offences on the Internet. Next, because of the extremely international dimension of their spread and hence a certain difficulty in conducting investigations. Finally, because of the large number of actors who may be involved (coders, botnet masters, financial intermediaries). This thesis covers the study of botnets (components, operation, actors), the proposal of a method for collecting data on botnet-related activities, and the technical and organisational arrangements for fighting botnets; it concludes with proposals on the strategy for this fight. The work carried out confirmed the relevance, for the effective study of botnets, of a model encompassing all of their components, including infrastructure and actors. Besides an effort at definition, the thesis provides a complete model of the life cycle of a botnet and proposes methods for categorising these objects. What emerges is the need for a shared strategy that must include the elements of detection and coordination and the possibility, or even the obligation, for operators to implement mitigation measures. / Botnets, or networks of computers infected with malware and connected to a command and control system, are one of the main tools for criminal activities on the Internet today. They allow the development of a new type of crime: crime as a service (CaaS). They are a challenge for law enforcement. First, by the importance of their impact on the security of networks and the commission of crimes on the Internet. Next, with regard to the extremely international dimension of their dissemination and therefore the enhanced difficulty in conducting investigations. Finally, through the large number of actors that may be involved (software developers, botnet masters, financial intermediaries, etc.). This thesis proposes a thorough study of botnets (components, operation, actors), the specification of a data collection method on botnet related activities and finally the technical and organizational arrangements in the fight against botnets; it concludes with proposals on the strategy for this fight. The work carried out has confirmed the relevance, for the effective study of botnets, of a model encompassing all their components, including infrastructure and actors. Besides an effort in providing definitions, the thesis describes a complete model of the life cycle of a botnet and offers methods for categorization of these objects. This work shows the need for a shared strategy which should include the detection elements, coordination between actors and the possibility or even the obligation for operators to implement mitigation measures.
Fast Identification of Structured P2P Botnets Using Community Detection Algorithms

Venkatesh, Bharath January 2013
Botnets are a global problem, and effective botnet detection requires the cooperation of large Internet Service Providers, allowing near-global visibility of traffic that can be exploited to detect them. This global visibility comes with huge challenges, especially in the amount of data that has to be analysed. To handle such large volumes of data, a robust and effective detection method is the need of the hour, and it must rely primarily on a reduced or abstracted form of data such as a graph of hosts, with an edge between two hosts if there is any data communication between them. Such an abstraction would be easy to construct and store, as very little of each packet needs to be looked at. Structured P2P command and control has been shown to be robust against targeted and random node failures, and is thus an ideal mechanism for botmasters to organize and command their botnets effectively. This thesis therefore develops a scalable, efficient and robust algorithm for the detection of structured P2P botnets in large traffic graphs. It draws from advances in the state of the art in Community Detection, which aims to partition a graph into dense communities. Popular Community Detection algorithms with low theoretical time complexities such as Label Propagation, Infomap and the Louvain Method have been implemented and compared on large LFR benchmark graphs to study their efficiency. The Louvain method is found to be capable of handling graphs of millions of vertices and billions of edges. This thesis analyses the performance of this method with two objective functions, Modularity and Stability, and finds that neither of them is robust and general. In order to overcome the limitations of these objective functions, a third objective function proposed in the literature is considered. This objective function has previously been used successfully in the case of Protein Interaction Networks, and is used in this thesis to detect structured P2P botnets for the first time. Further, the differences in the topological properties (assortativity and density) of structured P2P botnet communities and benign communities are discussed. In order to exploit these differences, a novel measure based on mean regular degree is proposed, which captures both the assortativity and the density of a graph, and its properties are studied. This thesis proposes a robust and efficient algorithm that combines the use of greedy community detection and community filtering using the proposed mean regular degree measure. The proposed algorithm is tested extensively on a large number of datasets and is found to be comparable in performance in most cases to an existing botnet detection algorithm called BotGrep, and to be significantly faster.