  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
61

Characterizing Internet Worm Spatial-Temporal Infection Structures

Wang, Qian 15 October 2010
Since the Morris worm was released in 1988, Internet worms have continued to be one of the top security threats. For example, the Conficker worm infected 9 to 15 million machines in early 2009 and shut down the service of some critical government and medical networks. Moreover, it constructed a massive peer-to-peer (P2P) botnet. Botnets are zombie networks controlled by attackers setting out coordinated attacks. In recent years, botnets have become the number one threat to the Internet. The objective of this research is to characterize spatial-temporal infection structures of Internet worms, and apply the observations to study P2P-based botnets formed by worm infection. First, we infer temporal characteristics of the Internet worm infection structure, i.e., the host infection time and the worm infection sequence, and thus pinpoint patient zero or initially infected hosts. Specifically, we apply statistical estimation techniques on Darknet observations. We show analytically and empirically that our proposed estimators can significantly improve the inference accuracy. Second, we reveal two key spatial characteristics of the Internet worm infection structure, i.e., the number of children and the generation of the underlying tree topology formed by worm infection. Specifically, we apply probabilistic modeling methods and a sequential growth model. We show analytically and empirically that the number of children has asymptotically a geometric distribution with parameter 0.5, and the generation follows closely a Poisson distribution. Finally, we evaluate bot detection strategies and effects of user defenses in P2P-based botnets formed by worm infection. Specifically, we apply the observations of the number of children and demonstrate analytically and empirically that targeted detection that focuses on the nodes with the largest number of children is an efficient way to expose bots. However, we also point out that future botnets may self-stop scanning to weaken targeted detection, without greatly slowing down the speed of worm infection. We then extend the worm spatial infection structure and show empirically that user defenses, e.g., patching or cleaning, can significantly mitigate the robustness and the effectiveness of P2P-based botnets. To counterattack, we evaluate a simple measure by future botnets that enhances topology robustness through worm re-infection.
62

Možnosti identifikace botnetové robotické aktivitiy / On possible approaches to detecting robotic activity of botnets

Prajer, Richard January 2016
This thesis explores possible approaches to detecting robotic activity of botnets on a network. Initially, detection based on full packet analysis, in consideration of DNS, HTTP and IRC communication, is described. However, this detection is found inapplicable for technical and ethical reasons. Then it focuses on the analysis based on network flow metadata, compiling them to be processable in machine learning. It creates detection models using different machine learning methods, to compare them with each other. The Bayes net method is found to be acceptable for detecting robotic activity of botnets. The Bayesian model is only able to identify a botnet that already executes the commands sent by its C&C server. "Sleeping" botnets are not reliably detectable by this model.
63

Ochrana proti distribuovaným útokům hrubou silou / Distributed Brute Force Attacks Protection

Richter, Jan January 2010
This project deals with analysis of brute force attacks focused on breaking authentication of common services (especially ssh) of Linux and xBSD operating systems. It also examines real attacks, actual tools and ways of detection of these attacks. Finally, new mechanisms of coordination and evaluation of distributed brute force attacks in a distributed environment are designed. These mechanisms are then implemented in a distributed system called DBFAP.
64

Detekce malware pomocí analýzy DNS provozu / Malware Detection Using DNS Traffic Analysis

Daniš, Daniel January 2016
This master thesis deals with the design and implementation of a tool for malware detection using DNS traffic analysis. The text of the thesis is divided into a theoretical and a practical part. In the theoretical part the reader will be acquainted with the domain of malware and botnet detection. Consequently, various options and methods of malware detection will be described. The practical part of the thesis contains a description of the malware detection tool architecture as well as key aspects of its implementation. Moreover, emphasis is placed on testing and experiments. The result of the thesis is a tool, written in Python, for malware detection using DNS traffic analysis, that uses a combination of several methods of detection.
65

E‐Shape Analysis

Sroufe, Paul 12 1900
The motivation of this work is to understand E-shape analysis and how it can be applied to various classification tasks. It has a powerful feature to not only look at what information is contained, but rather how that information looks. This new technique gives E-shape analysis the ability to be language independent and to some extent size independent. In this thesis, I present a new mechanism to characterize an email without using content or context called E-shape analysis for email. I explore the applications of the email shape by carrying out a case study; botnet detection and two possible applications: spam filtering and social-context based fingerprinting. The second part of this thesis takes what I apply E-shape analysis to activity recognition of humans. Using the Android platform and a T-Mobile G1 phone I collect data from the triaxial accelerometer and use it to classify the motion behavior of a subject.
66

Detektionsmetoder för skadlig kod i IoT-baserat smart hem : En systematisk litteraturstudie / IoT-malware detection methods in smart home : A systematic literature review

Saxmark, William January 2023
IoT devices are being widely deployed within smart homes. Most of these devices are mass-produced at a low cost. As a result, due to the lack of security mechanisms, IoT devices become vulnerable to malware. As more IoT devices are connected to the internet, and given their inability to maintain robust security, these devices are at an increased risk of being infected with malware. Compromised IoT devices enhance the capabilities of cybercriminals and threat actors to perform attacks and distribute malware. To prevent this, proper detection mechanisms are needed. However, traditional malware detection approaches are often not feasible in an IoT environment. This study compiles current detection methods used to detect IoT-malware in smart homes. Existing malware detection solutions will be included to demonstrate the methods, usage, and effectiveness in a specific context. This was achieved by performing a qualitative systematic literature review of articles from two databases with high technological relevance. In total, 12 articles were utilized for the study. The data from these articles were subject to a thematic analysis, yielding two main themes: method and placement. The “method” theme consists of four categories: anomaly detection, signature detection, statistical analysis, and combination of methods. The “placement” theme consists of two categories: device-based and network-based. The study results indicate that both standalone methods and a combination of multiple methods are being employed for the detection of IoT-malware in smart home environments. Based on the results, anomaly-based detection emerges as the most used method for detecting IoT-malware, both on the device and within the network.
67

SISTEMA DE DETECÇÃO DE INTRUSOS EM ATAQUES ORIUNDOS DE BOTNETS UTILIZANDO MÉTODO DE DETECÇÃO HÍBRIDO / Intrusion Detection System in Attacks Coming from Botnets Using Method Hybrid Detection

CUNHA NETO, Raimundo Pereira da 28 July 2011
The expansion of defense mechanisms to combat cyber-attacks led to the evolution of malware, which has become more structured to break these new safety barriers. Among the numerous kinds of malware, the Botnet has become the biggest cyber threat due to its ability of controlling, the potentiality of making distributed attacks and because of the existing structure of control. Intrusion detection and prevention has had an increasingly important role in computer network security. In an intrusion detection system, information about the current situation and knowledge about the attacks contribute to the effectiveness of the security process against this new cyber threat. The proposed solution presents an Intrusion Detection System (IDS) model which aims to expand Botnet detectors through an active objects system by proposing a technology with collection by sensors, a preprocessing filter and detection based on signature and anomaly, supported by the artificial intelligence methods Particle Swarm Optimization (PSO) and Artificial Neural Networks.
