Hybrid Botnet Detection

Huang, Ming-Zong

13 August 2010

There are three mail types of Botnet: IRC-based Botnet, P2P-based Botnet,Web-based Botnet and they have become major threat to the Internet recently. Web-based Botnet is popular and more harmful to users. The architecture of Web-based Botnet is simpler than P2P-based Botnet, and its malicious traffic can be hidden in a large number of normal traffic. In this study, we built an experimental environment of using malicious bot programs to detect suspicious traffic and malware features. Except network attacking and identity theft, Botnet could also be used by hackers to extend the life time of rouge websites by combining with the technology of Fast Flux Domain. Botnet and the technology of Fast Flux Domain closely link to each other in the real world. Both of Web-based Botnet and Fast Flux Domain technology use HTTP protocol to communicate, and Botnet provides a large number of infected hosts to be Fast Flux Agents which act like a relay station to block the direct link of malicious websites from clients, but completes the mutual connection. In the research, not only the analysis and detection of Web-based Botnet are focused, but also the impact of Fast Flux Domain technology is included. We expect to clear the architecture of Botnet and the technology of Fast Flux Domain, and make the detection mechanism more precisely.

Botnet

Web-based Botnet

Fast Flux Domain

IRC-Based Botnet Detection on IRC Server

Chen, Yi-ling

06 August 2009

Recently, Botnet has become one of the most severe threats on the Internet because it is hard to be prevented and cause huge losses. Prior intrusion detection system researches focused on traditional threats like virus, worm or Trojan. However, traditional intrusion detection system cannot detect Botnet activities before Botmasters launch final attack. In Botnet attack, in order to control a large amount of compromised hosts (bots), Botmasters use public internet service as communication and control channel (C&C Channel). IRC (Internet Relay Chat) is the most popular communication service which Botmasters use to send command to their bots. Once bots receive commands from Botmasters, they will do the corresponding abnormal action. It seems that Botnet activities could be detected by observing abnormal IRC traffic. In this paper, we will focus on IRC Server and, we will use four unique characteristics of abnormal channel, (1) the prefix of Botmaster communication in C&C channel, (2) the response messages of bots, (3) average response time from bots, and (4) average length of message, to detect abnormal Channel in IRC Server. We develop an on-line IRC IDS to detect abnormal IRC channel. In the proposed system, abnormal IRC channel can be detect and we can (1) identify the infected hosts (bots) and Botmaster in C&C Channel, (2) trackback the IP of Bots and Botmaster, (3) identify Bots before Botmasters launch final attack, and (4) find the pattern of abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channel and find out bots and Botmaster.

IRC Sniffer

IRC-Based Botnet

Botnet

Ddos Defense Against Botnets in the Mobile Cloud

Jensen, David

05 1900

Mobile phone advancements and ubiquitous internet connectivity are resulting in ever expanding possibilities in the application of smart phones. Users of mobile phones are now capable of hosting server applications from their personal devices. Whether providing services individually or in an ad hoc network setting the devices are currently not configured for defending against distributed denial of service (DDoS) attacks. These attacks, often launched from a botnet, have existed in the space of personal computing for decades but recently have begun showing up on mobile devices. Research is done first into the required steps to develop a potential botnet on the Android platform. This includes testing for the amount of malicious traffic an Android phone would be capable of generating for a DDoS attack. On the other end of the spectrum is the need of mobile devices running networked applications to develop security against DDoS attacks. For this mobile, phones are setup, with web servers running Apache to simulate users running internet connected applications for either local ad hoc networks or serving to the internet. Testing is done for the viability of using commonly available modules developed for Apache and intended for servers as well as finding baseline capabilities of mobiles to handle higher traffic volumes. Given the unique challenge of the limited resources a mobile phone can dedicate to Apache when compared to a dedicated hosting server a new method was needed. A proposed defense algorithm is developed for mitigating DDoS attacks against the mobile server that takes into account the limited resources available on the mobile device. The algorithm is tested against TCP socket flooding for effectiveness and shown to perform better than the common Apache module installations on a mobile device.

Denial of service

Botnet

mobile

Robustesse et identification des applications communicantes / Robustness and Identification of Communicating Applications

François, Jérôme

07 December 2009

La popularité des réseaux informatiques et d'Internet s'accompagne d'un essor des applications communicantes et de la multiplication des protocoles dont le fonctionnement est plus ou moins compliqué, ce qui implique également des performances différentes en termes de robustesse. Un premier objectif de cette thèse est d'approfondir plus en détails la robustesse de protocoles s'illustrant par d'extraordinaires performances empiriques tels que les botnets. De plus, l'essor et la diversité des protocoles peut s'accompagnee d'un manque de spécification que la rétro-ingénierie tente de retrouver. Une première phase essentielle est de découvrir les types de messages. La technique mise en oeuvre dans cette étude s'appuie sur les machines à vecteurs de supports tout en ayant au préalable spécifié de nouvelles représentations des messages dont la complexité de calcul est très réduite par rapport aux autres techniques existantes. Enfin, il existe généralement un grand nombre d'applications distinctes pour un même protocole et identifier précisément le logiciel ou le type d'équipement utilisé est un atout essentiel dans plusieurs domaines tels que la supervision ou la sécurité des réseaux. S'appuyant uniquement sur les types de messages, le comportement d'un équipement, c'est-à-dire la manière dont il interagit avec les autres, est une information très avantageuse lorsqu'elle est couplée avec les délais entre les messages. Enfin, la grammaire d'un protocole connu permet de construire les arbres syntaxiques des messages, dont le contenu et la structure sémantiquement riche, avaient peu été étudiés jusqu'à maintenant dans le cadre de l'identification des équipements. / The growth of computer networks like the Internet entailed a huge increase of networked applications and the apparition of multiple, various protocols. Their functioning complexity is very variable implying diverse performances. The first objective of this PhD thesis is to evaluate precisely the robustness of those networked applications, which are known to be very efficient and seem scalable, like for instance, the botnets. Hence, several botnets protocols are imitated. Furthermore, protocol reverse engineering has skyrocketed because many protocols are not always well documented. In this domain, the first necessary step is to discover the message types and this work introduces a novel technique based on support vector machines and new simple message representations in order to reduce the complexity. Finally, there are many distinct applications for a single protocol which can be identified thanks to device fingerprinting techniques whose the domain of application is related to security and network management. The first technique proposed in this PhD thesis can work with the previous contribution about reverse engineering because the devices could be identified only based on the types of messages exchanged which are aggregated into a temporal behavioral tree including message delays. Besides, the syntactic tree structure of a message is also a good discriminative feature to distinguish the different devices but was very little considered until now.

Botnet

Robustesse

Fingerprinting

Problematika sítí typu botnet

Klubal, Martin

January 2013

No description available.

zombie; DDoS; botnet

Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção. / Analysis of botnet using simulation platform with virtual machines for detection and containment.

Muzzi, Fernando Augusto Garcia

09 December 2010

As redes de computadores e a internet são ambientes cada vez mais complexos e surgem a cada dia novos serviços, usuários e infraestruturas. A segurança e a privacidade da Informação tornam-se fundamentais para a evolução desses ambientes. O anonimato, a fragilidade da segurança e outros fatores muitas vezes estimulam indivíduos mal-intencionados a criarem ferramentas e técnicas de ataque a sistemas computacionais, resultando em prejuízos de diversas naturezas. A internet cresceu muito nos últimos anos e junto com esse crescimento surgiram novas ameaças, por exemplo, as botnets. Botnet é uma rede formada por bots (robôs), que tornam o computador da vítima infectado e monitorado por agente externo. O grande problema das botnets é que podem ser usadas por grupos mal-intencionados para promover ataques, com efeito prejudicial às pessoas, entidades, organizações e nações. Todavia, apesar de uma grande quantidade de estudos realizados pela comunidade de segurança nos últimos anos, há necessidade de mais estudos sobre o comportamento, propagação e contenção, até pelo fato de haver uma grande variação de métodos de infecção e propagação nesse tipo de ataque. Nesse contexto, esta tese analisa o comportamento da botnet Rxbot e implementa serviços de segurança, como IDS, regras de filtro de pacotes, para analisar e conter a propagação das botnets. É utilizada para análise uma plataforma de simulação, utilizando máquinas virtuais que provêem um ambiente com sistema operacional Windows. As principais contribuições são a detecção e contenção da propagação da botnet utilizando diversos serviços de segurança e análise da propagação dos pacotes do tipo SMTP, por meio da utilização da plataforma de simulação. / Computer networks and the Internet are increasingly complex and new services, users and infrastructure appear every day. The security and privacy of information become critical for the evolution of these infrastructures and services. The anonymity, the fragility of security, and other factors often encourage the malintentioned persons to create tools and techniques to attack computer systems, resulting in losses of various kinds. The Internet has grown in recent years and along with this growth come new threats, such as botnets. Botnet is a network of bots (robots) that make the victim\'s computer become infected and monitored or controled by an external agent. The big problem of botnets is that they can be used by groups to promote malicious attacks, with detrimental effect to people, groups, organizations and nations. However, despite a large amount of studies conducted by the security community in recent years, there is need for further studies on the behavior, spread and containment, due to variation of methods of infection and spread in such attacks. In this context, this thesis analyzes the behavior of botnet Rxbot and implements security services such as IDS, packet filter rules, to analyze and contain the spread of botnets. A simulation platform with virtual machine, providing Windows operating system environment is used. The main contributions are the detection and containment of the spread of botnet using various security services and propagation analysis packages like SMTP by using the simulation platform.

Botnet

Botnet

Máquina virtual

Simulação

Simulation

Virtual machine

Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção. / Analysis of botnet using simulation platform with virtual machines for detection and containment.

Fernando Augusto Garcia Muzzi

09 December 2010

As redes de computadores e a internet são ambientes cada vez mais complexos e surgem a cada dia novos serviços, usuários e infraestruturas. A segurança e a privacidade da Informação tornam-se fundamentais para a evolução desses ambientes. O anonimato, a fragilidade da segurança e outros fatores muitas vezes estimulam indivíduos mal-intencionados a criarem ferramentas e técnicas de ataque a sistemas computacionais, resultando em prejuízos de diversas naturezas. A internet cresceu muito nos últimos anos e junto com esse crescimento surgiram novas ameaças, por exemplo, as botnets. Botnet é uma rede formada por bots (robôs), que tornam o computador da vítima infectado e monitorado por agente externo. O grande problema das botnets é que podem ser usadas por grupos mal-intencionados para promover ataques, com efeito prejudicial às pessoas, entidades, organizações e nações. Todavia, apesar de uma grande quantidade de estudos realizados pela comunidade de segurança nos últimos anos, há necessidade de mais estudos sobre o comportamento, propagação e contenção, até pelo fato de haver uma grande variação de métodos de infecção e propagação nesse tipo de ataque. Nesse contexto, esta tese analisa o comportamento da botnet Rxbot e implementa serviços de segurança, como IDS, regras de filtro de pacotes, para analisar e conter a propagação das botnets. É utilizada para análise uma plataforma de simulação, utilizando máquinas virtuais que provêem um ambiente com sistema operacional Windows. As principais contribuições são a detecção e contenção da propagação da botnet utilizando diversos serviços de segurança e análise da propagação dos pacotes do tipo SMTP, por meio da utilização da plataforma de simulação. / Computer networks and the Internet are increasingly complex and new services, users and infrastructure appear every day. The security and privacy of information become critical for the evolution of these infrastructures and services. The anonymity, the fragility of security, and other factors often encourage the malintentioned persons to create tools and techniques to attack computer systems, resulting in losses of various kinds. The Internet has grown in recent years and along with this growth come new threats, such as botnets. Botnet is a network of bots (robots) that make the victim\'s computer become infected and monitored or controled by an external agent. The big problem of botnets is that they can be used by groups to promote malicious attacks, with detrimental effect to people, groups, organizations and nations. However, despite a large amount of studies conducted by the security community in recent years, there is need for further studies on the behavior, spread and containment, due to variation of methods of infection and spread in such attacks. In this context, this thesis analyzes the behavior of botnet Rxbot and implements security services such as IDS, packet filter rules, to analyze and contain the spread of botnets. A simulation platform with virtual machine, providing Windows operating system environment is used. The main contributions are the detection and containment of the spread of botnet using various security services and propagation analysis packages like SMTP by using the simulation platform.

Botnet

Máquina virtual

Simulação

Botnet

Simulation

Virtual machine

Botnet Detection Based on Ant Colony

Li, Yu-Yun

14 September 2012

Botnet is the biggest threaten now. Botmasters inject bot code into normal computers so that computers become bots under control by the botmasters. Every bot connect to the botnet coordinator called Command and control server (C&C), the C&C delivers commands to bots, supervises the states of bots and keep bots alive. When C&C delivers commands from the botmasters to bots, bots have to do whatever botmasters want, such as DDoS attack, sending spam and steal private information from victims. If we can detect where the C&C is, we can prevent people from network attacking. Ant Colony Optimization (ACO) studies artificial systems that take inspiration from the behavior of real ant colonies and which are used to solve discrete optimization problems. When ants walk on the path, it will leave the pheromone on the path; more pheromone will attract more ants to walk. Quick convergence and heuristic are two main characteristics of ant algorithm, are adopted in the proposed approach on finding the C&C node. According to the features of connection between C&C and bots, ants select nodes by these features in order to detect the location of C&C and take down the botnet.

Ant algorithm

IP detection

Botnet

Early detection of spam-related activity

Hao, Shuang

12 January 2015

Spam, the distribution of unsolicited bulk email, is a big security threat on the Internet. Recent studies show approximately 70-90% of the worldwide email traffic—about 70 billion messages a day—is spam. Spam consumes resources on the network and at mail servers, and it is also used to launch other attacks on users, such as distributing malware or phishing. Spammers have increased their virulence and resilience by sending spam from large collections of compromised machines (“botnets”). Spammers also make heavy use of URLs and domains to direct victims to point-of-sale Web sites, and miscreants register large number of domains to evade blacklisting efforts. To mitigate the threat of spam, users and network administrators need proactive techniques to distinguish spammers from legitimate senders and to take down online spam-advertised sites. In this dissertation, we focus on characterizing spam-related activities and developing systems to detect them early. Our work builds on the observation that spammers need to acquire attack agility to be profitable, which presents differences in how spammers and legitimate users interact with Internet services and exposes detectable during early period of attack. We examine several important components across the spam life cycle, including spam dissemination that aims to reach users' inboxes, the hosting process during which spammers set DNS servers and Web servers, and the naming process to acquire domain names via registration services. We first develop a new spam-detection system based on network-level features of spamming bots. These lightweight features allow the system to scale better and to be more robust. Next, we analyze DNS resource records and lookups from top-level domain servers during the initial stage after domain registrations, which provides a global view across the Internet to characterize spam hosting infrastructure. We further examine the domain registration process and present the unique registration behavior of spammers. Finally, we build an early-warning system to identify spammer domains at time-of-registration rather than later at time-of-use. We have demonstrated that our detection systems are effective by using real-world datasets. Our work has also had practical impact. Some of the network-level features that we identified have since been incorporated into spam filtering products at Yahoo! and McAfee, and our work on detecting spammer domains at time-of-registration has directly influenced new projects at Verisign to investigate domain registrations.

Detection

Measurement

Spam

Botnet

Domain

Impact of mobile botnet on long term evolution networks: a distributed denial of service attack perspective

Kitana, Asem

31 March 2021

In recent years, the advent of Long Term Evolution (LTE) technology as a prominent component of 4G networks and future 5G networks, has paved the way for fast and new mobile web access and application services. With these advantages come some security concerns in terms of attacks that can be launched on such networks. This thesis focuses on the impact of the mobile botnet on LTE networks by implementing a mobile botnet architecture that initiates a Distributed Denial of Service (DDoS) attack. First, in the quest of understanding the mobile botnet behavior, a correlation between the mobile botnet impact and different mobile device mobility models, is established, leading to the study of the impact of the random patterns versus the uniform patterns of movements on the mobile botnet’s behavior under a DDoS attack. Second, the impact of two base transceiver station selection mechanisms on a mobile botnet behavior launching a DDoS attack on a LTE network is studied, the goal being to derive the effect of the attack severity of the mobile botnet. Third, an epidemic SMS-based cellular botnet that uses an epidemic command and control mechanism to initiate a short message services (SMS) phishing attack, is proposed and its threat impact is studied and simulated using three random graphs models. The simulation results obtained reveal that (1) in terms of users’ mobility patterns, the impact of the mobile botnet behavior under a DDoS attack on a victim web server is more pronounced when an asymmetric mobility model is considered compared to a symmetric mobility model; (2) in terms of base transceiver station selection mechanisms, the Distance-Based Model mechanism yields a higher threat impact on the victim server compared to the Signal Power Based Model mechanism; and (3) under the Erdos-and-Reyni Topology, the proposed epidemic SMS-based cellular botnet is shown to be resistant and resilient to random and selective cellular device failures. / Graduate

Mobile Botnet

LTE

Long Term Evolution Network

Distributed Denial of Service Attack

DDoS

Cellular Botnet

Botnet

Cybersecurity

Cyber Security

Cyber Attacks