Botnets

SoS Newsletter- Advanced Book Block


Botnets, a common security threat, are used for a variety of attacks: spam, distributed denial of service (DDoS), adware and spyware distribution, scareware, and brute forcing of services. Their reach, and the difficulty of detecting and neutralizing them, are compounded in the cloud and on mobile networks. Research presented in the first half of 2014 shows several approaches to meeting the challenge botnets pose.

  • Lu, Zhuo; Wang, Wenye; Wang, Cliff, "How Can Botnets Cause Storms? Understanding the Evolution And Impact Of Mobile Botnets," INFOCOM, 2014 Proceedings IEEE, vol., no., pp.1501,1509, April 27, 2014-May 2, 2014. A botnet in mobile networks is a collection of nodes compromised by mobile malware, which are able to perform coordinated attacks. Different from Internet botnets, mobile botnets do not need to propagate using centralized infrastructures, but can keep compromising vulnerable nodes in close proximity and evolving organically via data forwarding. Such a distributed mechanism relies heavily on node mobility as well as wireless links, and therefore breaks down the underlying premise in existing epidemic modeling for Internet botnets. In this paper, we adopt a stochastic approach to study the evolution and impact of mobile botnets. We find that node mobility can be a trigger to botnet propagation storms: the average size (i.e., number of compromised nodes) of a botnet increases quadratically over time if the mobility range that each node can reach exceeds a threshold; otherwise, the botnet can only contaminate a limited number of nodes with average size always bounded above. This also reveals that mobile botnets can propagate at the fastest rate of quadratic growth in size, which is substantially slower than the exponential growth of Internet botnets. To measure the denial-of-service impact of a mobile botnet, we define a new metric, called last chipper time, which is the last time that service requests, even partially, can still be processed on time as the botnet keeps propagating and launching attacks. The last chipper time is identified to decrease at most on the order of 1/B, where B is the network bandwidth. This result reveals that although increasing network bandwidth can help with mobile services, at the same time it can indeed escalate the risk of services being disrupted by mobile botnets.
    Keywords: Internet; Malware; Mobile computing; Mobile nodes; Peer-to-peer computing (ID#:14-2055)
  • Arora, D.; Verigin, A; Godkin, T.; Neville, S.W., "Statistical Assessment of Sybil-Placement Strategies within DHT-Structured Peer-to-Peer Botnets," Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on , vol., no., pp.821,828, 13-16 May 2014. Botnets are a well recognized global cyber-security threat as they enable attack communities to command large collections of compromised computers (bots) on-demand. Peer-to-peer (P2P) distributed hash tables (DHT) have become particularly attractive botnet command and control (C&C) solutions due to the high level of resiliency gained via the diffused random graph overlays they produce. The injection of Sybils, computers pretending to be valid bots, remains a key defensive strategy against DHT-structured P2P botnets. This research uses packet level network simulations to explore the relative merits of random, informed, and partially informed Sybil placement strategies. It is shown that random placements perform nearly as effectively as the tested more informed strategies, which require higher levels of inter-defender co-ordination. Moreover, it is shown that aspects of the DHT-structured P2P botnets behave as statistically nonergodic processes, when viewed from the perspective of stochastic processes. This suggests that although optimal Sybil placement strategies appear to exist, they would need careful tuning to each specific P2P botnet instance.
    Keywords: command and control systems; computer network security; invasive software; peer-to-peer computing; statistical analysis; stochastic processes; C&C solutions; DHT-structured P2P botnets; DHT-structured peer-to-peer botnets; Sybil placement strategy statistical assessment; botnet command and control solution; compromised computer on-demand collections; cyber security threat; diffused random graph; interdefender coordination; packet level network simulation; peer-to-peer distributed hash tables; stochastic process; Computational modeling; Computers; Internet; Network topology; Peer-to-peer computing; Routing; Topology (ID#:14-2056)
  • Derhab, A; Bouras, A; Bin Muhaya, F.; Khan, M.K.; Yang Xiang, "Spam Trapping System: Novel security framework to fight against spam botnets," Telecommunications (ICT), 2014 21st International Conference on , vol., no., pp.467,471, 4-7 May 2014. In this paper, we draw inspiration from two analogies, the warfare kill zone and the airport check-in system, to tackle the issue of spam botnet detection. We add a new line of defense to the defense-in-depth model called the third line. This line is represented by a security framework, named the Spam Trapping System (STS), which adopts the prevent-then-detect approach to fight against spam botnets. The framework exploits the application sandboxing principle to prevent the spam from going out of the host and to detect the corresponding malware bot. We show that the proposed framework can ensure better security against malware bots. In addition, an analytical study demonstrates that the framework offers optimal performance in terms of detection time and computational cost in comparison to intrusion detection systems based on static and dynamic analysis.
    Keywords: invasive software; program diagnostics; unsolicited e-mail; STS; airport check-in system; computational cost; defense-in-depth model; dynamic analysis; intrusion detection system; malware bot; prevent-then-detect approach; sandboxing principle; security framework; spam botnet detection; spam botnets; spam trapping system; static analysis; warfare kill zone; Airports; Charge carrier processes; Cryptography; Malware; Unsolicited electronic mail (ID#:14-2057)
  • Rrushi, Julian L., "A Steganographic Approach to Localizing Botmasters," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.852,859, 13-16 May 2014. Law enforcement employs an investigative approach based on marked money bills to track illegal drug dealers. In this paper we discuss research that aims at providing law enforcement with the cyber counterpart of that approach in order to track perpetrators that operate botnets. We have devised a novel steganographic approach that generates a watermark hidden within a honey token, i.e., a decoy Word document. The covert bits that comprise the watermark are carried via secret interpretation of object properties in the honey token. The encoding and decoding of object properties into covert bits follow a scheme based on bijective functions generated via a chaotic logistic map. The watermark is retrievable via a secret cryptographic key, which is generated and held by law enforcement. The honey token is leaked to a botmaster via a honey net. In the paper, we elaborate on possible means by which law enforcement can track the leaked honey token to the IP address of a botmaster's machine.
    Keywords: botnets; computer security; steganography (ID#:14-2058)
  • Stevanovic, M.; Pedersen, J.M., "An efficient flow-based botnet detection using supervised machine learning," Computing, Networking and Communications (ICNC), 2014 International Conference on , vol., no., pp.797,801, 3-6 Feb. 2014. Botnet detection represents one of the most crucial prerequisites of successful botnet neutralization. This paper explores how accurate and timely detection can be achieved by using supervised machine learning as the tool for inferring malicious botnet traffic. In order to do so, the paper introduces a novel flow-based detection system that relies on supervised machine learning for identifying botnet network traffic. For use in the system we consider eight highly regarded machine learning algorithms, indicating the best performing one. Furthermore, the paper evaluates how much traffic needs to be observed per flow in order to capture the patterns of malicious traffic. The proposed system has been tested through a series of experiments using traffic traces originating from two well-known P2P botnets and diverse non-malicious applications. The results of the experiments indicate that the system is able to detect botnet traffic accurately and in a timely fashion using purely flow-based traffic analysis and supervised machine learning. Additionally, the results show that in order to achieve accurate detection, traffic flows need to be monitored for only a limited time period and number of packets per flow. This indicates a strong potential for using the proposed approach within a future on-line detection framework.
    Keywords: computer network security; invasive software; learning (artificial intelligence); peer-to-peer computing; telecommunication traffic; P2P botnets; botnet neutralization; flow-based botnet detection; flow-based traffic analysis; malicious botnet network traffic identification; nonmalicious applications; packet flow; supervised machine learning; Accuracy; Bayes methods; Feature extraction; Protocols; Support vector machines; Training; Vegetation; Botnet; Botnet detection; Machine learning; Traffic analysis; Traffic classification (ID#:14-2059)
  • Dainotti, A; King, A; Claffy, K.; Papale, F.; Pescape, A, "Analysis of a "/0" Stealth Scan From a Botnet," Networking, IEEE/ACM Transactions on, vol. PP, no.99, pp.1, 1, January 2014. Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers. Its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This paper offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
    Keywords: Animation; Geology; IP networks; Internet; Ports (Computers);Servers; Telescopes; Botnet; Internet background radiation; Internet telephony; Network Telescope; VoIP; communication system security; darknet; network probing; scanning (ID#:14-2060)
  • Alomari, E.; Manickam, S.; Gupta, B.B.; Singh, P.; Anbar, M., "Design, Deployment And Use Of HTTP-Based Botnet (HBB) Testbed," Advanced Communication Technology (ICACT), 2014 16th International Conference on, vol., no., pp.1265,1269, 16-19 Feb. 2014. Botnets are among the most widespread and serious forms of malware and occur frequently in today's cyber attacks. A botnet is a group of Internet-connected computer programs communicating with other similar programs in order to perform various attacks. The HTTP-based botnet is the most dangerous botnet among all the different botnets available today. In botnet detection, behaviour-based approaches in particular suffer from the unavailability of benchmark datasets, which leads to a lack of precise evaluation, comparison, and deployment of botnet detection systems. Most datasets in the botnet field come from local environments, cannot be used at large scale due to privacy problems, do not reflect common trends, and also lack some statistical features. To the best of our knowledge, there is no benchmark dataset available that is infected by an HTTP-based botnet (HBB) performing Distributed Denial of Service (DDoS) attacks against Web servers using the HTTP-GET flooding method. In addition, no Web access log infected by a botnet is available to researchers. Therefore, in this paper, a complete test-bed is illustrated in order to implement a real-time HTTP-based botnet for performing a variety of DDoS attacks against Web servers using the HTTP-GET flooding method. In addition to this, Web access logs with HTTP bot traces are also generated. These real-time datasets and Web access logs can be useful for studying the behaviour of HTTP-based botnets as well as for evaluating the different solutions proposed by various researchers to detect HTTP-based botnets.
    Keywords: invasive software; DDoS attacks; HBB testbed; HTTP-GET flooding method; Internet-connected computer programs; Web access log; Web servers; behavioural-based approaches; botnet detection systems; cyber attacks; distributed denial of service attacks; http bot traces; malware; real time HTTP-based botnet; Computer crime; Floods; Intrusion detection; Web servers; Botnet; Cyber attacks; DDoS attacks; HTTP flooding; HTTP-based botnet (ID#:14-2061)
  • Haddadi, Fariba; Morgan, Jillian; Filho, Eduardo Gomes; Zincir-Heywood, A. Nur, "Botnet Behaviour Analysis Using IP Flows: With HTTP Filters Using Classifiers," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.7,12, 13-16 May 2014. Botnets are one of the most destructive threats against cyber security. Recently, the HTTP protocol has frequently been utilized by botnets as the Command and Communication (C&C) protocol. In this work, we aim to detect HTTP based botnet activity based on botnet behaviour analysis via a machine learning approach. To achieve this, we employ flow-based network traffic utilizing NetFlow (via softflowd). The proposed botnet analysis system is implemented by employing two different machine learning algorithms, C4.5 and Naive Bayes. Our results show that the C4.5-based classifier obtained very promising performance in detecting HTTP based botnet activity.
    Keywords: botnet detection; machine learning based analysis; traffic IP-flow analysis (ID#:14-2062)
  • Badis, Hammi; Doyen, Guillaume; Khatoun, Rida, "Understanding botclouds from a system perspective: A principal component analysis," Network Operations and Management Symposium (NOMS), 2014 IEEE , vol., no., pp.1,9, 5-9 May 2014. Cloud computing is gaining ground and becoming one of the fast growing segments of the IT industry. However, while its numerous advantages are mainly used to support legitimate activity, it is now exploited for a use it was not meant for: malicious users leverage its power and fast provisioning to turn it into an attack support. Botnets supporting DDoS attacks are among the greatest beneficiaries of this malicious use since they can be set up on demand and at very large scale without requiring a long dissemination phase or expensive deployment costs. For cloud service providers, preventing their infrastructure from being turned into an Attack as a Service delivery model is very challenging since it requires detecting threats at the source, in a highly dynamic and heterogeneous environment. In this paper, we present the result of an experiment campaign we performed in order to understand the operational behavior of a botcloud used for a DDoS attack. The originality of our work resides in the consideration of system metrics that, while never considered for state-of-the-art botnet detection, can be leveraged in the context of a cloud to enable a source based detection. Our study considers both attacks based on TCP-flood and UDP-storm and for each of them, we provide statistical results based on a principal component analysis that highlight the recognizable behavior of a botcloud as compared to other legitimate workloads.
    Keywords: Cloud computing; Computer crime; Context; Correlation; Measurement; Principal component analysis; Storms (ID#:14-2063)
  • Hammi, Badis; Khatoun, Rida; Doyen, Guillaume, "A Factorial Space for a System-Based Detection of Botcloud Activity," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on , vol., no., pp.1,5, March 30, 2014-April 2, 2014. Today, beyond a legitimate usage, the numerous advantages of cloud computing are exploited by attackers, and Botnets supporting DDoS attacks are among the greatest beneficiaries of this malicious use. Such a phenomenon is a major issue since it strongly increases the power of distributed massive attacks while involving the responsibility of cloud service providers that do not own appropriate solutions. In this paper, we present an original approach that enables a source-based detection of UDP-flood DDoS attacks based on a distributed system behavior analysis. Based on a principal component analysis, our contribution consists in: (1) defining the involvement of system metrics in a botcloud's behavior, (2) showing the invariability of the factorial space that defines a botcloud activity and (3) among several legitimate activities, using this factorial space to enable a botcloud detection.
    Keywords: (not provided) (ID#:14-2064)
  • Sayed, Bassam; Traore, Issa, "Protection against Web 2.0 Client-Side Web Attacks Using Information Flow Control," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.261,268, 13-16 May 2014. The dynamic nature of the Web 2.0 and the heavy obfuscation of web-based attacks complicate the job of traditional protection systems such as Firewalls, Anti-virus solutions, and IDS systems. It has been witnessed that using ready-made toolkits, cyber-criminals can launch sophisticated attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and botnets, to name a few. In recent years, cyber-criminals have targeted legitimate websites and social networks to inject malicious scripts that compromise the security of the visitors of such websites. This involves performing actions using the victim's browser without his/her permission. This poses the need to develop effective mechanisms for protecting against Web 2.0 attacks that mainly target the end-user. In this paper, we address the above challenges from an information flow control perspective by developing a framework that restricts the flow of information on the client-side to legitimate channels. The proposed model tracks sensitive information flow and prevents information leakage from happening. The proposed model, when applied to the context of client-side web-based attacks, is expected to provide a more secure browsing environment for the end-user.
    Keywords: AJAX; Client-side web attacks; Information Flow Control; Web 2.0 (ID#:14-2065)
  • Wei Peng; Feng Li; Xukai Zou; Jie Wu, "Behavioral Malware Detection in Delay Tolerant Networks," Parallel and Distributed Systems, IEEE Transactions on , vol.25, no.1, pp.53,63, Jan. 2014. The delay-tolerant-network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct. Proximity malware is a class of malware that exploits the opportunistic contacts and distributed nature of DTNs for propagation. Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware. In this paper, we first propose a general behavioral characterization of proximity malware which is based on a naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spam and detecting botnets. We identify two unique challenges for extending Bayesian malware detection to DTNs ("insufficient evidence versus evidence collection risk" and "filtering false evidence sequentially and distributedly"), and propose a simple yet effective method, look ahead, to address the challenges. Furthermore, we propose two extensions to look ahead, dogmatic filtering and adaptive look ahead, to address the challenge of "malicious nodes sharing false evidence." Real mobile network traces are used to verify the effectiveness of the proposed methods.
    Keywords: Bayes methods; delay tolerant networks; filtering theory; invasive software; mobile radio; Bayesian malware detection; DTN model; adaptive look ahead; behavioral characterization; delay-tolerant-network model; dogmatic filtering; modern mobile consumer electronics; naive Bayesian model; obfuscated malware; polymorphic malware; proximity malware; short-range communication technologies; Aging; Bayesian methods; Bluetooth; Equations; Malware; Mathematical model; Silicon; Bayesian filtering; Delay-tolerant networks; behavioral malware characterization; proximity malware (ID#:14-2067)
  • Carter, K.; Idika, N.; Streilein, W., "Probabilistic Threat Propagation for Network Security," Information Forensics and Security, IEEE Transactions on, vol. PP, no.99, pp.1,1, July 2014. Techniques for network security analysis have historically focused on the actions of the network hosts. Outside of forensic analysis, little has been done to detect or predict malicious or infected nodes strictly based on their association with other known malicious nodes. This methodology is highly prevalent in the graph analytics world, however, and is referred to as community detection. In this paper, we present a method for detecting malicious and infected nodes on both monitored networks and the external Internet. We leverage prior community detection and graphical modeling work by propagating threat probabilities across network nodes, given an initial set of known malicious nodes. We enhance prior work by employing constraints that remove the adverse effect of cyclic propagation that is a byproduct of current methods. We demonstrate the effectiveness of Probabilistic Threat Propagation on the tasks of detecting botnets and malicious web destinations.
    Keywords: Communication networks; Communities; Peer-to-peer computing; Probabilistic logic; Probability; Security; Upper bound (ID#:14-2068)
  • Janbeglou, Maziar; Naderi, Habib; Brownlee, Nevil, "Effectiveness of DNS-Based Security Approaches in Large-Scale Networks," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.524,529, 13-16 May 2014. The Domain Name System (DNS) is widely seen as a vital protocol of the modern Internet. For example, popular services like load balancers and Content Delivery Networks heavily rely on DNS. Because of its important role, DNS is also a desirable target for malicious activities such as spamming, phishing, and botnets. To protect networks against these attacks, a number of DNS-based security approaches have been proposed. The key insight of our study is to measure the effectiveness of security approaches that rely on DNS in large-scale networks. For this purpose, we answer the following questions, How often is DNS used? Are most of the Internet flows established after contacting DNS? In this study, we collected data from the University of Auckland campus network with more than 33,000 Internet users and processed it to find out how DNS is being used. Moreover, we studied the flows that were established with and without contacting DNS. Our results show that less than 5 percent of the observed flows use DNS. Therefore, we argue that those security approaches that solely depend on DNS are not sufficient to protect large-scale networks.
    Keywords: DNS; large-scale network; network measurement; passive monitoring; statistical analysis (ID#:14-2069)
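Three of the abstracts above (Stevanovic and Pedersen, ID#:14-2059; Haddadi et al., ID#:14-2062; Wei Peng et al., ID#:14-2067) rest on the same idea: summarise each flow with a handful of statistics and let a supervised classifier, Naive Bayes among them, separate bot traffic from everything else. The example below is added by the editor to make that concrete; it is not code from any of those papers. It writes out a Gaussian naive Bayes classifier rather than calling a library, extracts features from only the first k packets of a flow (the "how much of a flow must be observed" question in ID#:14-2059), and trains on constructed traffic that mimics periodic C&C check-ins versus bursty bulk transfers. The feature set, the traffic generator and the packet-count cut-off are this example's own assumptions, not the papers' published ones.

```python
"""Flow-based botnet classification with a hand-written Gaussian naive Bayes.

Added example (not from the cited papers). A flow is modelled as an ordered
list of (timestamp_s, payload_bytes) packets on one 5-tuple; the traffic is
constructed here, it is not a real trace.
"""
import math
import random
from statistics import mean, pvariance


def flow_features(packets, max_packets=None):
    """Features from the first max_packets packets of a flow (all if None).

    Truncating the flow is how we model 'decide after seeing k packets'."""
    pkts = packets if max_packets is None else packets[:max_packets]
    sizes = [s for _, s in pkts]
    times = [t for t, _ in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return [
        float(sum(sizes)),            # bytes seen so far
        mean(sizes),                  # mean packet size
        math.sqrt(pvariance(sizes)),  # packet-size dispersion (beacons are uniform)
        mean(gaps),                   # mean inter-packet gap (beacons are regular)
    ]


def train_gnb(rows, labels):
    """Per-class feature means/variances plus class priors."""
    model = {}
    for cls in set(labels):
        cls_rows = [r for r, y in zip(rows, labels) if y == cls]
        cols = list(zip(*cls_rows))
        model[cls] = {
            "prior": len(cls_rows) / len(labels),
            "mu": [mean(c) for c in cols],
            "var": [pvariance(c) for c in cols],
        }
    # variance smoothing: a feature that is constant in training must not
    # produce a zero variance (and a division by zero) at prediction time
    eps = 1e-9 * max(v for m in model.values() for v in m["var"]) or 1e-12
    for m in model.values():
        m["var"] = [v + eps for v in m["var"]]
    return model


def predict(model, features):
    """argmax over classes of log prior + summed Gaussian log-likelihoods."""
    best, best_ll = None, -math.inf
    for cls, m in model.items():
        ll = math.log(m["prior"])
        for x, mu, var in zip(features, m["mu"], m["var"]):
            ll += -0.5 * math.log(2.0 * math.pi * var) - (x - mu) ** 2 / (2.0 * var)
        if ll > best_ll:
            best, best_ll = cls, ll
    return best


def make_flow(rng, beacon):
    """Constructed flow. beacon=True: small, evenly spaced C&C check-ins;
    beacon=False: a bulk transfer with varied sizes and tight spacing."""
    n = rng.randint(6, 10) if beacon else rng.randint(20, 40)
    t, packets = 0.0, []
    for _ in range(n):
        if beacon:
            size, gap = int(rng.gauss(120, 8)), rng.gauss(0.5, 0.03)
        else:
            size = int(min(1460, max(60, rng.gauss(900, 350))))
            gap = abs(rng.gauss(0.02, 0.01))
        t += max(gap, 0.0)
        packets.append((t, size))
    return packets


def build_dataset(seed=7, per_class=40):
    """Labelled constructed flows: 1 = bot beacon, 0 = benign transfer."""
    rng = random.Random(seed)
    flows = [make_flow(rng, True) for _ in range(per_class)]
    flows += [make_flow(rng, False) for _ in range(per_class)]
    return flows, [1] * per_class + [0] * per_class


def accuracy_for(max_packets, seed=7):
    """Hold out half the flows; train and test seeing only max_packets per flow."""
    flows, labels = build_dataset(seed)
    idx = list(range(len(flows)))
    random.Random(seed).shuffle(idx)
    half = len(idx) // 2
    train, test = idx[:half], idx[half:]
    model = train_gnb([flow_features(flows[i], max_packets) for i in train],
                      [labels[i] for i in train])
    hits = sum(predict(model, flow_features(flows[i], max_packets)) == labels[i]
               for i in test)
    return hits / len(test)


if __name__ == "__main__":
    for k in (2, 5, None):
        print(f"first {k or 'all'} packets: accuracy {accuracy_for(k):.2f}")
```

Because the constructed classes are far apart, even two packets per flow are enough here; on real traces the interesting output of accuracy_for is the curve of accuracy against k, which is what tells you how early an on-line detector can cut a flow off. Packet-count itself is deliberately not a feature: once flows are truncated to k packets it is constant for every sample and carries no information.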
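The Carter, Idika and Streilein abstract (ID#:14-2068) describes propagating threat probability from a seed set of known-malicious nodes across a graph, with a constraint that stops the "cyclic propagation" of plain iterative schemes, where a node's own threat is pushed to a neighbour and comes straight back to inflate it. The editor's example below is not the paper's algorithm; it is a small message-passing version of that idea on a constructed contact graph, with a noisy-OR combination rule and edge weights that are assumptions. The naive variant is included only to show the feedback that the constrained variant removes.

```python
"""Probabilistic threat propagation over a contact graph (added example).

Not the published algorithm of ID#:14-2068; a simplified illustration in
which each node's threat is the noisy-OR of its neighbours' threats, and the
constrained variant keeps a node from hearing its own threat echoed back.
Graph, weights and combination rule are this example's assumptions.
"""
from collections import defaultdict


def build_adjacency(edges):
    """edges: iterable of (u, v, w); undirected. w in (0, 1] is the assumed
    probability that contact with a malicious neighbour compromises a node."""
    adj = defaultdict(dict)
    for u, v, w in edges:
        adj[u][v] = w
        adj[v][u] = w
    return adj


def propagate_naive(edges, seeds, iterations=30):
    """Plain Jacobi iteration: t_i = 1 - prod_j (1 - w_ij * t_j).

    Node i raises neighbour j, and j's raised value is fed back into i on the
    next round, so threat inflates on every cycle, including i -> j -> i."""
    adj = build_adjacency(edges)
    threat = {n: (1.0 if n in seeds else 0.0) for n in adj}
    for _ in range(iterations):
        new = {}
        for i, nbrs in adj.items():
            if i in seeds:
                new[i] = 1.0
                continue
            safe = 1.0
            for j, w in nbrs.items():
                safe *= 1.0 - w * threat[j]
            new[i] = 1.0 - safe
        threat = new
    return threat


def propagate_constrained(edges, seeds, iterations=30):
    """Message passing: what j reports to i excludes what j learned from i,
    m[j->i] = 1 - prod_{k in N(j), k != i} (1 - w_jk * m[k->j]).

    Exact on trees; on graphs with longer cycles it is still an approximation."""
    adj = build_adjacency(edges)
    msg = {(j, i): (1.0 if j in seeds else 0.0) for j in adj for i in adj[j]}
    for _ in range(iterations):
        new = {}
        for (j, i), _old in msg.items():
            if j in seeds:
                new[(j, i)] = 1.0
                continue
            safe = 1.0
            for k, w in adj[j].items():
                if k != i:
                    safe *= 1.0 - w * msg[(k, j)]
            new[(j, i)] = 1.0 - safe
        msg = new
    threat = {}
    for i, nbrs in adj.items():
        if i in seeds:
            threat[i] = 1.0
            continue
        safe = 1.0
        for j, w in nbrs.items():
            safe *= 1.0 - w * msg[(j, i)]
        threat[i] = 1.0 - safe
    return threat


# Constructed contact graph: 'c2' is a known C&C host, the rest are unlabelled.
EXAMPLE_EDGES = [
    ("c2", "a", 0.5), ("a", "b", 0.5), ("b", "c", 0.5),  # a chain off the seed
    ("x", "y", 0.5),                                      # never in contact with c2
]
SEEDS = {"c2"}

if __name__ == "__main__":
    for name, fn in (("naive", propagate_naive), ("constrained", propagate_constrained)):
        scores = fn(EXAMPLE_EDGES, SEEDS)
        print(name, {k: round(v, 4) for k, v in sorted(scores.items())})
```

On the chain the constrained version gives a 0.5, b 0.25 and c 0.125, exactly the probability of each node having been reached from c2 along independent 0.5 edges, and leaves x and y at zero because no path connects them to a seed. The naive version drifts above those values for a and b as their threat bounces back and forth, which is the effect the paper's constraint is there to remove.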
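Janbeglou, Naderi and Brownlee (ID#:14-2069) answer "are most flows established after contacting DNS?" by joining observed flows to the DNS traffic that preceded them. The editor's example below shows the shape of that measurement on constructed records; it is not the paper's tooling and the Auckland data are not reproduced. Matching an A-record answer to a later flow by (client, destination address) within a fixed window is this example's simplifying assumption; a real campus has shared caches and long TTLs, so the uncovered set it reports is the floor of what a DNS-only defence would miss, not the exact figure.

```python
"""Fraction of flows with a DNS lookup behind them (added example).

Constructed records, not the Auckland campus data. A flow is 'DNS-covered'
if the same client received an answer containing the flow's destination
address within window_s before the flow started.
"""
from collections import defaultdict

# (time_s, client_ip, answered_ip): A-record answers seen on the resolver link
DNS_ANSWERS = [
    (98.0, "10.0.0.5", "93.184.216.34"),
    (500.0, "10.0.0.9", "203.0.113.10"),
]

# (time_s, src_ip, dst_ip, dst_port): flow starts seen at the border
FLOWS = [
    (97.0, "10.0.0.5", "10.0.0.53", 53),        # the lookup itself, not counted
    (100.0, "10.0.0.5", "93.184.216.34", 443),  # covered: answer 2 s earlier
    (120.0, "10.0.0.5", "198.51.100.7", 8080),  # no lookup at all (hard-coded peer)
    (130.0, "10.0.0.9", "93.184.216.34", 443),  # answer went to a different client
    (600.0, "10.0.0.9", "203.0.113.10", 22),    # covered: answer 100 s earlier
    (900.0, "10.0.0.9", "203.0.113.10", 22),    # answer is 400 s old, outside window
]


def dns_coverage(dns_answers, flows, window_s=300.0):
    """Return (fraction of non-DNS flows preceded by a matching answer,
    list of flows with no such answer).

    The second value is where a DNS-only defence is blind: direct-IP C&C,
    P2P peers, and names resolved long ago or by someone else."""
    seen = defaultdict(list)
    for ts, client, ip in dns_answers:
        seen[(client, ip)].append(ts)
    covered, uncovered, total = 0, [], 0
    for ts, src, dst, port in flows:
        if port == 53:          # DNS traffic itself is not a 'flow after DNS'
            continue
        total += 1
        if any(0.0 <= ts - t <= window_s for t in seen.get((src, dst), [])):
            covered += 1
        else:
            uncovered.append((ts, src, dst, port))
    return (covered / total if total else 0.0), uncovered


if __name__ == "__main__":
    frac, missing = dns_coverage(DNS_ANSWERS, FLOWS)
    print(f"{frac:.0%} of flows had a DNS lookup behind them")
    for f in missing:
        print("  no DNS:", f)
```

With these records two of five non-DNS flows are covered; the three uncovered ones are exactly the cases a detector that keys only on DNS activity never sees. Widening window_s or matching on address alone (ignoring the client) raises the coverage figure but also admits flows that merely share a destination with someone else's lookup, which is the trade-off to be explicit about when quoting a number like the paper's "less than 5 percent".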


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.