Visible to the public Biblio

Filters: Keyword is Botnet  [Clear All Filters]
Kesidis, G., Shan, Y., Fleck, D., Stavrou, A., Konstantopoulos, T..  2018.  An adversarial coupon-collector model of asynchronous moving-target defense against botnet reconnaissance*. 2018 13th International Conference on Malicious and Unwanted Software (MALWARE). :61–67.
We consider a moving-target defense of a proxied multiserver tenant of the cloud where the proxies dynamically change to defeat reconnaissance activity by a botnet planning a DDoS attack targeting the tenant. Unlike the system of [4] where all proxies change simultaneously at a fixed rate, we consider a more “responsive” system where the proxies may change more rapidly and selectively based on the current session request intensity, which is expected to be abnormally large during active reconnaissance. In this paper, we study a tractable “adversarial” coupon-collector model wherein proxies change after a random period of time from the latest request, i.e., asynchronously. In addition to determining the stationary mean number of proxies discovered by the attacker, we study the age of a proxy (coupon type) when it has been identified (requested) by the botnet. This gives us the rate at which proxies change (cost to the defender) when the nominal client request load is relatively negligible.
Viglianisi, Gabriele, Carminati, Michele, Polino, Mario, Continella, Andrea, Zanero, Stefano.  2018.  SysTaint: Assisting Reversing of Malicious Network Communications. Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop. :4:1–4:12.

The ever-increasing number of malware samples demands for automated tools that aid the analysts in the reverse engineering of complex malicious binaries. Frequently, malware communicates over an encrypted channel with external network resources under the control of malicious actors, such as Command and Control servers that control the botnet of infected machines. Hence, a key aspect in malware analysis is uncovering and understanding the semantics of network communications. In this paper we present SysTaint, a semi-automated tool that runs malware samples in a controlled environment and analyzes their execution to support the analyst in identifying the functions involved in the communication and the exchanged data. Our evaluation on four banking Trojan samples from different families shows that SysTaint is able to handle and inspect encrypted network communications, obtaining useful information on the data being sent and received, on how each sample processes this data, and on the inner portions of code that deal with the data processing.

Prokofiev, A. O., Smirnova, Y. S., Surov, V. A..  2018.  A method to detect Internet of Things botnets. 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). :105–108.

The main security problems, typical for the Internet of Things (IoT), as well as the purpose of gaining unauthorized access to the IoT, are considered in this paper. Common characteristics of the most widespread botnets are provided. A method to detect compromised IoT devices included into a botnet is proposed. The method is based on a model of logistic regression. The article describes a developed model of logistic regression which allows to estimate the probability that a device initiating a connection is running a bot. A list of network protocols, used to gain unauthorized access to a device and to receive instructions from common and control (C&C) server, is provided too.

Bapat, R., Mandya, A., Liu, X., Abraham, B., Brown, D. E., Kang, H., Veeraraghavan, M..  2018.  Identifying Malicious Botnet Traffic Using Logistic Regression. 2018 Systems and Information Engineering Design Symposium (SIEDS). :266-271.

An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible, using their resources for automated tasks that may cause significant economic and social harm while being hidden to the user and device. Thus, it becomes very difficult to detect such activity. A considerable amount of research has been conducted to detect and prevent botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method to improve network security and reduce human involvement in botnet detection. We focus on identifying the best features to detect botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model responsible for classifying malicious and benign traffic. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).

Lysenko, S., Bobrovnikova, K., Savenko, O..  2018.  A Botnet Detection Approach Based on the Clonal Selection Algorithm. 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies (DESSERT). :424-428.
The paper presents a new technique for the botnets' detection in the corporate area networks. It is based on the usage of the algorithms of the artificial immune systems. Proposed approach is able to distinguish benign network traffic from malicious one using the clonal selection algorithm taking into account the features of the botnet's presence in the network. An approach present the main improvements of the BotGRABBER system. It is able to detect the IRC, HTTP, DNS and P2P botnets.
Dong, X., Hu, J., Cui, Y..  2018.  Overview of Botnet Detection Based on Machine Learning. 2018 3rd International Conference on Mechanical, Control and Computer Engineering (ICMCCE). :476-479.

With the rapid development of the information industry, the applications of Internet of things, cloud computing and artificial intelligence have greatly affected people's life, and the network equipment has increased with a blowout type. At the same time, more complex network environment has also led to a more serious network security problem. The traditional security solution becomes inefficient in the new situation. Therefore, it is an important task for the security industry to seek technical progress and improve the protection detection and protection ability of the security industry. Botnets have been one of the most important issues in many network security problems, especially in the last one or two years, and China has become one of the most endangered countries by botnets, thus the huge impact of botnets in the world has caused its detection problems to reset people's attention. This paper, based on the topic of botnet detection, focuses on the latest research achievements of botnet detection based on machine learning technology. Firstly, it expounds the application process of machine learning technology in the research of network space security, introduces the structure characteristics of botnet, and then introduces the machine learning in botnet detection. The security features of these solutions and the commonly used machine learning algorithms are emphatically analyzed and summarized. Finally, it summarizes the existing problems in the existing solutions, and the future development direction and challenges of machine learning technology in the research of network space security.

Nan, Z., Zhai, L., Zhai, L., Liu, H..  2018.  Botnet Homology Method Based on Symbolic Approximation Algorithm of Communication Characteristic Curve. 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS). :1-6.
The IRC botnet is the earliest and most significant botnet group that has a significant impact. Its characteristic is to control multiple zombies hosts through the IRC protocol and constructing command control channels. Relevant research analyzes the large amount of network traffic generated by command interaction between the botnet client and the C&C server. Packet capture traffic monitoring on the network is currently a more effective detection method, but this information does not reflect the essential characteristics of the IRC botnet. The increase in the amount of erroneous judgments has often occurred. To identify whether the botnet control server is a homogenous botnet, dynamic network communication characteristic curves are extracted. For unequal time series, dynamic time warping distance clustering is used to identify the homologous botnets by category, and in order to improve detection. Speed, experiments will use SAX to reduce the dimension of the extracted curve, reducing the time cost without reducing the accuracy.
Chen, S., Chen, Y., Tzeng, W..  2018.  Effective Botnet Detection Through Neural Networks on Convolutional Features. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). :372-378.

Botnet is one of the major threats on the Internet for committing cybercrimes, such as DDoS attacks, stealing sensitive information, spreading spams, etc. It is a challenging issue to detect modern botnets that are continuously improving for evading detection. In this paper, we propose a machine learning based botnet detection system that is shown to be effective in identifying P2P botnets. Our approach extracts convolutional version of effective flow-based features, and trains a classification model by using a feed-forward artificial neural network. The experimental results show that the accuracy of detection using the convolutional features is better than the ones using the traditional features. It can achieve 94.7% of detection accuracy and 2.2% of false positive rate on the known P2P botnet datasets. Furthermore, our system provides an additional confidence testing for enhancing performance of botnet detection. It further classifies the network traffic of insufficient confidence in the neural network. The experiment shows that this stage can increase the detection accuracy up to 98.6% and decrease the false positive rate up to 0.5%.

McDermott, C. D., Petrovski, A. V., Majdani, F..  2018.  Towards Situational Awareness of Botnet Activity in the Internet of Things. 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). :1-8.
The following topics are dealt with: security of data; risk management; decision making; computer crime; invasive software; critical infrastructures; data privacy; insurance; Internet of Things; learning (artificial intelligence).
Orosz, P., Nagy, B., Varga, P., Gusat, M..  2018.  Low False Alarm Ratio DDoS Detection for ms-scale Threat Mitigation. 2018 14th International Conference on Network and Service Management (CNSM). :212–218.
The dynamically changing landscape of DDoS threats increases the demand for advanced security solutions. The rise of massive IoT botnets enables attackers to mount high-intensity short-duration ”volatile ephemeral” attack waves in quick succession. Therefore the standard human-in-the-loop security center paradigm is becoming obsolete. To battle the new breed of volatile DDoS threats, the intrusion detection system (IDS) needs to improve markedly, at least in reaction times and in automated response (mitigation). Designing such an IDS is a daunting task as network operators are traditionally reluctant to act - at any speed - on potentially false alarms. The primary challenge of a low reaction time detection system is maintaining a consistently low false alarm rate. This paper aims to show how a practical FPGA-based DDoS detection and mitigation system can successfully address this. Besides verifying the model and algorithms with real traffic ”in the wild”, we validate the low false alarm ratio. Accordingly, we describe a methodology for determining the false alarm ratio for each involved threat type, then we categorize the causes of false detection, and provide our measurement results. As shown here, our methods can effectively mitigate the volatile ephemeral DDoS attacks, and accordingly are usable both in human out-of-loop and on-the-loop next-generation security solutions.
Jerkins, James A., Stupiansky, Jillian.  2018.  Mitigating IoT Insecurity with Inoculation Epidemics. Proceedings of the ACMSE 2018 Conference. :4:1–4:6.

Compromising IoT devices to build botnets and disrupt critical infrastructure is an existential threat. Refrigerators, washing machines, DVRs, security cameras, and other consumer goods are high value targets for attackers due to inherent security weaknesses, a lack of consumer security awareness, and an absence of market forces or regulatory requirements to motivate IoT security. As a result of the deficiencies, attackers have quickly assembled large scale botnets of IoT devices to disable Internet infrastructure and deny access to dominant web properties with near impunity. IoT malware is often transmitted from host to host similar to how biological viruses spread in populations. Both biological viruses and computer malware may exhibit epidemic characteristics when spreading in populations of vulnerable hosts. Vaccines are used to stimulate resistance to biological viruses by inoculating a sufficient number of hosts in the vulnerable population to limit the spread of the biological virus and prevent epidemics. Inoculation programs may be viewed as a human instigated epidemic that spreads a vaccine in order to mitigate the damage from a biological virus. In this paper we propose a technique to create an inoculation epidemic for IoT devices using a novel variation of a SIS epidemic model and show experimental results that indicate utility of the approach.

Venkatesan, R., Kumar, G. Ashwin, Nandhan, M. R..  2018.  A NOVEL APPROACH TO DETECT DDOS ATTACK THROUGH VIRTUAL HONEYPOT. 2018 IEEE International Conference on System, Computation, Automation and Networking (ICSCA). :1-6.
Distributed denial-of-service (DDoS) attack remains an exceptional security risk, alleviating these digital attacks are for all intents and purposes extremely intense to actualize, particularly when it faces exceptionally well conveyed attacks. The early disclosure of these attacks, through testing, is critical to ensure safety of end-clients and the wide-ranging expensive network resources. With respect to DDoS attacks - its hypothetical establishment, engineering, and calculations of a honeypot have been characterized. At its core, the honeypot consists of an intrusion prevention system (Interruption counteractive action framework) situated in the Internet Service Providers level. The IPSs then create a safety net to protect the hosts by trading chosen movement data. The evaluation of honeypot promotes broad reproductions and an absolute dataset is introduced, indicating honeypot's activity and low overhead. The honeypot anticipates such assaults and mitigates the servers. The prevailing IDS are generally modulated to distinguish known authority level system attacks. This spontaneity makes the honeypot system powerful against uncommon and strange vindictive attacks.
Mishra, A., Dixit, A..  2018.  Resolving Threats in IoT: ID Spoofing to DDoS. 2018 9th International Conference on Computing, Communication and Networking Technologies (ICCCNT). :1–7.

Internet-of-Things (IoT) is a resource-constrained network with machines low on power, processing and memory capabilities. Resource constraints in IoT impact the adoption of protocols for design and validation of unique identity (ID) for every machine. Malicious machines spoof ID to pose as administrative machines and program their neighbour systems in the network with malware. The cycle of ID spoofing and infecting the IP-enabled devices with malware creates an entire network popularly termed as the Botnet. In this paper, we study 6LoWPAN and ZigBee for DDoS and ID spoofing vulnerabilities. We propose a design for generation and validation of ID on such systems called Pseudo Random Identity Generator (PRIG). We compare the performance of PRIG-adapted 6LoWPAN with 6LoWPAN in a simulated personal area network (PAN) model under DDoS stress and demonstrate a 93% reduction in ID validation time as well as an improvement of 67% in overall throughput.

Eskandari, S., Leoutsarakos, A., Mursch, T., Clark, J..  2018.  A First Look at Browser-Based Cryptojacking. 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS PW). :58–66.
In this paper, we examine the recent trend to- wards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code- bases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency - typically without her consent or knowledge - and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non- consenting users.
Acarali, D., Rajarajan, M., Komninos, N., Herwono, I..  2017.  Event graphs for the observation of botnet traffic. 2017 8th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON). :628–634.

Botnets are a growing threat to the security of data and services on a global level. They exploit vulnerabilities in networks and host machines to harvest sensitive information, or make use of network resources such as memory or bandwidth in cyber-crime campaigns. Bot programs by nature are largely automated and systematic, and this is often used to detect them. In this paper, we extend upon existing work in this area by proposing a network event correlation method to produce graphs of flows generated by botnets, outlining the implementation and functionality of this approach. We also show how this method can be combined with statistical flow-based analysis to provide a descriptive chain of events, and test on public datasets with an overall success rate of 94.1%.

Jonsdottir, G., Wood, D., Doshi, R..  2017.  IoT network monitor. 2017 IEEE MIT Undergraduate Research Technology Conference (URTC). :1–5.
IoT Network Monitor is an intuitive and user-friendly interface for consumers to visualize vulnerabilities of IoT devices in their home. Running on a Raspberry Pi configured as a router, the IoT Network Monitor analyzes the traffic of connected devices in three ways. First, it detects devices with default passwords exploited by previous attacks such as the Mirai Botnet, changes default device passwords to randomly generated 12 character strings, and reports the new passwords to the user. Second, it conducts deep packet analysis on the network data from each device and notifies the user of potentially sensitive personal information that is being transmitted in cleartext. Lastly, it detects botnet traffic originating from an IoT device connected to the network and instructs the user to disconnect the device if it has been hacked. The user-friendly IoT Network Monitor will enable homeowners to maintain the security of their home network and better understand what actions are appropriate when a certain security vulnerability is detected. Wide adoption of this tool will make consumer home IoT networks more secure.
McLaren, P., Russell, G., Buchanan, B..  2017.  Mining Malware Command and Control Traces. 2017 Computing Conference. :788–794.

Detecting botnets and advanced persistent threats is a major challenge for network administrators. An important component of such malware is the command and control channel, which enables the malware to respond to controller commands. The detection of malware command and control channels could help prevent further malicious activity by cyber criminals using the malware. Detection of malware in network traffic is traditionally carried out by identifying specific patterns in packet payloads. Now bot writers encrypt the command and control payloads, making pattern recognition a less effective form of detection. This paper focuses instead on an effective anomaly based detection technique for bot and advanced persistent threats using a data mining approach combined with applied classification algorithms. After additional tuning, the final test on an unseen dataset, false positive rates of 0% with malware detection rates of 100% were achieved on two examined malware threats, with promising results on a number of other threats.

Guri, M., Mirsky, Y., Elovici, Y..  2017.  9-1-1 DDoS: Attacks, Analysis and Mitigation. 2017 IEEE European Symposium on Security and Privacy (EuroS P). :218–232.

The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller's identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or \$100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future.

Fraunholz, D., Zimmermann, M., Anton, S. D., Schneider, J., Schotten, H. Dieter.  2017.  Distributed and highly-scalable WAN network attack sensing and sophisticated analysing framework based on Honeypot technology. 2017 7th International Conference on Cloud Computing, Data Science Engineering - Confluence. :416–421.

Recently, the increase of interconnectivity has led to a rising amount of IoT enabled devices in botnets. Such botnets are currently used for large scale DDoS attacks. To keep track with these malicious activities, Honeypots have proven to be a vital tool. We developed and set up a distributed and highly-scalable WAN Honeypot with an attached backend infrastructure for sophisticated processing of the gathered data. For the processed data to be understandable we designed a graphical frontend that displays all relevant information that has been obtained from the data. We group attacks originating in a short period of time in one source as sessions. This enriches the data and enables a more in-depth analysis. We produced common statistics like usernames, passwords, username/password combinations, password lengths, originating country and more. From the information gathered, we were able to identify common dictionaries used for brute-force login attacks and other more sophisticated statistics like login attempts per session and attack efficiency.

Alejandre, F. V., Cortés, N. C., Anaya, E. A..  2017.  Feature selection to detect botnets using machine learning algorithms. 2017 International Conference on Electronics, Communications and Computers (CONIELECOMP). :1–7.

In this paper, a novel method to do feature selection to detect botnets at their phase of Command and Control (C&C) is presented. A major problem is that researchers have proposed features based on their expertise, but there is no a method to evaluate these features since some of these features could get a lower detection rate than other. To this aim, we find the feature set based on connections of botnets at their phase of C&C, that maximizes the detection rate of these botnets. A Genetic Algorithm (GA) was used to select the set of features that gives the highest detection rate. We used the machine learning algorithm C4.5, this algorithm did the classification between connections belonging or not to a botnet. The datasets used in this paper were extracted from the repositories ISOT and ISCX. Some tests were done to get the best parameters in a GA and the algorithm C4.5. We also performed experiments in order to obtain the best set of features for each botnet analyzed (specific), and for each type of botnet (general) too. The results are shown at the end of the paper, in which a considerable reduction of features and a higher detection rate than the related work presented were obtained.

Tran, Manh Cong, Nakamura, Yasuhiro.  2016.  Web Access Behaviour Model for Filtering Out HTTP Automated Software Accessed Domain. Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication. :67:1–67:4.

In many decades, due to fast growth of the World Wide Web, HTTP automated software/applications (auto-ware) are blooming for multiple purposes. Unfortunately, beside normal applications such as virus defining or operating system updating, auto-ware can also act as abnormal processes such as botnet, worms, virus, spywares, and advertising software (adware). Therefore, auto-ware, in a sense, consumes network bandwidth, and it might become internal security threats, auto-ware accessed domain/server also might be malicious one. Understanding about behaviour of HTTP auto-ware is beneficial for anomaly/malicious detection, the network management, traffic engineering and security. In this paper, HTTP auto-ware communication behaviour is analysed and modeled, from which a method in filtering out its domain/server is proposed. The filtered results can be used as a good resource for other security action purposes such as malicious domain/URL detection/filtering or investigation of HTTP malware from internal threats.

Lu, Yiqin, Wang, Meng.  2016.  An Easy Defense Mechanism Against Botnet-based DDoS Flooding Attack Originated in SDN Environment Using sFlow. Proceedings of the 11th International Conference on Future Internet Technologies. :14–20.

As today's networks become larger and more complex, the Distributed Denial of Service (DDoS) flooding attack threats may not only come from the outside of networks but also from inside, such as cloud computing network where exists multiple tenants possibly containing malicious tenants. So, the need of source-based defense mechanism against such attacks is pressing. In this paper, we mainly focus on the source-based defense mechanism against Botnet-based DDoS flooding attack through combining the power of Software-Defined Networking (SDN) and sample flow (sFlow) technology. Firstly, we defined a metric to measure the essential features of this kind attack which means distribution and collaboration. Then we designed a simple detection algorithm based on statistical inference model and response scheme through the abilities of SDN. Finally, we developed an application to realize our idea and also tested its effect on emulation network with real network traffic. The result shows that our mechanism could effectively detect DDoS flooding attack originated in SDN environment and identify attack flows for avoiding the harm of attack spreading to target or outside. We advocate the advantages of SDN in the area of defending DDoS attacks, because it is difficult and laborious to organize selfish and undisciplined traditional distributed network to confront well collaborative DDoS flooding attacks.

Bottazzi, Giovanni, Italiano, Giuseppe F., Rutigliano, Giuseppe G..  2016.  Frequency Domain Analysis of Large-Scale Proxy Logs for Botnet Traffic Detection. Proceedings of the 9th International Conference on Security of Information and Networks. :76–80.

Botnets have become one of the most significant cyber threats over the last decade. The diffusion of the "Internet of Things" and its for-profit exploitation, contributed to botnets spread and sophistication, thus providing real, efficient and profitable criminal cyber-services. Recent research on botnet detection focuses on traffic pattern-based detection, and on analyzing the network traffic generated by the infected hosts, in order to find behavioral patterns independent from the specific payloads, architectures and protocols. In this paper we address the periodic behavioral patterns of infected hosts communicating with their Command-and-Control servers. The main novelty introduced is related to the traffic analysis in the frequency domain without using the well-known Fast Fourier Transform. Moreover, the mentioned analysis is performed through the exploitation of the proxy logs, easily deployable on almost every real-world scenario, from enterprise networks to mobile devices.

Kumar, Vimal, Kumar, Satish, Gupta, Avadhesh Kumar.  2016.  Real-time Detection of Botnet Behavior in Cloud Using Domain Generation Algorithm. Proceedings of the International Conference on Advances in Information Communication Technology & Computing. :69:1–69:3.

In the last few years, the high acceptability of service computing delivered over the internet has exponentially created immense security challenges for the services providers. Cyber criminals are using advanced malware such as polymorphic botnets for participating in our everyday online activities and trying to access the desired information in terms of personal details, credit card numbers and banking credentials. Polymorphic botnet attack is one of the biggest attacks in the history of cybercrime and currently, millions of computers are infected by the botnet clients over the world. Botnet attack is an intelligent and highly coordinated distributed attack which consists of a large number of bots that generates big volumes of spamming e-mails and launching distributed denial of service (DDoS) attacks on the victim machines in a heterogeneous network environment. Therefore, it is necessary to detect the malicious bots and prevent their planned attacks in the cloud environment. A number of techniques have been developed for detecting the malicious bots in a network in the past literature. This paper recognize the ineffectiveness exhibited by the singnature based detection technique and networktraffic based detection such as NetFlow or traffic flow detection and Anomaly based detection. We proposed a real time malware detection methodology based on Domain Generation Algorithm. It increasesthe throughput in terms of early detection of malicious bots and high accuracy of identifying the suspicious behavior.

Thakar, Bhavik, Parekh, Chandresh.  2016.  Advance Persistent Threat: Botnet. Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies. :143:1–143:6.

Growth of internet era and corporate sector dealings communication online has introduced crucial security challenges in cyber space. Statistics of recent large scale attacks defined new class of threat to online world, advanced persistent threat (APT) able to impact national security and economic stability of any country. From all APTs, botnet is one of the well-articulated and stealthy attacks to perform cybercrime. Botnet owners and their criminal organizations are continuously developing innovative ways to infect new targets into their networks and exploit them. The concept of botnet refers collection of compromised computers (bots) infected by automated software robots, that interact to accomplish some distributed task which run without human intervention for illegal purposes. They are mostly malicious in nature and allow cyber criminals to control the infected machines remotely without the victim's knowledge. They use various techniques, communication protocols and topologies in different stages of their lifecycle; also specifically they can upgrade their methods at any time. Botnet is global in nature and their target is to steal or destroy valuable information from organizations as well as individuals. In this paper we present real world botnet (APTs) survey.