Similar literature
Found 20 similar documents; search took 23 ms
1.
The mobile botnet is a collection of compromised mobile devices that can remotely receive commands from the botmaster. Exploiting unique features of mobile networks and smartphones, mobile botnets pose a severe threat to mobile users, because smartphones have become an indispensable part of our daily lives and carried a lot of private information. With the development of cloud computing technologies, botmaster can utilize ubiquitous cloud technologies to construct robust and scalable C&C (command and control) channel for mobile botnet. In this paper, we propose CloudBot, a novel mobile botnet, which outperforms existing mobile botnets in terms of robustness, controllability, scalability, and stealthiness. Although the basic idea of using cloud technologies seems straightforward, we explore the design space of exploiting such services and tackle several challenging issues to overcome the limitations of existing mobile botnets. We have implemented CloudBot by exploiting popular push services and cloud storage services, and evaluated it through extensive experiments. The results demonstrate not only the feasibility of CloudBot but also its advantages, such as stealthiness, robustness, and performance.

2.
In order to evade detection of ever-improving defense techniques, modern botnet masters are constantly looking for new communication platforms for delivering C&C (Command and Control) information. Attracting their attention is the emergence of online social networks such as Twitter, as the information dissemination mechanism provided by these networks can naturally be exploited for spreading botnet C&C information, and the enormous amount of normal communications co-existing in these networks makes it a daunting task to tease out botnet C&C messages. Against this backdrop, we explore graph-theoretic techniques that aid effective monitoring of potential botnet activities in large open online social networks. Our work is based on extensive analysis of a Twitter dataset that contains more than 40 million users and 1.4 billion following relationships, and mine patterns from the Twitter network structure that can be leveraged for improving efficiency of botnet monitoring. Our analysis reveals that the static Twitter topology contains a small-sized core subgraph, after removing which, the Twitter network breaks down into small connected components, each of which can be handily monitored for potential botnet activities. Based on this observation, we propose a method called Peri-Watchdog, which computes the core of a large online social network and derives the set of nodes that are likely to pass botnet C&C information in the periphery of online social network. We analyze the time complexity of Peri-Watchdog under its normal operations. We further apply Peri-Watchdog on the Twitter graph injected with synthetic botnet structures and investigate the effectiveness of Peri-Watchdog in detecting potential C&C information from these botnets. To verify whether patterns observed from the static Twitter graph are common to other online social networks, we analyze another online social network dataset, BrightKite, which contains evolution of social graphs formed by its users in half a year. We show not only that there exists a similarly relatively small core in the BrightKite network, but also this core remains stable over the course of BrightKite evolution. We also find that to accommodate the dynamic growth of BrightKite, the core has to be updated about every 18 days under a constrained monitoring capacity.

3.
We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%.

4.
It is without a doubt that botnets pose a growing threat to the Internet, with DDoS attacks of any kind carried out by botnets to be on the rise. Nowadays, botmasters rely on advanced Command and Control (C&C) infrastructures to achieve their goals and most importantly to remain undetected. This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel. The first one puts forward the idea of using a continually changing mobile HTTP proxy in front of the botherder, while the other capitalizes on DNS protocol as a covert channel for coordinating the botnet. That is, for the latter, the messages exchanged among the bots and the herder appear as legitimate DNS transactions. Also, a third architecture is described and assessed, which is basically an optimized variation of the first one. Namely, it utilizes a mixed layout where all the attacking bots are mobile, but the proxy machines are typical PCs not involved in the actual attack. For the DNS amplification attack, which is by nature more powerful, we report an amplification factor that fluctuates between 32.7 and 34.1. Also, regarding the imposed C&C cost, we assert that it is minimal (about 0.25 Mbps) per bot in the worst case happening momentarily when the bot learns about the parameters of the attack.

5.
This paper proposes a fully-integrated SIP + HCoP-B architecture to provide efficient mobility management of the nested mobile network. It achieves the following merits, which are rare in the literature. First, it reduces network deployment costs by only equipping an integrated SIP mobile server. Second, it supports both SIP-based and non-SIP-based applications. Third, by adopting the analytical model proposed in Mohanty and Akyildiz (2007) [19], mathematical analyses are provided to investigate six performance metrics of SIP + HCoP-B and the other four well-known SIP's over NEMO schemes over the error-prone wireless link. Finally, it is shown that SIP + HCoP-B outperforms these four traditional schemes through intensive simulations.

6.
Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity. However, the C&C protocols of botnets, similar to many other application layer protocols, are undocumented. Automatic protocol reverse-engineering techniques enable understanding undocumented protocols and are important for many security applications, including the analysis and defense against botnets. For example, they enable active botnet infiltration, where a security analyst rewrites messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation. In this work, we propose a novel approach to automatic protocol reverse engineering based on dynamic program binary analysis. Compared to previous work that examines the network traffic, we leverage the availability of a program that implements the protocol. Our approach extracts more accurate and complete protocol information and enables the analysis of encrypted protocols. Our automatic protocol reverse-engineering techniques extract the message format and field semantics of protocol messages sent and received by an application that implements an unknown protocol specification. We implement our techniques into a tool called Dispatcher and use it to analyze the previously undocumented C&C protocol of MegaD, a spam botnet that at its peak produced one third of the spam on the Internet.

7.
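With the development of mobile phone operating systems and mobile communication technologies, botnets, one of the main security threats on the Internet, have moved onto mobile platforms, posing a major economic threat to mobile phone users and becoming one of the research focuses of mobile platform security. We redefine the botnet, analyze the development, architecture, and command and control mechanisms of botnets on mobile platforms, discuss work on extending traditional botnets to mobile botnets, and analyze the key points of future research on mobile botnets.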

8.
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot handle the challenges brought about by different network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), including capturing the event time series, mining the hidden periodicity of host behaviors, and evaluating the mined periodic patterns to identify P2P bot traffic. As our detection model is built based on the basic properties of P2P protocols, it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C. For hidden periodicity mining, we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem. The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.

9.
This paper deals with the development of acoustic source localization algorithms for service robots working in real conditions. One of the main utilizations of these algorithms in a mobile robot is that the robot can localize a human operator and eventually interact with him/herself by means of verbal commands. The location of a speaking operator is detected with a microphone array based algorithm; localization information is passed to a navigation module which sets up a navigation mission using knowledge of the environment map. In fact, the system we have developed aims at integrating acoustic, odometric and collision sensors with the mobile robot control architecture. Good performance with real acoustic data has been obtained using neural network approach with spectral subtraction and a noise robust voice activity detector. The experiments show that the average absolute localization error is about 40 cm at 0 dB and about 10 cm at 10 dB of SNR for the named localization. Experimental results describing mobile robot performance in a talker following task are reported.

10.
Detecting botnet behaviors in networks is a popular topic in the current research literature. The problem of detection of P2P botnets has been denounced as one of the most difficult ones, and this is even sounder when botnets use existing P2P networks infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control communications (C&C) between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme which is based on modeling the evolution of the number of peers sharing a resource in a P2P network over time. This allows to detect abnormal behaviors associated to parasite P2P botnet resources in this kind of environments. We perform extensive experiments on Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered.

11.
In a computerized numerical controller (CNC), interpolating more than one block in a sampling interval, increases the feed rate. Some commands skipped by the generator are pre-saved in a circular buffer, to provide faster operation than that of a conventional digital differential analyzer. The feed rate can be increased when programmed distances are short. The high feed rate is confirmed by installing the buffered command generation algorithm in the motion board that includes a digital signal processor. The feed rate can reach 11.6 m/min, when minimal (1 μm) distance is programmed in all blocks.

12.
Botnet malware is improving with the latest (3rd) generation exemplified by the SpyEye and Zeus botnets. These botnets are important to understand because they target online financial transactions, primarily with banks. In this paper, we analyze the components from multiple generations of the SpyEye botnet in order to understand both how it works and how it is evolving. SpyEye is a sophisticated piece of malware with a modular design that eases the incorporation of improvements. We will discuss in detail the complete framework of SpyEye botnet consisting of the Bot Development Kit (BDK), the plugin architecture, the backend storage server, the bot design and the web-based Command and Control (C&C) management system. In addition, we also examine the techniques used by SpyEye to steal money.

13.
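Network attacks of all kinds carried out over botnets are among the most serious security threats currently facing the Internet. Although research in this area has made notable progress in recent years, botnets keep evolving and becoming more complex and stealthy, and the limitations of network and system architectures make detection and defense difficult, so how to respond effectively to the botnet threat remains an ongoing and challenging problem. This paper first describes recent developments in how botnets work from three aspects: propagation, attack, and command and control. It then summarizes and analyzes research on botnet defense across five stages: monitoring, analysis of working mechanisms, feature analysis, detection, and active containment. Finally, it discusses the limitations of current defense methods, trends in botnet development, and directions for further research.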

14.
Botnets are widely used by attackers and they have evolved from centralized structures to distributed structures. Most of the modern P2P bots launch attacks in a stealthy way and the detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bots’ information provided by external systems. It detects P2P bots by focusing on the instinct characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots and normal hosts by clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.

15.
Command and control (C&C) speech recognition allows users to interact with a system by speaking commands or asking questions restricted to a fixed grammar containing pre-defined phrases. Whereas C&C interaction has been commonplace in telephony and accessibility systems for many years, only recently have mobile devices had the memory and processing capacity to support client-side speech recognition. Given the personal nature of mobile devices, statistical models that can predict commands based in part on past user behavior hold promise for improving C&C recognition accuracy. For example, if a user calls a spouse at the end of every workday, the language model could be adapted to weight the spouse more than other contacts during that time. In this paper, we describe and assess statistical models learned from a large population of users for predicting the next user command of a commercial C&C application. We explain how these models were used for language modeling, and evaluate their performance in terms of task completion. The best performing model achieved a 26% relative reduction in error rate compared to the base system. Finally, we investigate the effects of personalization on performance at different learning rates via online updating of model parameters based on individual user data. Personalization significantly increased relative reduction in error rate by an additional 5%.

16.
In recent years, a lot of attention has been focused on the electronic properties of DNA. With recent advances in linear scaling quantum mechanics there are now new tools available to enhance our understanding of the electronic properties of DNA among other biomolecules. Using both explicit solvent models and implicit (continuum) solvent models, the electronic characteristics of a dodecamer duplex DNA have been fully studied using both divide and conquer (D&C), semi-empirical quantum mechanics and non-D&C semi-empirical quantum mechanics. According to the AM1 Hamiltonian, ∼3.5 electrons (∼0.3 electron/base pair) are transferred from the duplex to the solvent. According to the density of state (DOS) analysis, in vacuo DNA has a band gap of ∼1 eV showing that in the absence of solvent, the DNA may exhibit similar properties to those of a semiconductor. Upon increasing solvation (2.5–5.5 Å), the band gap ranges from ∼3 eV to ∼6 eV. For the implicit solvent model, the band gap continues this widening trend to ∼7 eV. Therefore, upon solvation and in the absence of dopants, the DNA should begin to lose its conductive properties. Finally, when one considers the energy and localization of the frontier orbitals (HOMO and LUMO), solvent has a stabilizing effect on the DNA system. The energy of the HOMO drops from ∼15 eV in vacuo to ∼2 eV for 5.5 Å of water to ∼−8 eV for the implicit solvent model. Similarly, the LUMO drops from ∼16 eV for in vacuo to ∼9 eV for 5.5 Å of water to ∼−1 eV for the implicit model. Beyond the importance of the computed results on the materials properties of DNA, the present work also shows that the behavior of intercalators will be affected by the electronic properties of DNA. This could have an impact on our understanding of how DNA based drugs interact with DNA and on the design of new DNA based small molecule drugs.

17.
Botnets, overlay networks built by cyber criminals from numerous compromised network-accessible devices, have become a pressing security concern in the Internet world. Availability of accurate mathematical models of population size evolution enables security experts to plan ahead and deploy adequate resources when responding to a growing threat of an emerging botnet. In this paper, we introduce the Susceptible-Infected-Connected (SIC) botnet model. Prior botnet models are largely the same as the models for the spread of malware among computers and disease among humans. The SIC model possesses some key improvements over earlier models: (1) keeping track of only key node stages (Infected and Connected), hence being applicable to a larger set of botnets; and (2) being a Continuous-Time Markov Chain-based model, it takes into account the stochastic nature of population size evolution. The SIC model helps the security experts with the following two key analyses: (1) estimation of the global botnet size during its initial appearance based on local measurements; and (2) comparison of botnet mitigation strategies such as disinfection of nodes and attacks on botnet’s Command and Control (C&C) structure. The analysis of the mitigation strategies has been strengthened by the development of an analytical link between the SIC model and the P2P botnet mitigation strategies. Specifically, one can analyze how a random sybil attack on a botnet can be fine-tuned based on the insight drawn from the use of the SIC model. We also show that derived results may be used to model the sudden growth and size fluctuations of real-world botnets.

18.
Capacity improvement in cellular networks is highly dependent on the effectiveness of power control. A power control procedure is needed to compensate for the fluctuation of a mobile's transmitting power received at a base station and to increase the capacity of the mobile communication system via decreasing intra- and inter-cellular interference. Here we consider fuzzy set theory based delayed adaptive step-size closed loop power control scheme(s). In this scheme transmitters adjust their power step sizes according to the received multiphased power control signals (delayed commands) from base stations. Code division multiple access (CDMA) system standards (cdmaOne, CDMA2000 and ETSI UMTS/UTRAN) limit the number of bits to two for the length of the control command in time slots. Hence, the number of commands is limited to four per time slot (in practice to two: up and down fixed amount, the rest are zero and unused values) when a sign and magnitude binary word format is used. In the developed algorithm, the number of commands is enlarged to 16 per two sequential time slots (four bits) without an increase in the standardized control bit rate by transmitting control commands in two sequential phases (time slots). First two bits of the command are transmitted in the current time slot and a receiver stores them and waits for the next time slot, which includes the last two bits of the control signal. The receiver interprets control command after receiving all 4 bits. Therefore, the control frequency is decreased (delayed control) to half of the original but respectively the dynamic scale is increased to 4 times larger (in practice 7 times: 7 values up and 7 down, 1 value for zero and 1 unused) for the sign and magnitude binary coding. A single transmitter's control results with the developed controller in a frequency selective fading channel in a CDMA network with interfering nodes and Gaussian noise are compared to the predefined step size power control scheme, which is a de facto standard the power control in cellular networks.

19.
In the current study, we explore predictors of smartphone and smartphone application use in a large, diverse, population representative South Korean sample (N = 9482). Sociodemographics (e.g., gender, age, education, and income) were major predictors of smartphone and smartphone application use. Generally, younger, educated, and wealthy individuals tended to use smartphones and smartphone applications to a greater extent. Females tended to use smartphones, e-commerce applications, and relational applications more compared to males. Openness, extraversion, and conscientiousness were associated with increased probability of smartphone ownership. Extraversion was associated with decreased literacy application use and increased relational application use. Conscientiousness was associated with decreased e-commerce application use. These results imply that sociodemographics and personality predict smartphone innovation.

20.
The current paper presents the simulated 3D Finite Element Model (FEM) and experimental validation while turning the Nimonic C-263 super alloy using a cemented carbide cutting tool. FEM machining simulations were carried out using a Lagrangian finite element based machining model to predict the tangential cutting force, temperature distribution at tool tip and the effective stress and strain. All simulations were performed according to the cutting conditions designed, using the orthogonal array. The work piece was considered as perfectly plastic and its shape was taken as a curved model. An experimental validation of the cutting process was conducted in order to verify the simulated results of tangential cutting force and temperature at tool tip and the comparison shows that the percentage error 6% was observed and the shear friction factor 0.6 indicates good agreement between the simulated results and the experiment results. As the cutting speed is increased from 22 m/min to 54 m/min at higher feed rate, a larger strain to an extent of up to 6.55 mm/mm, a maximum value of 810 MPa stress and higher temperature localization to an extent of 620 °C at tool tip were observed.
