A mathematical exploitation of simulated uniform scanning botnet propagation dynamics for early stage detection and management

The contribution of this paper is two-fold. Firstly, we propose a botnet detection approach that is sufficiently timely to enable a containment of the botnet outbreak in a supervised network. Secondly, we show that mathematical models of botnet propagation dynamics are a viable means of achieving that level of defense from bot infections in a supervised network. Our approach is built on the idea of processing network traffic such as to localize a weakly connected subgraph within a graph that models network communications between hosts, and thus consider that subgraph as representative of a suspected botnet. We devise applied statistics to infer the propagation dynamics that would characterize the suspected botnet if this latter were indeed a botnet. The inferred dynamics are materialized into a model graph. A subgraph isomorphism search determines whether or not there is an approximate match between the model graph and any subgraph of the weakly connected subgraph. An approximate match between the two leads to a timely identification of infected hosts. We have implemented this research in the Matlab and Perl programming languages, and have validated it in practice in the Emulab network testbed. In the paper, we describe our approach in detail, and discuss experiments along with experimental data that are indicative of the effectiveness of our approach.     

无尺度网络下具有免疫特征的僵尸网络传播模型*

结合无尺度的特性,考虑僵尸网络传播过程中部分主机的免疫特性,提出一种无尺度网络下具有免疫特征的僵尸网络传播模型。该模型基于Internet的实际情况,重点考虑了无尺度网络的拓扑结构,并结合了僵尸网络中部分脆弱主机由于提前从易感染的网络中被移除而具有免疫特征的情况。通过MATLAB进行仿真,仿真结果表明,这种传播模型更符合真实网络中僵尸网络的传播规律。     

P2P僵尸网络的传播建模与分析

为了有效控制自愿式P2P僵尸网络的大规模爆发,从动力学的角度研究了僵尸网络的传播规律.首先,根据僵尸网络的形成过程,建立了一个时滞微分方程模型;其次,通过详细的数学分析得出了有效控制僵尸网络的阈值表达式;最后,数值模拟验证了理论分析的正确性.理论分析和实验结果均表明,当基本再生数的值小于1时,僵尸网络可以被完全控制;否则,安全防御措施只能减小僵尸网络的规模.模拟结果还表明,降低僵尸程序的感染率或提高网络节点的免疫率,可以有效控制僵尸网络的爆发.实际网络管理中,可以通过不均匀分布网络节点、及时下载漏洞补丁等措施控制僵尸程序的传播.     

Clustering botnet communication traffic based on n-gram feature selection

Recognized as one the most serious security threats on current Internet infrastructure, botnets can not only be implemented by existing well known applications, e.g. IRC, HTTP, or Peer-to-Peer, but also can be constructed by unknown or creative applications, which makes the botnet detection a challenging problem. Previous attempts for detecting botnets are mostly to examine traffic content for bot command on selected network links or by setting up honeypots. Traffic content, however, can be encrypted with the evolution of botnet, and as a result leading to a fail of content based detection approaches. In this paper, we address this issue and propose a new approach for detecting and clustering botnet traffic on large-scale network application communities, in which we first classify the network traffic into different applications by using traffic payload signatures, and then a novel decision tree model is used to classify those traffic to be unknown by the payload content (e.g. encrypted traffic) into known application communities where network traffic is clustered based on n-gram features selected and extracted from the content of network flows in order to differentiate the malicious botnet traffic created by bots from normal traffic generated by human beings on each specific application. We evaluate our approach with seven different traffic trace collected on three different network links and results show the proposed approach successfully detects two IRC botnet traffic traces with a high detection rate and an acceptable low false alarm rate.     

具有变化感染率的僵尸网络传播模型

僵尸网络对网络安全的威胁已经引起了众多安全研究专家的高度重视。数学建模是研究僵尸网络传播特性 的一种有效方法。现有的僵尸网络传播模型假设感染率是常量。事实上,大量僵尸病毒爆发时会引起网络拥塞,从而 导致感染变慢。针对这一特点,提出一个具有变化感染率的僵尸网络传播模型。根据Intetne、的实际情况,在模型中 加入了预先免疫特征项。最后通过matlab模拟对比了提出的模型与已有模型在反映僵尸网络感染时的差异。实验 结果表明,具有变化感染率的僵尸网络传播模型能更准确地反映实际网络中僵尸程序的传播规律。     

The SIC botnet lifecycle model: A step beyond traditional epidemiological models

Botnets, overlay networks built by cyber criminals from numerous compromised network-accessible devices, have become a pressing security concern in the Internet world. Availability of accurate mathematical models of population size evolution enables security experts to plan ahead and deploy adequate resources when responding to a growing threat of an emerging botnet. In this paper, we introduce the Susceptible-Infected-Connected (SIC) botnet model. Prior botnet models are largely the same as the models for the spread of malware among computers and disease among humans. The SIC model possesses some key improvements over earlier models: (1) keeping track of only key node stages (Infected and Connected), hence being applicable to a larger set of botnets; and (2) being a Continuous-Time Markov Chain-based model, it takes into account the stochastic nature of population size evolution. The SIC model helps the security experts with the following two key analyses: (1) estimation of the global botnet size during its initial appearance based on local measurements; and (2) comparison of botnet mitigation strategies such as disinfection of nodes and attacks on botnet’s Command and Control (C&C) structure. The analysis of the mitigation strategies has been strengthened by the development of an analytical link between the SIC model and the P2P botnet mitigation strategies. Specifically, one can analyze how a random sybil attack on a botnet can be fine-tuned based on the insight drawn from the use of the SIC model. We also show that derived results may be used to model the sudden growth and size fluctuations of real-world botnets.     

Efficient botnet herding within the Tor network

During 2013 the Tor network had a massive spike in new users as a botnet started using Tor hidden services to hide its C&C (Command and Control) servers. This resulted in network congestion and reduced performance for all users. Tor hidden services are attractive to botnet herders because they provide anonymity for both the C&C servers and the bots. The aim of this paper is to present a superior way that Tor hidden services can be used for botnet C&C which minimises harm to the Tor network while retaining all security benefits.     

非结构化P2P僵尸网络鲁棒性分析

僵尸网络结构的不断改进对网络安全造成了极大的威胁,如何深入研究其结构本身的固有性质对抵御该种攻击方式显得尤为重要。从复杂网络的角度模拟非结构化P2P僵尸网络,通过定义度量标准并应用网络中心化指标分析非结构化P2P僵尸网络面对节点失效时的鲁棒性。实验结果表明,非结构化P2P僵尸网络在面对随机节点失效时其鲁棒性较强,而面对高中心化节点失效时其鲁棒性将会迅速降低。     

Modeling and evaluating of typical advanced peer-to-peer botnet

In this paper, we present a general model for an advanced peer-to-peer (P2P) botnet, in which the performance of the botnet can be systematically studied. From the model, we can derive five performance metrics to describe the robustness, security and efficiency of the botnet. Additionally, we analyze the relationship between the performance metrics and the model feature metrics of the botnet, and it is helpful to study the botnet under different model feature metrics. Furthermore, the proposed model can be easily applied to other types of botnets. Finally, taking the robustness and security into consideration, an optimization scheme for designing an optimal P2P botnet is proposed.     

基于重组的半分布式僵尸网络抗打击技术

僵尸网络防御技术的不断涌现对僵尸网络生存能力提出了严峻的挑战,为了改善僵尸网络的生存能力,从攻击者角度提出一种适用于半分布式僵尸网络的基于重组的抗打击技术。通过对僵尸网络生存状态的感知和对存活节点的探查,实现了半分布式僵尸网络在遭受严重打击导致拓扑结构破碎情况下,寻回存活节点并将其重组为新的僵尸网络。通过实验验证了该技术的有效性,证明其能够有效增强半分布式僵尸网络的生存能力     

Tsunami: A parasitic,indestructible botnet on Kad

While current botnets rely on a central server or bootstrap nodes for their operations, in this paper we identify and investigate a new type of botnet, called Tsunami, in which no such bottleneck nodes exist. In particular, we study how a Tsunami botnet can build a parasitic relationship with a widely deployed P2P system, Kad, to successfully issue commands to its bots, launch various attacks, including distributed denial of service (DDoS) and spam, at ease, as well as receive responses from the bots. Our evaluation shows that in a Kad network with four million nodes, even with only 6 % nodes being Tsunami bots, Tsunami can reach 75 % of its bots in less than 4 min and receive responses from 99 % of bots. We further propose how we may defend against Tsunami and evaluate the defense solution.     

无尺度网络下具有双因素的僵尸网络传播模型

随着网络技术的发展,僵尸网络逐渐成为Internet上最具威胁的攻击平台.而现今的网络是随机网络、无尺度网络等构成的一个复杂网络.结合无尺度的特性,考虑僵尸网络传播过程中部分主机的免疫特性与网络阻塞特征,提出一种无尺度网络下具有双因素的僵尸网络传播模型.该模型基于Internet的实际情况,重点考虑了无尺度网络的拓扑结构,并结合了僵尸网络中部分脆弱主机由于提前从易感染的网络中移除而具有的免疫特征情况与传播过程中的网络流量阻塞情况.Matlab仿真结果表明,这种传播模型更符合真实网络中僵尸网络的传播规律.     

基于短地址混淆和谷歌云推送的移动僵尸网络的构建

为了提升对移动僵尸网络的预测能力和防御能力,提出了一种基于短地址混淆(USSes-Flux)和谷歌云(GCM)推送的移动僵尸网络的构建机制。设计了基于中心结构和对等网络(P2P)混合的拓扑结构的移动僵尸网络模型,给出了USSes-Flux算法,从而增强了命令与控制信道的隐秘性和强壮性。给出了该移动僵尸网络的控制模型,分析了不同僵尸节点的状态改变、命令设计和传播算法。实验环境中,研究了短地址的失效率与申请数量之间的关系,并对该移动僵尸网络与不同命令和控制信道的样本进行静态分析、动态分析和电量测试。结果表明:该移动僵尸网络具有较强的隐秘性、强壮性和低消耗。     

基于智能合约的高对抗性僵尸网络研究

区块链技术的发展与应用使构建更为鲁棒和灵活的僵尸网络命令控制信道成为可能。为了更好地研究这类潜在的新型僵尸网络威胁,提出基于区块链智能合约的高对抗性僵尸网络模型——SCBot。SCBot 模型采用分层混合拓扑结构,在僵尸子网层构建基于智能合约的命令传递信道,并建立可信度评估机制判别节点真实性,从流量和终端两大层面提升网络的对抗性。模拟构建小型的僵尸网络集群,对SCBot的命令传递效率和鲁棒性进行了对比实验,并从经济成本角度分析其在现实环境中的可行性。最后对该类型僵尸网络的防御策略做简要分析和讨论。     

具有异构感染率的僵尸网络建模与分析

僵尸网络作为共性攻击平台,采用目前先进的匿名网络和恶意代码技术为APT攻击提供了大量有效资源。为了有效控制僵尸网络的大规模爆发,需研究其构建规律。考虑到在传播过程中僵尸网络的不同区域具有不同的感染率,结合疾病传播模型,提出了一种具有异构感染率的僵尸网络传播模型。首先,通过对僵尸网络稳态特征的分析,使用平均场方法从动力学角度研究了其传播特性;然后,在BA网络中通过模拟实验来分析异构感染率如何影响僵尸网络的传播阈值。实验结果表明, 该模型更符合真实情况,且僵尸程序传播阈值和异构感染率的关系与节点数量无关。     

一种分布式的僵尸网络实时检测算法

僵尸网络通过控制的主机实现多类恶意行为,使得当前的检测方法失效,其中窃取敏感数据已经成为主流。鉴于僵尸网络实现的恶意行为,检测和减轻方法的研究已经势在必行。提出了一种新颖的分布式实时僵尸网络检测方法,该方法通过将Netflow组织成主机Netflow图谱和主机关系链,并提取隐含的C&C通信特征来检测僵尸网络。同时,基于Spark Streaming分布式实时流处理引擎,使用该算法实现了BotScanner分布式检测系统。为了验证该系统的有效性,采用5个主流的僵尸网络家族进行训练,并分别使用模拟网络流量和真实网络流量进行测试。实验结果表明,在无需深度包解析的情况下,BotScanner分布式检测系统能够实时检测指定的僵尸网络,并获得了较高的检测率和较低的误报率。而且,在真实的网络环境中,BotScanner分布式检测系统能够进行实时检测,加速比接近线性,验证了Spark Streaming引擎在分布式流处理方面的优势,以及用于僵尸网络检测方面的可行性。     

Behavioral analysis of botnets for threat intelligence

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals and attackers use botnets to conduct a wide range of operations including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics, and form clusters based on size, growth and type of malicious behavior. We introduce a social network connectivity metric, and show that command and control and malware botnets have similar scores with this metric while spam and phishing botnets have similar scores. We describe how a Guilt-by-Association approach and connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.     

Domain-flux僵尸网络域名检测

针对现有Domain-flux僵尸网络检测方法在检测范围方面的不足,提出基于域名访问活跃特征的Domain-flux僵尸网络域名检测方法。通过阐述Domain-flux僵尸网络所利用的域名集合在访问方面所表现出的时间行为特征,提出一种基于域名访问活跃特征的检测算法,给出检测算法的具体描述、检测处理流程及系统整体结构,利用某运行商DNS服务器镜像数据实验验证检测算法。实验结果显示,检测算法不依赖于具体的域名字符特征,可以有效过滤出Domain-flux僵尸网络所利用的域名。     

基于通信相似度的僵尸网络节点检测方法

目前,僵尸网络检测方法大多依靠对僵尸网络通信活动或通信内容的分析,前者对数据流的特征进行统计分析,不涉及数据流中的内容,在检测加密类型方面具有较强优势,但准确性较低;后者依赖先验知识进行检测,具有较强的准确度,但检测的通用性较低。因此,根据杰卡德相似度系数定义了通信相似度,并提出了一种基于用户请求域名系统（DNS,domain name system）的通信相似度计算方法,用于基于网络流量的僵尸网络节点检测。最后,基于Spark框架对所提出的方法进行了实验验证,实验结果表明该方法可以有效地用于僵尸网络节点检测。     

动态自组织P2P僵尸网络的构建及其防御

僵尸网络作为大规模攻击活动的基础平台,严重威胁网络空间安全,从预测的角度对其开展研究具有重要的现实意义。针对现有研究在终端感知、身份识别和动态对抗中存在的不足,本文概括僵尸网络生命周期,总结P2P结构僵尸网络的脆弱点,建立P2P僵尸网络动态对抗模型,分析节点真实性判断和网络拓扑优化重构的重要性。在此基础上,从攻击者视角提出一种新颖的动态自组织P2P僵尸网络模型DSBot。该模型在架构设计上可扩展至各类目标设备,通过基于可信度矩阵和真实性验证的节点安全性评估机制增强终端对抗性,并提出分阶段感染策略。借鉴无线自组网和多智能体的思路和方法,刻画节点属性多维表示和基于状态标识的动态网络框架,以此为基础设计O(N_i)更新算法、均匀连接算法和节点主动移除算法,并结合相应的初始化和调整机制提出网络自组织重构策略,从而进一步提升网络的健壮性。其中,O(N_i)更新算法确保节点的可信度,均匀连接算法降低网络暴露风险,节点主动移除算法实时移除可疑节点。从平均等待时间、命令可达率、网络连接度和重构稳定时间等方面对DSBot模型进行评估。实验结果表明,DSBot模型在效率和韧性上可满足僵尸网络命令控制机制的基本需求。最后,从终端清除、命令控制服务器打击和命令控制过程等方面讨论了可能的防御策略。本文旨在通过预测新型僵尸网络模型来完善防御解决方案。