CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

We present CoCoSpot, a novel approach to recognize botnet command and control channels solely based on traffic analysis features, namely carrier protocol distinction, message length sequences and encoding differences. Thus, CoCoSpot can deal with obfuscated and encrypted C&C protocols and complements current methods to fingerprint and recognize botnet C&C channels. Using average-linkage hierarchical clustering of labeled C&C flows, we show that for more than 20 recent botnets and over 87,000 C&C flows, CoCoSpot can recognize more than 88% of the C&C flows at a false positive rate below 0.1%.     

Peri-Watchdog: Hunting for hidden botnets in the periphery of online social networks

In order to evade detection of ever-improving defense techniques, modern botnet masters are constantly looking for new communication platforms for delivering C&C (Command and Control) information. Attracting their attention is the emergence of online social networks such as Twitter, as the information dissemination mechanism provided by these networks can naturally be exploited for spreading botnet C&C information, and the enormous amount of normal communications co-existing in these networks makes it a daunting task to tease out botnet C&C messages.Against this backdrop, we explore graph-theoretic techniques that aid effective monitoring of potential botnet activities in large open online social networks. Our work is based on extensive analysis of a Twitter dataset that contains more than 40 million users and 1.4 billion following relationships, and mine patterns from the Twitter network structure that can be leveraged for improving efficiency of botnet monitoring. Our analysis reveals that the static Twitter topology contains a small-sized core sugraph, after removing which, the Twitter network breaks down into small connected components, each of which can be handily monitored for potential botnet activities. Based on this observation, we propose a method called Peri-Watchdog, which computes the core of a large online social network and derives the set of nodes that are likely to pass botnet C&C information in the periphery of online social network. We analyze the time complexity of Peri-Watchdog under its normal operations. We further apply Peri-Watchdog on the Twitter graph injected with synthetic botnet structures and investigate the effectiveness of Peri-Watchdog in detecting potential C&C information from these botnets.To verify whether patterns observed from the static Twitter graph are common to other online social networks, we analyze another online social network dataset, BrightKite, which contains evolution of social graphs formed by its users in half a year. We show not only that there exists a similarly relatively small core in the BrightKite network, but also this core remains stable over the course of BrightKite evolution. We also find that to accommodate the dynamic growth of BrightKite, the core has to be updated about every 18 days under a constrained monitoring capacity.     

New facets of mobile botnet: architecture and evaluation

It is without a doubt that botnets pose a growing threat to the Internet, with DDoS attacks of any kind carried out by botnets to be on the rise. Nowadays, botmasters rely on advanced Command and Control (C&C) infrastructures to achieve their goals and most importantly to remain undetected. This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel. The first one puts forward the idea of using a continually changing mobile HTTP proxy in front of the botherder, while the other capitalizes on DNS protocol as a covert channel for coordinating the botnet. That is, for the latter, the messages exchanged among the bots and the herder appear as legitimate DNS transactions. Also, a third architecture is described and assessed, which is basically an optimized variation of the first one. Namely, it utilizes a mixed layout where all the attacking bots are mobile, but the proxy machines are typical PCs not involved in the actual attack. For the DNS amplification attack, which is by nature more powerful, we report an amplification factor that fluctuates between 32.7 and 34.1. Also, regarding the imposed C&C cost, we assert that it is minimal (about 0.25 Mbps) per bot in the worst case happening momentarily when the bot learns about the parameters of the attack.     

面向可扩展僵尸网络的安全控制方法

僵尸网络是互联网面临的主要威胁之一。当前,网络服务类型多样、安全漏洞频出、以物联网设备为代表的海量联网设备部署更加有利于僵尸网络全球扩展。未来僵尸网络将更加具有跨平台特性和隐匿性,这给网络空间带来了严重的安全隐患。因此,针对僵尸网络自身开展深入研究,可以为新的僵尸网络防御研究提供研究对象,对于设计下一代网络安全防护体系具有重要意义。提出一种基于HTTP的可扩展僵尸网络框架来解决僵尸网络自身存在的兼容性、隐匿性与安全性问题,该框架基于中心式控制模型, 采用HTTP 作为僵尸网络通信协议,并对通信内容进行基于对称密码学的块加密。进一步地,提出了一种面向多平台架构的僵尸网络安全控制方法,该方法利用源码级代码集成与交叉编译技术解决兼容性问题,引入动态密钥加密通信机制克服传统僵尸网络流量存在规律性和易被分析的不足,设计服务器迁移与重连机制解决中心式僵尸网络模型存在的单点失效问题,以提高僵尸网络存活率。3 个不同控制性水平场景下的仿真实验结果表明,僵尸网络的规模与其命令与控制（C＆amp;C,command and control）服务器服务负载之间存在线性关系;此外,在僵尸网络规模相同的条件下,越高的控制性会带来越高的吞吐量和越大的系统负载,从而验证了所提方法的有效性和现实可行性。     

Botnet command and control based on Short Message Service and human mobility

Many serious threats for PCs are spreading to the mobile environment. A mobile botnet, which is a collection of hijacked smartphones under the control of hackers, is one of them. With the quick development of the computing and communication abilities of smartphones, many command and control (C&C) techniques in PC botnets can be easily reused in mobile botnets. However, some particular functions and characteristics of smartphones may provide botmasters with additional means to control their mobile botnets. This paper presents two special C&C mechanisms that leverage Short Message Service and human mobility, respectively. The first one designs a SMS-based flooding algorithm to propagate commands. We theoretically prove that the uniform random graph is the optimal topology for this botnet, and demonstrate its high efficiency and stealth with various simulations. The second one utilizes Bluetooth to transmit botnet commands when hijacked smartphones encounter each other while in motion. We study its performance in a 100 m × 100 m square area with NS-2 simulations, and show that human-mobility characteristics facilitate the command propagation. Even if the infection rate is low, the command can still be effectively propagated provided that the mobility of devices is high. In the end, we propose effective defense strategies against these two special C&C mechanisms.     

The SIC botnet lifecycle model: A step beyond traditional epidemiological models

Botnets, overlay networks built by cyber criminals from numerous compromised network-accessible devices, have become a pressing security concern in the Internet world. Availability of accurate mathematical models of population size evolution enables security experts to plan ahead and deploy adequate resources when responding to a growing threat of an emerging botnet. In this paper, we introduce the Susceptible-Infected-Connected (SIC) botnet model. Prior botnet models are largely the same as the models for the spread of malware among computers and disease among humans. The SIC model possesses some key improvements over earlier models: (1) keeping track of only key node stages (Infected and Connected), hence being applicable to a larger set of botnets; and (2) being a Continuous-Time Markov Chain-based model, it takes into account the stochastic nature of population size evolution. The SIC model helps the security experts with the following two key analyses: (1) estimation of the global botnet size during its initial appearance based on local measurements; and (2) comparison of botnet mitigation strategies such as disinfection of nodes and attacks on botnet’s Command and Control (C&C) structure. The analysis of the mitigation strategies has been strengthened by the development of an analytical link between the SIC model and the P2P botnet mitigation strategies. Specifically, one can analyze how a random sybil attack on a botnet can be fine-tuned based on the insight drawn from the use of the SIC model. We also show that derived results may be used to model the sudden growth and size fluctuations of real-world botnets.     

Detecting P2P bots by mining the regional periodicity

Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays.Current methods for detecting P2P botnets,such as similarity analysis of network behavior and machine-learning based classification,cannot handle the challenges brought about by different network scenarios and botnet variants.We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase.In this paper,we propose a novel detection model named detection by mining regional periodicity (DMRP),including capturing the event time series,mining the hidden periodicity of host behaviors,and evaluating the mined periodic patterns to identify P2P bot traffic.As our detection model is built based on the basic properties of P2P protocols,it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C.For hidden periodicity mining,we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem.The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.     

Dissecting SpyEye – Understanding the design of third generation botnets

Botnet malware is improving with the latest (3rd) generation exemplified by the SpyEye and Zeus botnets. These botnets are important to understand because they target online financial transactions, primarily with banks. In this paper, we analyze the components from multiple generations of the SpyEye botnet in order to understand both how it works and how it is evolving. SpyEye is a sophisticated piece of malware with a modular design that eases the incorporation of improvements. We will discuss in detail the complete framework of SpyEye botnet consisting of the Bot Development Kit (BDK), the plugin architecture, the backend storage server, the bot design and the web-based Command and Control (C&C) management system. In addition, we also examine the techniques used by SpyEye to steal money.     

Behavioral analysis of botnets for threat intelligence

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals and attackers use botnets to conduct a wide range of operations including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics, and form clusters based on size, growth and type of malicious behavior. We introduce a social network connectivity metric, and show that command and control and malware botnets have similar scores with this metric while spam and phishing botnets have similar scores. We describe how a Guilt-by-Association approach and connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.     

Resource monitoring for the detection of parasite P2P botnets

Detecting botnet behaviors in networks is a popular topic in the current research literature. The problem of detection of P2P botnets has been denounced as one of the most difficult ones, and this is even sounder when botnets use existing P2P networks infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control communications (C&C) between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme which is based on modeling the evolution of the number of peers sharing a resource in a P2P network over time. This allows to detect abnormal behaviors associated to parasite P2P botnet resources in this kind of environments. We perform extensive experiments on Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered.     

Identifying botnets by capturing group activities in DNS traffic

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data needed to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristics, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector) needs a small amount of data from DNS traffic to detect botnet, not all network traffic content or known signatures. BotGAD can detect botnets from a large-scale network in real-time even though the botnet performs encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large scale networks.     

Efficient botnet herding within the Tor network

During 2013 the Tor network had a massive spike in new users as a botnet started using Tor hidden services to hide its C&C (Command and Control) servers. This resulted in network congestion and reduced performance for all users. Tor hidden services are attractive to botnet herders because they provide anonymity for both the C&C servers and the bots. The aim of this paper is to present a superior way that Tor hidden services can be used for botnet C&C which minimises harm to the Tor network while retaining all security benefits.     

CloudBot: Advanced mobile botnets using ubiquitous cloud technologies

The mobile botnet is a collection of compromised mobile devices that can remotely receive commands from the botmaster. Exploiting unique features of mobile networks and smartphones, mobile botnets pose a severe threat to mobile users, because smartphones have become an indispensable part of our daily lives and carried a lot of private information. With the development of cloud computing technologies, botmaster can utilize ubiquitous cloud technologies to construct robust and scalable C&C (command and control) channel for mobile botnet. In this paper, we propose Cloudbot, a novel mobile botnet, which outperforms existing mobile botnets in terms of robustness, controllability, scalability, and stealthiness. Although the basic idea of using cloud technologies seems straightforward, we explore the design space of exploiting such services and tackle several challenging issues to overcome the limitations of existing mobile botnets. We have implemented CloudBot by exploiting popular push services and cloud storage services, and evaluated it through extensive experiments. The results demonstrate not only the feasibility of CloudBot but also its advantages, such as stealthiness, robustness, and performance.     

Detecting P2P botnets by discovering flow dependency in C&C traffic

Botnets are widely used by attackers and they have evolved from centralized structures to distributed structures. Most of the modern P2P bots launch attacks in a stealthy way and the detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bots’ information provided by external systems. It detects P2P bots by focusing on the instinct characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots and normal hosts by clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.     

僵尸网络机理与防御技术

以僵尸网络为载体的各种网络攻击活动是目前互联网所面临的最为严重的安全威胁之一.虽然近年来这方面的研究取得了显著的进展,但是由于僵尸网络不断演化、越来越复杂和隐蔽以及网络和系统体系结构的限制给检测和防御带来的困难,如何有效应对僵尸网络的威胁仍是一项持续而具有挑战性的课题.首先从僵尸网络的传播、攻击以及命令与控制这3个方面介绍了近年来僵尸网络工作机制的发展,然后从监测、工作机制分析、特征分析、检测和主动遏制这5个环节对僵尸网络防御方面的研究进行总结和分析,并对目前的防御方法的局限、僵尸网络的发展趋势和进一步的研究方向进行了讨论.     

一种抗污染的混合P2P僵尸网络

基于Peer-list的混合型P2P僵尸网络代表了一类高级僵尸网络形态,这种僵尸网络的优势是可抵抗传统P2P僵尸网络易受的索引污染（Index Poisoning）攻击和女巫（Sybil）攻击,然而却引入了新的问题——易受Peer-list污染攻击。本文提出一种新颖的混合P2P僵尸网络设计模型,在僵尸网络构建和Peer-list更新的整个生命周期中引入信誉机制,使得Peer-list污染攻击难以发挥作用。实验证明该模型具备很强的抗污染能力和很高的健壮性,因此对网络安全防御造成了新的威胁。最后,我们提出了若干可行的防御方法。本文旨在增加防御者对高级僵尸网络的理解,以促进更有效的网络防御。     

僵尸网络中的关键问题

僵尸网络是一种复杂、灵活、高效的网络攻击平台,在互联网中分布非常广泛.僵尸网络使攻击者具备了实施大规模恶意活动的能力,如发送垃圾邮件、发动分布式拒绝服务攻击等.由于其危害日益严重,僵尸网络已经成为网络安全研究的热点之一.但是近年来,僵尸网络新的发展、变化,突破了以往对僵尸网络的认知.文中分析僵尸网络的现有研究,对僵尸网络进行了重新定义,并从网络结构、网络独立性和信息传递方式等角度对僵尸网络的类型进行了划分;然后,梳理了僵尸网络检测技术、测量技术和反制技术等方面的工作;最后,给出了僵尸网络的演化趋势和未来研究方向.     

Scalable fine-grained behavioral clustering of HTTP-based malware

A large number of today’s botnets leverage the HTTP protocol to communicate with their botmasters or perpetrate malicious activities. In this paper, we present a new scalable system for network-level behavioral clustering of HTTP-based malware that aims to efficiently group newly collected malware samples into malware family clusters. The end goal is to obtain malware clusters that can aid the automatic generation of high quality network signatures, which can in turn be used to detect botnet command-and-control (C&C) and other malware-generated communications at the network perimeter.We achieve scalability in our clustering system by simplifying the multi-step clustering process proposed in [31], and by leveraging incremental clustering algorithms that run efficiently on very large datasets. At the same time, we show that scalability is achieved while retaining a good trade-off between detection rate and false positives for the signatures derived from the obtained malware clusters. We implemented a proof-of-concept version of our new scalable malware clustering system and performed experiments with about 65,000 distinct malware samples. Results from our evaluation confirm the effectiveness of the proposed system and show that, compared to [31], our approach can reduce processing times from several hours to a few minutes, and scales well to large datasets containing tens of thousands of distinct malware samples.     

Tsunami: A parasitic,indestructible botnet on Kad

While current botnets rely on a central server or bootstrap nodes for their operations, in this paper we identify and investigate a new type of botnet, called Tsunami, in which no such bottleneck nodes exist. In particular, we study how a Tsunami botnet can build a parasitic relationship with a widely deployed P2P system, Kad, to successfully issue commands to its bots, launch various attacks, including distributed denial of service (DDoS) and spam, at ease, as well as receive responses from the bots. Our evaluation shows that in a Kad network with four million nodes, even with only 6 % nodes being Tsunami bots, Tsunami can reach 75 % of its bots in less than 4 min and receive responses from 99 % of bots. We further propose how we may defend against Tsunami and evaluate the defense solution.     

基于流量摘要的僵尸网络检测

随着僵尸网络的日益进化,检测和防范僵尸网络攻击成为网络安全研究的重要任务.现有的研究很少考虑到僵尸网络中的时序模式,并且在实时僵尸网络检测中效果不佳,也无法检测未知的僵尸网络.针对这些问题,本文提出了基于流量摘要的僵尸网络检测方法,首先将原始流数据按照源主机地址聚合,划分适当的时间窗口生成流量摘要记录,然后构建决策树、随机森林和XGBoost机器学习分类模型.在CTU-13数据集上的实验结果表明,本文提出的方法能够有效检测僵尸流量,并且能够检测未知僵尸网络,此外,借助Spark技术也能满足现实应用中快速检测的需要.