
Good guys vs. Bot Guise: Mimicry attacks against fast-flux detection systems

By Matthew Knysz, Xin Hu and Kang G. Shin


Abstract. Fast-Flux (FF) service networks are botnet-based hosting or redirection/proxy services for hosting malicious and illegal content while affording botmasters a high level of misdirection and protection. With their use as service networks among criminals on the rise, researchers and security experts have designed fast and accurate detection systems based on their intrinsic behavior patterns. However, botmasters have responded, adopting a plethora of countermeasures to evade detection. In this paper, we explore the escalating “arms race” between FF botnet detectors and the botmasters’ efforts to subvert them, presenting several novel mimicry attack techniques that allow botmasters to avoid detection. We first analyze the state-of-the-art FF detectors and their effectiveness against the current botnet threat, demonstrating how botmasters can, with their current resources, thwart detection strategies. Based on realistic assumptions inferred from empirically observed trends, we create formal models for bot decay, online availability, DNS-advertisement strategies and performance, allowing us to compare how different mimicry attacks affect the overall online availability and capacity of botnets.

Year: 2016
OAI identifier: oai:CiteSeerX.psu:
Provided by: CiteSeerX