Abstract. Fast-Flux (FF) service networks are botnet-based hosting or redirection/proxy services for hosting malicious and illegal content while affording botmasters a high level of misdirection and protection. With their use as service networks among criminals on the rise, researchers and security experts have designed fast and accurate detection systems based on their intrinsic behavior patterns. However, botmasters have responded, adopting a plethora of countermeasures to evade detection. In this paper, we explore the escalating “arms race” between FF botnet detectors and the botmasters’ efforts to subvert them, presenting several novel mimicry attack techniques that allow botmasters to avoid detection. We first analyze the state-of-the-art FF detectors and their effectiveness against the current botnet threat, demonstrating how botmasters can—with their current resources—thwart detection strategies. Based on realistic assumptions inferred from empirically observed trends, we create formal models for bot decay, online availability, DNS-advertisement strategies and performance, allowing us to compare how different mimicry attacks affect the overall online availability and capacity of botnets.