252 research outputs found

    OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

    Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and takeovers, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all IP-based current mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, that is simple to implement, OnionBots achieve a low diameter and a low degree and are robust to partitioning under node deletions. We developed a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and discuss a set of techniques that can enable subsequent waves of Super OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure. Comment: 12 pages, 8 figure

    Analyzing IDS botnets detection

    Double-degree master's programme with UTFPR - Universidade Tecnológica Federal do Paraná. In a world increasingly connected with equipment permanently attached, the risk of cybersecurity has risen. Among the various vulnerabilities and forms of exploitation, the Botnets are those being addressed in this work. The number of botnet-related infections has grown critically and, due to botnets’ increased capacity and potential use for future infections, a continued development of solutions is needed to strengthen the protection of networks and systems. Intrusion Detection Systems (IDS) are one of the solutions that try to follow this evolution. The continuous evolution of tools and attack forms in order to evade detection, using mechanisms such as encryption (IPSec, SSL) and diverse architecture and different ways of implementing Botnets, creates great challenges to those who try to detect them. In order to better understand these challenges, this work proposes an architecture to map the behavior of botnets. For this, a topology was created with several components, such as Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS), aided with information from honeypots for the detection and analysis of attacks. This approach enabled real data to be obtained from attempts, some successful, at Malware infections, with the aim of transforming systems into Bots and integrating them into Botnets. An exploratory analysis of the data is performed to verify the detection capabilities and the cases where the components do not provide correct information. Some methods based on machine learning were also used to process and analyze the collected data.
    In an increasingly connected world, with more and more equipment permanently connected, cybersecurity risk has increased. Among the various vulnerabilities and forms of continued exploitation, Botnets are the ones targeted in this work. The number of Botnet-related infections has grown critically and, because they give attackers greater capabilities and have great potential for future infection, continuous development of solutions is needed to strengthen the protection of networks and systems. Intrusion Detection Systems (IDS) are one of the solutions that try to keep up with the evolution of this type of threat. The continuous evolution of tools and forms of attack in order to evade detection, using mechanisms such as encrypted traffic (IPSec, SSL), diverse architectures and different ways of implementing Botnets, poses great challenges to those who try to detect them. In order to better understand these challenges, this work proposes an architecture to map the behavior of Botnets. For this, a topology was created with several components, such as Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS), aided by information from honeypots for the detection and analysis of attacks. This approach made it possible to obtain real data from attempts, some successful, at Malware infection, with the aim of turning systems into Bots and integrating them into Botnets. An exploratory analysis of the data is carried out to verify the detection capability and the cases in which the systems do not provide correct information. Some methods based on machine learning were also used to process and analyze the collected data.

    Network Traffic Analysis Using Stochastic Grammars

    Network traffic analysis is widely used to infer information from Internet traffic. This is possible even if the traffic is encrypted. Previous work uses traffic characteristics, such as port numbers, packet sizes, and frequency, without looking for more subtle patterns in the network traffic. In this work, we use stochastic grammars, hidden Markov models (HMMs) and probabilistic context-free grammars (PCFGs), as pattern recognition tools for traffic analysis. HMMs are widely used for pattern recognition and detection. We use a HMM inference approach. With inferred HMMs, we use confidence intervals (CI) to detect if a data sequence matches the HMM. To compare HMMs, we define a normalized Markov metric. A statistical test is used to determine model equivalence. Our metric systematically removes the least likely events from both HMMs until the remaining models are statistically equivalent. This defines the distance between models. We extend the use of HMMs to PCFGs, which have more expressive power. We estimate PCFG production probabilities from data. A statistical test is used for detection. We present three applications of HMM and PCFG detection to network traffic analysis. First, we infer the presence of protocol tunneling through Tor (the onion router) anonymization network. The Markov metric quantifies the similarity of network traffic HMMs in Tor to identify the protocol. It also measures communication noise in Tor network. We use HMMs to detect centralized botnet traffic. We infer HMMs from botnet traffic data and detect botnet infections. Experimental results show that HMMs can accurately detect Zeus botnet traffic. To hide their locations better, newer botnets have P2P control structures. Hierarchical P2P botnets contain recursive and hierarchical patterns. We use PCFGs to detect P2P botnet traffic. Experimentation on real-world traffic data shows that PCFGs can accurately differentiate between P2P botnet traffic and normal Internet traffic

    From Intrusion Detection to Attacker Attribution: A Comprehensive Survey of Unsupervised Methods

    Over the last five years there has been an increase in the frequency and diversity of network attacks. This holds true, as more and more organisations admit compromises on a daily basis. Many misuse and anomaly based Intrusion Detection Systems (IDSs) that rely on either signatures, supervised or statistical methods have been proposed in the literature, but their trustworthiness is debatable. Moreover, as this work uncovers, the current IDSs are based on obsolete attack classes that do not reflect the current attack trends. For these reasons, this paper provides a comprehensive overview of unsupervised and hybrid methods for intrusion detection, discussing their potential in the domain. We also present and highlight the importance of feature engineering techniques that have been proposed for intrusion detection. Furthermore, we discuss that current IDSs should evolve from simple detection to correlation and attribution. We descant how IDS data could be used to reconstruct and correlate attacks to identify attackers, with the use of advanced data analytics techniques. Finally, we argue how the present IDS attack classes can be extended to match the modern attacks and propose three new classes regarding the outgoing network communicatio

    Mitigating Botnet Attack Using Encapsulated Detection Mechanism (EDM)

    Botnet as it is popularly called became fashionable in recent times owing to its embedded force on network servers. Botnet has an exponential growth of about 170,000 within network server and client infrastructures per day. The networking environment on monthly basis battle over 5 million bots. Nigeria as a country loses above one hundred and twenty five (N125) billion naira to network fraud annually, end users such as Banks and other financial institutions battle daily the botnet threats. Comment: This paper addresses critical area of networ

    Experimental host-and network-based analyser and detector for Botnets

    Botnets are networks of malware-infected machines that are controlled by an adversary and are the cause of a large number of problems on the internet [1]. They are increasing faster than any other type of malware and have created a huge army of hosts over the internet. By coordinating themselves, they are able to initiate attacks of unprecedented scales [2]. An example of such a Botnet can be made in Python code. This Botnet will be able to generate a simple attack which will steal screenshots taken while the user is entering his confidential information on a bank website. The aim of this project is firstly to detect and analyse this Botnet operation and secondly to make statistics of the Intrusion Detection System detection rate. Detecting malicious software in the system is generally made by an antivirus which analyses a file's signature and compares it to their own database in order to know if a file is infected or not. Other kinds of detection tools such as Host-based IDS (Intrusion Detection System) can be used: they trigger abnormal activity but in reality, they generate many false positive results. The tool "Process monitor" is able to detect every process used by the system in real time, and another tool "Filewatcher", is able to detect any modification of files on the hard drive. These tools aim to recognize whether a program is acting suspiciously within the computer and this activity should be logged by one of these security tools. However, results from the first experiment revealed that the host-based detection remained unfeasible using these tools because of the multiples of processes which are continuously running inside the system causing many false positive errors. On the other hand, the network activity has been monitored in order to detect, using an Intrusion Detection System, the next intrusion or activity of this Botnet on the network.
The experiment is going to test the IDS by increasing network activity, and will include attacks to some background traffic generated at different speeds. The aim is to see how the IDS will react to this increasing type of traffic. Results show that the CPU utilisation of the IDS is increasing in function of the network speed. But even if all the attacks have been successfully detected under 80Mb/s, 5% of the packets have been dropped by the IDS and could have contained some malicious activity. This paper concludes that for this experimental setup which uses a 2.0 GHz CPU, to have a secure network with 0% of packet drop by the IDS, the maximum network activity should be of 30Mb/s. Further development in this project could be to experiment with different CPU performances assessing how the IDS will react to an increasing network activity and when it will start dropping packets. It would allow companies to gauge which configuration is needed for their IDS to be totally reliable with 0% dropped packets or semi-reliable with less than 2% dropped packets

    Catching modern botnets using active integrated evidential reasoning
