Bayesian bot detection based on DNS traffic similarity
ABSTRACT Bots are often detected by their communication with a command and control (C&C) infrastructure. To evade detection, botmasters increasingly obfuscate C&C communications, e.g., by using fast-flux or peer-to-peer protocols. However, commands tend to elicit similar actions in bots of the same botnet. We propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and a sensitivity analysis suggest that the proposed method is effective and robust.
Detection of Behavioral Malware in Delay Tolerant Networks
Disruption-tolerant networking has gained currency in the United States due to support from DARPA, which has funded many DTN projects. Disruption may occur because of the limits of wireless radio range, sparsity of mobile nodes, energy resources, attacks, and noise. The delay-tolerant network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct. Proximity malware is a class of malware that exploits the opportunistic contacts and distributed nature of DTNs for propagation. Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware. In this paper, we first propose a general behavioral characterization of proximity malware based on the naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spam and detecting botnets. We identify two unique challenges for extending Bayesian malware detection to DTNs ("insufficient evidence vs. evidence collection risk" and "filtering false evidence sequentially and distributedly"), and propose a simple yet effective method, look-ahead, to address them. Furthermore, we propose two extensions to look-ahead, dogmatic filtering and adaptive look-ahead, to address the challenge of "malicious nodes sharing false evidence". Real mobile network traces are used to verify the effectiveness of the proposed methods.
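The two abstracts above rest on the same machinery: a naive Bayes model that scores a host (or DTN node) by how closely its observed behavior resembles that of known bots, with the DTN paper adding the question of how much evidence to collect before deciding. The following added example (mine, not code from either paper) shows that machinery end to end. It trains a Laplace-smoothed naive Bayes model on per-host DNS query features, then scores an unknown host one query at a time as accumulated log-odds and stops as soon as the evidence crosses a threshold. Everything in it is constructed: the labelled training hosts, the query names (which use reserved example domains), the feature set (registered domain plus TLD), and the `min_evidence` cutoff, which is only a stand-in for the paper's look-ahead rule, whose exact form the abstract does not give.

```python
"""Naive Bayes bot scoring over DNS query names, with sequential evidence accumulation.

Added example; not code from either paper above. Training hosts, query names and
the feature set are constructed. Domains use reserved names (.example, example.com).
"""
import math
from collections import Counter, defaultdict

# Constructed labelled training data: (label, DNS query names seen from one host).
TRAINING = [
    ("bot", ["cc1.botpool.example", "ping.botpool.example", "update.fluxnet.example"]),
    ("bot", ["cc2.botpool.example", "update.fluxnet.example", "www.example.com"]),
    ("bot", ["pool.fluxnet.example", "cc3.botpool.example"]),
    ("benign", ["www.example.com", "mail.example.org", "cdn.example.net"]),
    ("benign", ["www.example.com", "news.example.org"]),
    ("benign", ["cdn.example.net", "www.example.org", "api.example.com"]),
]


def tokens(qname):
    """Features for one query: the last two labels (registered domain) and the TLD.
    This feature set is an assumption chosen for the example, not the paper's."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return {labels[0]}
    return {".".join(labels[-2:]), labels[-1]}


class NaiveBayesDns:
    """Per-host naive Bayes on feature presence, with add-one (Laplace) smoothing."""

    def __init__(self):
        self.hosts = Counter()             # class -> number of training hosts
        self.feat = defaultdict(Counter)   # class -> feature -> hosts of that class showing it

    def fit(self, labelled_hosts):
        for label, qnames in labelled_hosts:
            feats = set().union(*(tokens(q) for q in qnames))
            self.hosts[label] += 1
            for f in feats:
                self.feat[label][f] += 1
        return self

    def _p(self, label, f):
        # P(feature present | class); smoothing keeps unseen features away from log(0)
        return (self.feat[label][f] + 1) / (self.hosts[label] + 2)

    def prior_log_odds(self):
        return math.log((self.hosts["bot"] + 1) / (self.hosts["benign"] + 1))

    def llr(self, f):
        """Log-likelihood ratio bot:benign contributed by observing feature f."""
        return math.log(self._p("bot", f) / self._p("benign", f))

    def score_sequential(self, qnames, threshold=2.0, min_evidence=1):
        """Walk the host's queries in order, adding each new feature's LLR to the
        running log-odds; decide once |log-odds| >= threshold, but never before
        min_evidence queries have been consumed.
        Returns (decision, log_odds, queries_consumed)."""
        lo = self.prior_log_odds()
        seen = set()
        for i, q in enumerate(qnames, 1):
            for f in tokens(q) - seen:     # presence-only: each feature counts once
                seen.add(f)
                lo += self.llr(f)
            if i >= min_evidence:
                if lo >= threshold:
                    return "bot", lo, i
                if lo <= -threshold:
                    return "benign", lo, i
        return "undecided", lo, len(qnames)


def build_model():
    return NaiveBayesDns().fit(TRAINING)


def demo():
    """Score three constructed hosts; returns the decisions for inspection."""
    m = build_model()
    cases = {
        "mixed_then_c2": ["www.example.com", "cc9.botpool.example", "ping.fluxnet.example"],
        "benign_only": ["mail.example.org", "www.example.com"],
        "single_query": ["www.example.com"],
    }
    return {name: m.score_sequential(qs) for name, qs in cases.items()}


if __name__ == "__main__":
    for name, (decision, lo, n) in demo().items():
        print(f"{name:15s} {decision:10s} log-odds={lo:+.2f} after {n} queries")
```

Running `demo()` shows the three outcomes. The benign host is classified after a single query, which is the "insufficient evidence" failure mode in miniature: raising `min_evidence` delays the decision until more queries have been seen, at the cost of letting an infected host run longer before it is flagged. Presence-only scoring (features that never appear contribute nothing) keeps the update incremental, which a sequential setting needs, but it is not a full Bernoulli naive Bayes.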
A P2P Botnet Virus Detection System Based on Data-Mining Algorithms
ABSTRACT A P2P botnet virus detection system based on data-mining algorithms is proposed in this study to detect infected computers quickly using a Bayes classifier and a neural network (NN) classifier. The system can detect P2P botnet viruses in the early stage of infection and report to network managers to avoid further infection. The system adopts real-time flow identification techniques to detect traffic flows produced by P2P application programs and botnet viruses by comparing them with known flow patterns in a database. After training, in which the system parameters are adjusted using test samples, the experimental results show an accuracy of 95.78% for the Bayes classifier and 98.71% for the NN classifier in detecting P2P botnet viruses and suspicious flows, achieving the goal of infection control in a short time.
An Effective Conversation-Based Botnet Detection Method
A botnet is one of the most serious threats to network security, since it can be turned to many attacks, such as denial of service (DoS), spam, and phishing. However, current detection methods are ineffective at identifying unknown botnets, and high-speed network environments make botnet detection more difficult. To address these problems, we build on advances in packet-processing technologies such as the New API (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnets using a supervised machine learning approach in a high-speed network environment. Our contributions are summarized as follows: (1) we build a detection framework using PF_RING for sniffing and processing network traces to extract flow features dynamically; (2) we use a random forest model to extract promising conversation features; (3) we analyze the performance of different classification algorithms. The proposed method is demonstrated on the well-known CTU-13 dataset and on non-malicious applications. The experimental results show that our conversation-based detection approach identifies botnets with higher accuracy and a lower false positive rate than the flow-based approach.
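As an added example (mine, not the paper's code) of what "conversation-based" features look like next to flow-based ones, the block below parses records in the CTU-13 binetflow CSV layout (assumed column order), groups flows into conversations keyed by source host, destination host and protocol (my assumed key; the abstract does not define one), and computes per-conversation features that a single flow cannot express, such as the mean gap between flow starts and its jitter. The records are constructed: a beaconing host on 192.0.2.10 and an ordinary HTTPS client on 192.0.2.20, both in documentation address ranges. No random forest is included; the feature dictionaries are what such a classifier would be trained on.

```python
"""Conversation-level features from CTU-13-style binetflow records.

Added example, not the paper's code. Records are constructed; the column layout follows
the binetflow CSV header (assumed), and the conversation key is an assumption.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in binetflow layout. 192.0.2.10 beacons to an IRC-style C&C port
# every 20 s with near-identical flows; 192.0.2.20 is an HTTPS client with irregular flows.
SAMPLE = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2011/08/10 09:46:53.000000,0.005,tcp,192.0.2.10,51201,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:47:13.000000,0.004,tcp,192.0.2.10,51202,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:47:33.000000,0.005,tcp,192.0.2.10,51203,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:47:53.000000,0.006,tcp,192.0.2.10,51204,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:48:13.000000,0.005,tcp,192.0.2.10,51205,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:48:33.000000,0.005,tcp,192.0.2.10,51206,->,198.51.100.5,6667,S_RA,0,0,4,276,156,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:46:50.000000,12.3,tcp,192.0.2.20,40001,->,198.51.100.80,443,FSPA_FSPA,0,0,60,41200,4100,flow=From-Normal-V42-Jist
2011/08/10 09:47:41.500000,3.1,tcp,192.0.2.20,40002,->,198.51.100.80,443,FSPA_FSPA,0,0,18,9020,1500,flow=From-Normal-V42-Jist
2011/08/10 09:49:05.250000,25.7,tcp,192.0.2.20,40003,->,198.51.100.80,443,FSPA_FSPA,0,0,140,120000,6000,flow=From-Normal-V42-Jist
"""


def parse_binetflow(text):
    """Yield one dict per record with numeric and timestamp fields converted."""
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["StartTime"], "%Y/%m/%d %H:%M:%S.%f")
        row["Dur"] = float(row["Dur"])
        for k in ("TotPkts", "TotBytes", "SrcBytes"):
            row[k] = int(row[k])
        yield row


def conversation_key(r):
    """Assumed conversation key: all flows between one source host and one destination
    host over one protocol, regardless of the ephemeral source port."""
    return (r["SrcAddr"], r["DstAddr"], r["Proto"])


def conversation_features(flows):
    """Aggregate a conversation's flows into features a per-flow view cannot express."""
    flows = sorted(flows, key=lambda r: r["start"])
    starts = [r["start"] for r in flows]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    tot_pkts = sum(r["TotPkts"] for r in flows)
    tot_bytes = sum(r["TotBytes"] for r in flows)
    src_bytes = sum(r["SrcBytes"] for r in flows)
    mean_gap = statistics.fmean(gaps) if gaps else 0.0
    # Jitter of the inter-flow gap: ~0 for periodic beaconing, large for human-driven traffic.
    jitter = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else 0.0
    return {
        "n_flows": len(flows),
        "mean_dur": statistics.fmean(r["Dur"] for r in flows),
        "bytes_per_pkt": tot_bytes / tot_pkts,
        "src_bytes_ratio": src_bytes / tot_bytes,
        "distinct_dports": len({r["Dport"] for r in flows}),
        "mean_gap": mean_gap,
        "gap_jitter": jitter,
        # Ground truth from the dataset's own Label column, used only for training/evaluation.
        "label": "botnet" if any("Botnet" in r["Label"] for r in flows) else "normal",
    }


def extract_conversations(text):
    """Map conversation key -> feature dict for every conversation in the text."""
    convs = defaultdict(list)
    for r in parse_binetflow(text):
        convs[conversation_key(r)].append(r)
    return {k: conversation_features(v) for k, v in convs.items()}


if __name__ == "__main__":
    for key, fx in extract_conversations(SAMPLE).items():
        print(key, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in fx.items()})
```

The point of the aggregation is visible in the two results: looked at one flow at a time, the beacons are unremarkable 4-packet TCP exchanges, while the conversation view exposes a fixed 20 s cadence with zero jitter and a constant bytes-per-packet figure, which the human-driven HTTPS conversation does not have. A flow-based model sees only the rows; a conversation-based model sees the rhythm.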
Simulation Modeling of Protection Mechanisms Against Botnets (Имитационное моделирование механизмов защиты от бот-сетей)
To create effective protection mechanisms against botnets, it is necessary to investigate the behavior of botnets and their impact on the operation of computer networks, as well as methods for detecting and counteracting them. The paper investigates protection mechanisms against botnets that spread using worm propagation techniques and carry out DDoS attacks. As a toolkit for studying botnets and protection mechanisms, we developed a simulation environment. The paper describes the architecture of the implemented simulation environment and presents a set of experiments that demonstrate its capabilities for the study of botnets and protection mechanisms.