    PeerHunter: Detecting Peer-to-Peer Botnets through Community Behavior Analysis

    Peer-to-peer (P2P) botnets have become one of the major threats in network security, serving as the infrastructure responsible for various cyber-crimes. Though a few existing works claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve a very high detection rate and low false positives. Comment: 8 pages, 2 figures, 11 tables, 2017 IEEE Conference on Dependable and Secure Computing

    Enhancing data privacy and security in Internet of Things through decentralized models and services

    exploits a Byzantine Fault Tolerant (BFT) blockchain, in order to perform collaborative and dynamic botnet detection by collecting and auditing IoT devices’ network traffic flows as blockchain transactions. Secondly, we take the challenge to decentralize IoT, and design a hybrid blockchain architecture for IoT, by proposing Hybrid-IoT. In Hybrid-IoT, subgroups of IoT devices form PoW blockchains, referred to as PoW sub-blockchains. Connection among the PoW sub-blockchains employs a BFT inter-connector framework. We focus on the PoW sub-blockchains formation, guided by a set of guidelines based on a set of dimensions, metrics and bounds

    A Historical evaluation of C&C complexity

    The actions of Malware are often controlled through uniform communications mechanisms, which are regularly changing to evade detection techniques and remain prolific. Though geographically dispersed, malware-infected nodes being controlled for a common purpose can be viewed as a logically joint network, now loosely referred to as a botnet. The evolution of the mechanisms or processes for controlling the networks of malware-infected nodes may be indicative of their sophistication relative to a point of inception or discovery (if inception time is unknown). A sampling of botnet related malware at different points of inception or discovery can provide accurate representations of the sophistication variance of command and control processes. To accurately measure a sampling, a matrix of sophistication, deemed the Complexity Matrix (CM), was created to categorize the signifying characteristics of Command and Control (C&C) processes amongst a historically-diverse selection of bot binaries. In this paper, a survey of botnets is conducted to identify C&C characteristics that accurately represent the level of sophistication being implemented within a specified time frame. The results of the survey are collected in a CM and used to generate a subsequent roadmap of C&C milestones

    OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

    Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and takeovers, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all current IP-based mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, which is simple to implement, OnionBots achieve a low diameter and a low degree and are robust to partitioning under node deletions. We developed a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and discuss a set of techniques that can enable subsequent waves of Super OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure. Comment: 12 pages, 8 figures

    From ZeuS to Zitmo : trends in banking malware

    In the crimeware world, financial botnets are a global threat to banking organizations. Such malware purposely performs financial fraud and steals critical information from clients' computers. A common example of banking malware is the ZeuS botnet. Recently, variants of this malware have targeted mobile platforms, as The-ZeuS-in-the-Mobile or Zitmo. With the rise in mobile systems, platform security is becoming a major concern across the mobile world, with a rising incidence of compromised Android devices. In a similar vein, there have been mobile botnet attacks on iPhone, Blackberry and Symbian devices. In this setting, we report on trends and developments of ZeuS and its variants

    Fighting botnets - a systematic approach

    The increasing impact of the Internet on the global economy has transformed botnets into one of the most feared security threats for citizens, organizations and governments. Despite the significant efforts that have been made over the last years to understand this phenomenon and develop detection techniques and countermeasures, this continues to be a field with big challenges to address. The most important detection approaches and countermeasures that have been proposed are usually oriented to address some specific type of botnet threat or to fight botnets in particular scenarios or conditions. This paper proposes a generic and systematic model to describe the network dynamics whenever a botnet threat is detected, defining all actors, dimensions, states and actions that need to be taken into account at each moment. We believe that the proposed model can be the basis for developing systematic and integrated frameworks, strategies and tools to predict and fight botnet threats in an efficient way. This research was supported by Fundação para a Ciência e a Tecnologia, under research project PTDC/EEA-TEL/101880/2008