22 research outputs found

    Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces


    An analysis of the evolution of botnets


    An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware

    Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for malware code mutation, has limited use in zero-day protection and is a post-infection technique requiring malware to be present on a device in order to be detected. A malicious bot is a malware variant that interconnects with other bots to form a botnet. Amongst their multiple malicious uses, botnets are ideal for launching mass Distributed Denial of Service attacks against the ever-increasing number of networked devices that are starting to form the Internet of Things and Smart Cities. Regardless of topology, centralised Command & Control or distributed Peer-to-Peer, bots must communicate with their commanding botmaster. This communication traffic can be used to detect malware activity in the cloud before it can evade network perimeter defences and to trace a route back to the source to take down the threat. This paper identifies the inefficiencies exhibited by signature-based detection when dealing with botnets. Total botnet eradication relies on traffic-based detection methods such as DNS record analysis, against which malware authors have multiple evasion techniques. Signature-based detection displays further inefficiencies when located within virtual environments, which form the backbone of data centre infrastructures, providing malware with a new attack vector. This paper highlights a lack of techniques for detecting malicious bot activity within such environments, proposing an architecture based upon flow sampling protocols to detect botnets within virtualised environments.

    Fast Flux Domain Detection Using DNS Traffic

    There are many possible attacks that affect the services of a DNS server; one such type of attack is Distributed Denial of Service (DDoS). To avoid such attacks, DNS servers use various techniques such as load balancing, Round Robin DNS, Content Distribution Networks, etc. But cybercriminals use these same techniques to hide their actual network location from the outside world. One such technique is Fast-Flux Service Networks (FFSN), which act like proxies for the cybercriminals and make them untraceable. FFSN is a major threat to Internet security and is used in many illegal scams such as phishing websites, malware delivery, illegal adult content, etc. Fast flux service networks have some limitations, as attackers do not have physical control over the compromised PCs. For the detection of FFSN, broadly two approaches have been proposed, namely, (i) using passive network traffic, and (ii) using active network traffic. The problem with detection using active network traffic is that it predicts CDN domains as FFSN domains, because initially an FFSN looks like a CDN. Further, many machine learning algorithms have been used to detect FFSN. In this research, we focus on two problems, namely, (i) the features used for detecting FFSN that help us distinguish FFSN from other networks efficiently, and (ii) finding the best classifier for detection of FFSN. This work shows how relevant features extracted from the network traffic help us distinguish FFSN from benign domains. Further, we propose the best threshold values for each feature that efficiently detect FFSN while distinguishing it from other benign domains. In this work, we have used five different machine learning algorithms, namely, Decision Tree, Random Forest, SVM, KNN, and Boosted Tree. We then compare the performance of these five machine learning algorithms to find out which is the best one to detect fast flux domains from passive DNS network traffic.

    Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

    Botnets are considered the primary threat on the Internet, and there have been many research efforts to detect and mitigate them. Today, botnets use the DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to the trustworthy Round Robin DNS technique and Content Delivery Networks (CDN). In order to distinguish normal network traffic from botnet traffic, different techniques have been developed with more or less success. The aim of this paper is to improve botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online botnet detection based on DNS traffic features that distinguish botnet traffic from CDN-based traffic is presented. Botnet features are classified according to the possibility of their usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where a CDN acts like a botnet. A new feature based on search engine hits is proposed to reduce false positive detections. The experimental evaluations show that the proposed classification could significantly improve botnet detection. A procedure is suggested to implement such a system as part of an IDS.

    A Survey of Platforms and Techniques for Processing Network Service Access Logs to Detect Information Security Risks

    In the layers of information security measures, the monitoring and detection measures for anomalous activities and information insecurity risks are considered the second defense layer behind firewalls and access controls. This defense layer includes intrusion detection and prevention systems for hosts and networks. This paper examines platforms, tools and techniques for processing and analyzing access logs of network service servers for the detection of anomalous activities and information insecurity risks. Based on the survey results, the paper proposes the architecture of a monitoring and information security assurance system for small and medium-sized networks of organizations with limited resources.

    In the layered system of information security solutions, solutions for monitoring and detecting anomalies and security risks in the network are considered the second layer of defense, after the firewall layer and access control measures. This layer of solutions comprises systems for monitoring, detecting and preventing attacks and intrusions for hosts and networks. This paper surveys and evaluates platforms, tools and techniques for processing and analyzing access logs of service servers in order to detect anomalous behaviour and information security risks. On that basis, the paper proposes an architecture for a monitoring system that supports information security assurance for organizations with limited network scale and resources.

    Anomaly detection based on machine learning techniques

    Master of Science, Department of Computer Science, William H. Hsu

    This report presents an experimental exploration of supervised inductive learning methods for the task of Domain Name Service (DNS) query filtering for anomaly detection. The anomaly types for which I implement a learning monitor represent specific attack vectors, such as distributed denial-of-service (DDoS), remote-to-user (R2U), and probing, that have been increasing in size and sophistication in recent years. A number of anomaly detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based, have been proposed. However, IDS-based solutions that use signatures seem to be ineffective, because attackers associated with recent anomalies are equipped with sophisticated code update and evasion techniques. By contrast, anomaly detection methods do not require pre-built signatures and thus have the capability to detect new or unknown anomalies. Towards this end, this project implements and applies an anomaly detection model learned from DNS query data and evaluates the effectiveness of an implementation of this model using popular machine learning techniques. Experimental results show how existing inductive learning algorithms such as k-NN (k-nearest neighbour), decision trees and Naive Bayes can be used effectively in anomaly detection.