
    Detection of Advanced Bots in Smartphones through User Profiling

    abstract: This thesis addresses the growing threat of botnets on smartphones, focusing on the Android platform and on botnets that use Online Social Networks (OSNs) as their Command and Control (C&C) medium. In any botnet, C&C is one of the components on which the botnet's survival depends: individual bots use the C&C channel to receive commands and to send data back. This thesis develops an active, host-based approach that identifies the presence of a bot from anomalies in the user's usage patterns before and after the bot is installed on the smartphone, and alerts the user to its presence. A profile is constructed for each user from their regular web usage patterns (obtained by intercepting HTTP(S) traffic); machine learning techniques continuously learn the user's behaviour and changes in it, while watching for anomalies above a threshold, at which point the user is notified of the anomalous traffic. A prototype bot that uses OSNs as its C&C channel is built and used for testing. Users are given smartphones (Nexus 4 and Galaxy Nexus) running an application proxy that intercepts HTTP(S) traffic and relays it to a server; the server builds the model for that user from the traffic and looks for signs of anomalies. This approach lays the groundwork for future host-based countermeasures against smartphone botnets that use OSNs as their C&C channel.
    Dissertation/Thesis. M.S. Computer Science 201
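The profiling approach above (baseline from clean HTTP(S) traffic, then alerting when a later window deviates past a threshold) can be shown on a small constructed proxy log. The block below is an added example and not the thesis's code: it assumes the proxy writes one line per request as "<ISO timestamp> <user> <host> <bytes sent>" (for HTTPS only the host name is assumed visible), and the three indicators (share of requests to never-seen hosts, request-rate multiple over baseline, and timer-like polling of a single host, which is what an OSN-polling bot looks like at the proxy) and their thresholds are this example's own choices. Every log line is constructed.

```python
"""Per-user web-usage profile with threshold-based anomaly alerting (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed thresholds, not values from the thesis.
UNSEEN_HOST_SHARE = 0.30    # fraction of requests to hosts absent from the baseline
RATE_MULTIPLE = 2.0         # requests/day relative to the baseline
BEACON_REGULARITY = 0.80    # 1 - CV of inter-request gaps to one host
MIN_BEACON_REQUESTS = 4

# Constructed baseline: two days of one user's normal browsing.
BASELINE_LOG = """\
2013-04-01T08:02:10 alice news.example.com 420
2013-04-01T08:05:44 alice mail.example.com 1800
2013-04-01T12:31:05 alice maps.example.com 310
2013-04-01T21:45:00 alice mail.example.com 2100
2013-04-02T08:01:33 alice news.example.com 450
2013-04-02T08:07:12 alice mail.example.com 1750
2013-04-02T13:20:41 alice shop.example.com 900
2013-04-02T19:30:09 alice video.example.com 300
"""

# Constructed third day of normal browsing, used as a clean observation window.
BENIGN_LOG = """\
2013-04-03T08:03:01 alice news.example.com 430
2013-04-03T08:09:15 alice mail.example.com 1900
2013-04-03T12:40:27 alice shop.example.com 850
2013-04-03T19:12:48 alice video.example.com 290
2013-04-03T21:50:33 alice mail.example.com 2000
"""


def parse(log):
    """Parse proxy log lines into (timestamp, user, host, bytes_sent) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, sent = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(sent)))
    return events


def build_profile(events):
    """Baseline learned from clean traffic: known host set plus per-day request rate."""
    days = len({t.date() for t, _, _, _ in events})
    return {"hosts": Counter(h for _, _, h, _ in events),
            "requests_per_day": len(events) / days}


def beacon_regularity(events):
    """Max over hosts of 1 - coefficient of variation of inter-request gaps.
    A bot polling its C&C profile on a timer gives near-constant gaps (close to 1);
    human browsing gives irregular gaps (close to 0)."""
    by_host = defaultdict(list)
    for t, _, h, _ in events:
        by_host[h].append(t)
    best = 0.0
    for times in by_host.values():
        if len(times) < MIN_BEACON_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 1.0
        best = max(best, 1.0 - min(cv, 1.0))
    return best


def score_window(profile, events):
    """Compute the three indicators for an observation window."""
    days = len({t.date() for t, _, _, _ in events}) or 1
    unseen = sum(1 for _, _, h, _ in events if h not in profile["hosts"])
    return {"unseen_host_share": unseen / len(events),
            "rate_multiple": (len(events) / days) / profile["requests_per_day"],
            "beacon_regularity": beacon_regularity(events)}


def detect(profile, events):
    """Return (alert, reasons); alert is True when any indicator crosses its threshold."""
    if not events:
        return False, []
    s = score_window(profile, events)
    checks = (("unseen_hosts", s["unseen_host_share"], UNSEEN_HOST_SHARE),
              ("request_rate", s["rate_multiple"], RATE_MULTIPLE),
              ("beaconing", s["beacon_regularity"], BEACON_REGULARITY))
    reasons = [name for name, value, limit in checks if value >= limit]
    return bool(reasons), reasons


def benign_window():
    return parse(BENIGN_LOG)


def bot_window():
    """Constructed window after a hypothetical OSN-C&C bot installs: the same day's
    browsing plus a fixed-size poll of one social-network host every 10 minutes."""
    start = datetime(2013, 4, 3, 8, 0, 0)
    polls = [(start + timedelta(minutes=10 * i), "alice", "social.example.net", 512)
             for i in range(72)]
    return parse(BENIGN_LOG) + polls
```

Running `detect(build_profile(parse(BASELINE_LOG)), bot_window())` flags the window on all three indicators, while the benign day passes. The beaconing indicator is the one worth keeping even if the bot reuses a host the user already visits (an OSN the user has an account on), since the unseen-host share then drops to zero but the timer-driven polling pattern remains.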

    Botnet Forensic Investigation Techniques and Cost Evaluation

    Botnets are responsible for a large share of the damage and criminal activity on the Internet. They have shifted attacks from push activities to pull techniques for distributing malware, and continue to provide economic advantages to their operators at the expense of legitimate Internet users. In our research we asked: what is the cost of the procedural steps for forensically investigating a botnet attack? The research method applies investigation guidelines provided by other researchers and evaluates them in terms of the cost to a digital forensic investigator. We conclude that investigation of botnet attacks is both possible and procedurally feasible for a forensic investigator, but that scope management is critical for controlling the cost of the investigation. We recommend quantifying botnet investigations into five levels of cost based on time, complexity and technical requirements. Keywords: Botnets, Cybercrime, Investigating, Techniques, Costs, Research

    Studying a Virtual Testbed for Unverified Data

    It is difficult to fully know the effects a piece of software will have on your computer, particularly when the software is distributed by an unknown source. The research in this paper focuses on malware detection, virtualization, and sandbox/honeypot techniques, with the goal of making it safer to install useful but unverifiable software. With a combination of these techniques it should be possible to install software in an environment where it cannot harm the machine but can still be tested to determine its safety. Testing for malware, performance, network connectivity, memory usage and interoperability can be carried out without allowing the program to access the machine's base operating system. Once the full effects of the software are understood and it is judged safe, it can then be run from, and given access to, the base operating system. This thesis investigates the feasibility of building a system that verifies the security of unknown software while ensuring it has no negative impact on the host machine.

    Security Challenges from Abuse of Cloud Service Threat

    Cloud computing is an ever-growing technology that leverages dynamic and versatile provisioning of computational resources and services. Despite the countless benefits that cloud services offer, new threats and risks remain a security concern. This paper provides an introduction to the rising security issues of the "abuse of cloud services" threat, for which no standard security measures exist to mitigate its risks and vulnerabilities. The threat can result in severe system gridlock, making cloud services unavailable or even shutting them down completely. The study identifies the potential challenges arising from the abuse of cloud services threat, namely botnets, BotClouds, shared technology vulnerabilities and malicious insiders. It further describes the attack methods, the impacts, and the causes of the identified challenges. The study evaluates the currently available solutions and proposes mitigating security controls for the security risks and challenges arising from the abuse of cloud services threat.

    Mobile Malware and Smart Device Security: Trends, Challenges and Solutions

    This work is part of research into the trends and challenges of cyber security for smart devices in smart homes. There has been growing development of, and demand for, seamless interconnectivity of smart devices to provide a range of functionality to users. While these devices provide more features and functionality, they also introduce new risks and threats. Accordingly, current cyber security issues related to smart devices are discussed and analysed. The paper begins with background and motivation. We identify mobile malware as one of the main issues in smart device security. In the near future, users of mobile smart devices can expect a striking increase in malware and notable advances in malware-related attacks, particularly on the Android platform, whose user base has grown exponentially. We discuss and analyse mobile malware in detail and identify challenges and future trends in this area. We then propose and discuss an integrated security solution for cyber security in smart devices to tackle the issue.

    Scalable Wavelet-Based Active Network Stepping Stone Detection

    Network intrusions leverage vulnerable hosts as stepping stones to penetrate deeper into a network and to hide malicious actions from detection. This research focuses on a novel active watermarking technique that uses Discrete Wavelet Transformations to mark and detect interactive network sessions. The technique is scalable, nearly invisible, and resilient to multi-flow attacks. The watermark is simulated using timestamps extracted from the CAIDA 2009 dataset and then replicated in a live environment. The simulation results show that the technique accurately detects the presence of a watermark at a 5% false positive and false negative rate, both for the extracted timestamps and for the empirical tcplib distribution. The watermark extraction accuracy is approximately 92%. The live experiment is implemented on the Amazon Elastic Compute Cloud: the client system sends marked and unmarked packets from California to Virginia through stepping stones in Tokyo, Ireland and Oregon. Five trials are conducted using simultaneous watermarked and unmarked samples. The live results are similar to the simulation and provide evidence that the technique is effective at identifying stepping stones in a live environment.

    Detecção de botnets baseada na análise de fluxos de rede utilizando estatística inversa (Botnet detection based on network flow analysis using inverse statistics)

    Dissertation (Professional Master's in Applied Computing), Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, Brasília, 2022. Supported by CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior).
    A botnet is a network of infected computers remotely controlled by a cybercriminal, the botmaster, whose objective is to carry out massive cyberattacks such as DDoS, spam and information theft. Traditional botnet detection methods, usually signature-based, cannot detect unknown botnets. Behaviour-based analysis has shown promise for detecting current botnet trends, which are constantly evolving. Considering that a botnet attack on the IT infrastructure of the Brazilian Army's Mobile Operations Coordination Center (CCOp Mv) could compromise the success of operations, through theft of sensitive information or disruption of critical CCOp Mv systems, this dissertation proposes a botnet detection mechanism based on network flow behaviour analysis. The main objective is to add a layer of cyber protection to the CCOp Mv IT infrastructure. The detection technique used is the recently developed Energy-based Flow Classifier (EFC). It uses inverse statistics for anomaly detection and has the important property of adapting easily to new domains, which is promising for detecting unknown botnets. In addition, the EFC is considered an interpretable algorithm, so the inferred statistical model can be analysed. Building on this, we propose an approach for selecting the most informative features for botnet detection by analysing the couplings between pairs of attributes computed by the EFC. To evaluate the efficiency of the generated model, and the features the EFC selects, we ran several experiments on three distinct data sets. The results were compared with several models generated by traditional one-class and two-class algorithms, and we also experimented with two other feature selection approaches. The results show that the EFC maintains more stable results regardless of the domain, unlike the other algorithms tested, and, most importantly, that the EFC can be used as a technique for selecting the most relevant features.

    Stepping Stone Detection for Tracing Attack Sources in Software-Defined Networks

    Stepping stones are compromised hosts in a network that attackers use to hide the origin of their connections. An attacker hops from one compromised host to another, forming a chain of stepping stones, before launching the attack on the actual victim. Various timing- and content-based detection techniques have been proposed in the literature to trace back through a chain of stepping stones and identify the attacker. This has naturally led to evasive strategies such as shaping the traffic differently at each hop; these evasive techniques can in turn be detected. Our study adapts some of the existing stepping stone detection and anti-evasion techniques to software-defined networks that use network function virtualization. We have implemented the stepping stone detection techniques in a simulated environment, using Flow for traffic monitoring at the switches. We evaluate the detection algorithms on different network topologies and analyse the results to gain insight into the effectiveness of the detection mechanisms. The selected detection techniques work well at relatively high packet sampling rates; however, new solutions will be needed for large SDN networks where the packet sampling rate must be lower.
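The timing-based correlation that both stepping stone entries above build on (the wavelet watermark thesis and this SDN study) can be illustrated with a passive variant on constructed traffic. The block below is an added example and not code from either work: it implements the classic ON/OFF idle-period correlation of Zhang and Paxson rather than a wavelet watermark, and it also emulates the two effects the SDN abstract singles out, an attacker re-timing packets at the hop (evasion) and 1-in-N packet sampling at the switch. The idle gap, tolerance window, hop latency, jitter and sampling model are all assumed values, and every timestamp is generated with a seeded PRNG, not captured.

```python
"""ON/OFF idle-period correlation for stepping stone detection (added example)."""
import random

IDLE_GAP = 0.5   # seconds of silence that ends an ON period (assumed)
DELTA = 0.05     # max offset for two OFF->ON transitions to count as coincident (assumed)


def interactive_session(seed, bursts=40):
    """Constructed keystroke-like flow: bursts of 1-6 packets separated by idle gaps."""
    r = random.Random(seed)
    t, times = 0.0, []
    for _ in range(bursts):
        t += r.uniform(1.0, 3.0)            # idle gap between bursts (>= IDLE_GAP)
        for _ in range(r.randint(1, 6)):
            times.append(t)
            t += r.uniform(0.05, 0.2)       # intra-burst spacing (< IDLE_GAP)
    return times


def relay(times, seed, base_delay=0.02, jitter=0.005):
    """Same flow as seen on the next hop: hop latency plus per-packet jitter.
    A large jitter models an evasive stepping stone that re-times packets."""
    r = random.Random(seed)
    return [t + base_delay + r.uniform(0.0, jitter) for t in times]


def sample(times, one_in_n, seed):
    """Emulate 1-in-N packet sampling at a switch (assumed model)."""
    r = random.Random(seed)
    return [t for t in times if r.randrange(one_in_n) == 0]


def off_on_transitions(times, idle_gap=IDLE_GAP):
    """Timestamps at which a flow resumes after at least idle_gap seconds of silence."""
    ts = sorted(times)
    return [b for a, b in zip(ts, ts[1:]) if b - a >= idle_gap]


def onoff_correlation(flow_a, flow_b, idle_gap=IDLE_GAP, delta=DELTA):
    """Fraction of OFF->ON transitions (of the flow with fewer) that coincide within delta.
    Near 1.0 means flow_b is very likely flow_a relayed through the monitored host."""
    ta = off_on_transitions(flow_a, idle_gap)
    tb = off_on_transitions(flow_b, idle_gap)
    if not ta or not tb:
        return 0.0
    hits, j = 0, 0
    for x in ta:                                     # both lists are sorted: two-pointer scan
        while j < len(tb) and tb[j] < x - delta:
            j += 1
        if j < len(tb) and abs(tb[j] - x) <= delta:
            hits += 1
    return hits / min(len(ta), len(tb))


def demo():
    """Correlate an inbound session against candidate outbound flows from the same host."""
    inbound = interactive_session(seed=7)
    outbound = relay(inbound, seed=8)                       # genuine stepping-stone pair
    unrelated = interactive_session(seed=99)                # independent session
    evasive = relay(inbound, seed=8, jitter=0.3)            # attacker re-times at the hop
    return {
        "relayed": onoff_correlation(inbound, outbound),
        "unrelated": onoff_correlation(inbound, unrelated),
        "evasive": onoff_correlation(inbound, evasive),
        "relayed_sampled_1_in_4": onoff_correlation(sample(inbound, 4, seed=1),
                                                    sample(outbound, 4, seed=2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value:.2f}")
```

The relayed pair correlates perfectly because a sub-delta hop latency preserves every idle period; the unrelated session only coincides by chance. Jitter of the order of the tolerance window (the evasive case) pulls the score down, which is why the literature pairs timing correlation with anti-evasion checks, and packet sampling both drops the first packet of bursts and merges gaps, so the score degrades as the sampling rate falls, matching the SDN study's observation about low sampling rates.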