Unsupervised detection of botnet activities using frequent pattern tree mining

A botnet is a network of remotely-controlled infected computers that can send spam, spread viruses, or stage denial-of-serviceattacks, without the consent of the computer owners. Since the beginning of the 21st century, botnet activities have steadilyincreased, becoming one of the major concerns for Internet security. In fact, botnet activities are becoming more and moredifficult to be detected, because they make use of Peer-to-Peer protocols (eMule, Torrent, Frostwire, Vuze, Skype and manyothers). To improve the detectability of botnet activities, this paper introduces the idea of association analysis in the field ofdata mining, and proposes a system to detect botnets based on the FP-growth (Frequent Pattern Tree) frequent item miningalgorithm. The detection system is composed of three parts: packet collection processing, rule mining, and statistical analysisof rules. Its characteristic feature is the rule-based classification of different botnet behaviors in a fast and unsupervisedfashion. The effectiveness of the approach is validated in a scenario with 11 Peer-to-Peer host PCs, 42063 Non-Peer-to-Peerhost PCs, and 17 host PCs with three different botnet activities (Storm, Waledac and Zeus). The recognition accuracy of theproposed architecture is shown to be above 94%. The proposed method is shown to improve the results reported in literature

Interdomain Route Leak Mitigation: A Pragmatic Approach

The Internet has grown to support many vital functions, but it is not administered by any central authority. Rather, the many smaller networks that make up the Internet - called Autonomous Systems (ASes) - independently manage their own distinct host address space and routing policy. Routers at the borders between ASes exchange information about how to reach remote IP prefixes with neighboring networks over the control plane with the Border Gateway Protocol (BGP). This inter-AS communication connects hosts across AS boundaries to build the illusion of one large, unified global network - the Internet. Unfortunately, BGP is a dated protocol that allows ASes to inject virtually any routing information into the control plane. The Internet’s decentralized administrative structure means that ASes lack visibility of the relationships and policies of other networks, and have little means of vetting the information they receive. Routes are global, connecting hosts around the world, but AS operators can only see routes exchanged between their own network and directly connected neighbor networks. This mismatch between global route scope and local network operator visibility gives rise to adverse routing events like route leaks, which occur when an AS advertises a route that should have been kept within its own network by mistake. In this work, we explore our thesis: that malicious and unintentional route leaks threaten Internet availability, but pragmatic solutions can mitigate their impact. Leaks effectively reroute traffic meant for the leak destination along the leak path. This diversion of flows onto unexpected paths can cause broad disruption for hosts attempting to reach the leak destination, as well as obstruct the normal traffic on the leak path. These events are usually due to misconfiguration and not malicious activity, but we show in our initial work that vrouting-capable adversaries can weaponize route leaks and fraudulent path advertisements to enhance data plane attacks on Internet infrastructure and services. Existing solutions like Internet Routing Registry (IRR) filtering have not succeeded in solving the route leak problem, as globally disruptive route leaks still periodically interrupt the normal functioning of the Internet. We examine one relatively new solution - Peerlocking or defensive AS PATH filtering - where ASes exchange toplogical information to secure their networks. Our measurements reveal that Peerlock is already deployed in defense of the largest ASes, but has found little purchase elsewhere. We conclude by introducing a novel leak defense system, Corelock, designed to provide Peerlock-like protection without the scalability concerns that have limited Peerlock’s scope. Corelock builds meaningful route leak filters from globally distributed route collectors and can be deployed without cooperation from other network

Leveraging Conventional Internet Routing Protocol Behavior to Defeat DDoS and Adverse Networking Conditions

The Internet is a cornerstone of modern society. Yet increasingly devastating attacks against the Internet threaten to undermine the Internet\u27s success at connecting the unconnected. Of all the adversarial campaigns waged against the Internet and the organizations that rely on it, distributed denial of service, or DDoS, tops the list of the most volatile attacks. In recent years, DDoS attacks have been responsible for large swaths of the Internet blacking out, while other attacks have completely overwhelmed key Internet services and websites. Core to the Internet\u27s functionality is the way in which traffic on the Internet gets from one destination to another. The set of rules, or protocol, that defines the way traffic travels the Internet is known as the Border Gateway Protocol, or BGP, the de facto routing protocol on the Internet. Advanced adversaries often target the most used portions of the Internet by flooding the routes benign traffic takes with malicious traffic designed to cause widespread traffic loss to targeted end users and regions. This dissertation focuses on examining the following thesis statement. Rather than seek to redefine the way the Internet works to combat advanced DDoS attacks, we can leverage conventional Internet routing behavior to mitigate modern distributed denial of service attacks. The research in this work breaks down into a single arc with three independent, but connected thrusts, which demonstrate that the aforementioned thesis is possible, practical, and useful. The first thrust demonstrates that this thesis is possible by building and evaluating Nyx, a system that can protect Internet networks from DDoS using BGP, without an Internet redesign and without cooperation from other networks. This work reveals that Nyx is effective in simulation for protecting Internet networks and end users from the impact of devastating DDoS. The second thrust examines the real-world practicality of Nyx, as well as other systems which rely on real-world BGP behavior. Through a comprehensive set of real-world Internet routing experiments, this second thrust confirms that Nyx works effectively in practice beyond simulation as well as revealing novel insights about the effectiveness of other Internet security defensive and offensive systems. We then follow these experiments by re-evaluating Nyx under the real-world routing constraints we discovered. The third thrust explores the usefulness of Nyx for mitigating DDoS against a crucial industry sector, power generation, by exposing the latent vulnerability of the U.S. power grid to DDoS and how a system such as Nyx can protect electric power utilities. This final thrust finds that the current set of exposed U.S. power facilities are widely vulnerable to DDoS that could induce blackouts, and that Nyx can be leveraged to reduce the impact of these targeted DDoS attacks

Towards Accurate Node-Based Detection of P2P Botnets

Botnets are a serious security threat to the current Internet infrastructure. In this paper, we propose a novel direction for P2P botnet detection called node-based detection. This approach focuses on the network characteristics of individual nodes. Based on our model, we examine node’s flows and extract the useful features over a given time period. We have tested our approach on real-life data sets and achieved detection rates of 99-100% and low false positives rates of 0–2%. Comparison with other similar approaches on the same data sets shows that our approach outperforms the existing approaches

Enabling Quantum Cybersecurity Analytics in Botnet Detection: Stable Architecture and Speed-up through Tree Algorithms

For the first time, we enable the execution of hybrid machine learning methods on real quantum computers, with 100 data samples, and also with real-device-based simulations, with 5,000 data samples and thereby outperforming the current state of research of Suryotrisongko and Musashi from the year 2022 who were dealing with 1,000 data samples and not with simulations on quantum real devices but on quantum simulators (i.e. pure software-based emulators) only. Additionally, we beat their reported accuracy of 76.8% by an average accuracy of 89.0%, all of this in a total computation time of 382 seconds only. They did not report the execution time. We gain this significant progress by a two-fold strategy: First, we provide a stabilized quantum architecture that enables us to execute HQML algorithms on real quantum devices. Second, we design a new form of hybrid quantum binary classification algorithms that are based on Hoeffding decision tree algorithms. These algorithms lead to the mentioned speed-up through their batch-wise execution in order to drastically reduce the number of shots needed for the real quantum device compared to standard loop-based optimizers. Their incremental nature serves the purpose of big data online streaming for DGA botnet detection. These two steps allow us to apply hybrid quantum machine learning to the field of cybersecurity analytics on the example of DGA botnet detection and how quantum-enhanced SIEM and, thereby, quantum cybersecurity analytics is made possible. We conduct experiments using the library Qiskit with quantum simulator Aer as well as on three different real quantum devices from MS Azure Quantum, naming IonQ, Rigetti and Quantinuum. It is the first time that these tools have been combined.Comment: 33 pages, 6 figures, 6 table

Short Message Service (SMS) Command and Control (C2) Awareness in Android-based Smartphones using Kernel-Level Auditing

This thesis addresses the emerging threat of botnets in the smartphone domain and focuses on the Android platform and botnets using short message service (SMS) as the command and control (C2) channel. With any botnet, C2 is the most important component contributing to its overall resilience, stealthiness, and effectiveness. This thesis develops a passive host-based approach for identifying covert SMS traffic and providing awareness to the user. Modifying the kernel and implementing this awareness mechanism is achieved by developing and inserting a loadable kernel module that logs all inbound SMS messages as they are sent from the baseband radio to the application processor. The design is successfully implemented on an HTC Nexus One Android smartphone and validated with tests using an Android SMS bot from the literature. The module successfully logs all messages including bot messages that are hidden from user applications. Suspicious messages are then identified by comparing the SMS application message list with the kernel log\u27s list of events. This approach lays the groundwork for future host-based countermeasures for smartphone botnets and SMS-based botnets

Delay Performance and Cybersecurity of Smart Grid Infrastructure

To address major challenges to conventional electric grids (e.g., generation diversification and optimal deployment of expensive assets), full visibility and pervasive control over utilities\u27 assets and services are being realized through the integratio