Analysis and characterisation of botnet scan traffic

Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity

Analysis and Characterization of Botnet Scan Traffic

Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity

A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks

In recent years, Botnets have been adopted as a popular method to carry and spread many malicious codes on the Internet. These malicious codes pave the way to execute many fraudulent activities including spam mail, distributed denial-of-service attacks and click fraud. While many Botnets are set up using centralized communication architecture, the peer-to-peer (P2P) Botnets can adopt a decentralized architecture using an overlay network for exchanging command and control data making their detection even more difficult. This work presents a method of P2P Bot detection based on an adaptive multilayer feed-forward neural network in cooperation with decision trees. A classification and regression tree is applied as a feature selection technique to select relevant features. With these features, a multilayer feed-forward neural network training model is created using a resilient back-propagation learning algorithm. A comparison of feature set selection based on the decision tree, principal component analysis and the ReliefF algorithm indicated that the neural network model with features selection based on decision tree has a better identification accuracy along with lower rates of false positives. The usefulness of the proposed approach is demonstrated by conducting experiments on real network traffic datasets. In these experiments, an average detection rate of 99.08 % with false positive rate of 0.75 % was observed

Flooding attacks to internet threat monitors (ITM): Modeling and counter measures using botnet and honeypots

The Internet Threat Monitoring (ITM),is a globally scoped Internet monitoring system whose goal is to measure, detect, characterize, and track threats such as distribute denial of service(DDoS) attacks and worms. To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address flooding attack against ITM system in which the attacker attempt to exhaust the network and ITM's resources, such as network bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. Based on this model we generalize the flooding attacks and propose an effective attack detection using Honeypots

OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and take overs, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first, introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all IP-based current mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, that is simple to implement, OnionBots achieve a low diameter and a low degree and are robust to partitioning under node deletions. We developed a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and discuss a set of techniques that can enable subsequent waves of Super OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.Comment: 12 pages, 8 figure