OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Over the last decade botnets have survived by adopting a sequence of increasingly
sophisticated strategies to evade detection and takeovers, and to monetize
their infrastructure. At the same time, the success of privacy infrastructures
such as Tor opened the door to illegal activities, including botnets,
ransomware, and a marketplace for drugs and contraband. We contend that the
next waves of botnets will extensively subvert privacy infrastructure and
cryptographic mechanisms. In this work we propose to preemptively investigate
the design and mitigation of such botnets. We first introduce OnionBots, which
we believe will be the next generation of resilient, stealthy botnets.
OnionBots use privacy infrastructures for cyber attacks by completely
decoupling their operation from the infected host's IP address and by carrying
traffic that does not leak information about its source, destination, or
nature. Such bots live symbiotically within the privacy infrastructures to
evade detection, measurement, scale estimation, observation, and in general all
current IP-based mitigation techniques. Furthermore, we show that with an
adequate self-healing network maintenance scheme, which is simple to implement,
OnionBots achieve a low diameter and a low degree and are robust to
partitioning under node deletions. We developed a mitigation technique, called
SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and
discuss a set of techniques that can enable subsequent waves of Super
OnionBots. In light of the potential of such botnets, we believe that the
research community should proactively develop detection and mitigation methods
to thwart OnionBots, potentially making adjustments to privacy infrastructure.
Comment: 12 pages, 8 figures
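The abstract claims that a simple self-healing maintenance scheme keeps the overlay at low degree and low diameter and keeps it connected under node deletions. The following is an added illustration of how such a claim can be checked in simulation; it is not code from the OnionBots paper, and the healing scheme it uses (each node caches its neighbours' neighbours from one gossip round and reconnects from that cache after losses) and the parameters K_TARGET, K_MAX, n=200 and 60 deletions are assumptions chosen for the example.

```python
import random
from collections import deque

# Assumed parameters: target neighbour count per node and a hard degree cap.
K_TARGET, K_MAX = 8, 16


def build_overlay(n, k=K_TARGET, seed=7):
    """Random bounded-degree overlay: every node links to k peers; no node exceeds K_MAX."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for v in range(n):
        candidates = [u for u in range(n)
                      if u != v and u not in adj[v] and len(adj[u]) < K_MAX]
        rng.shuffle(candidates)
        for u in candidates[:max(0, k - len(adj[v]))]:
            adj[v].add(u)
            adj[u].add(v)
    return adj


def gossip_cache(adj):
    """One gossip round: each node learns the neighbours of its neighbours (assumed scheme)."""
    return {v: {w for u in adj[v] for w in adj[u] if w != v} for v in adj}


def delete_nodes(adj, victims):
    """Remove nodes (e.g. cleaned hosts) and every edge that touched them."""
    for v in victims:
        for u in adj.pop(v):
            if u in adj:
                adj[u].discard(v)


def heal(adj, cache, k=K_TARGET):
    """Self-healing: a node below target degree reconnects to surviving cached peers
    that still have room under K_MAX."""
    for v in sorted(adj):
        for w in sorted(cache[v]):
            if len(adj[v]) >= k:
                break
            if w in adj and w != v and w not in adj[v] and len(adj[w]) < K_MAX:
                adj[v].add(w)
                adj[w].add(v)


def bfs_depths(adj, source):
    depth = {source: 0}
    queue = deque([source])
    while queue:
        v = queue.popleft()
        for u in adj[v]:
            if u not in depth:
                depth[u] = depth[v] + 1
                queue.append(u)
    return depth


def metrics(adj):
    """Connectivity, diameter (inf when partitioned) and degree range of the overlay."""
    nodes = list(adj)
    eccentricities, connected = [], True
    for s in nodes:
        depth = bfs_depths(adj, s)
        if len(depth) < len(nodes):
            connected = False
            break
        eccentricities.append(max(depth.values()))
    degrees = [len(adj[v]) for v in nodes]
    return {"connected": connected,
            "diameter": max(eccentricities) if connected else float("inf"),
            "min_degree": min(degrees), "max_degree": max(degrees)}


def simulate(n=200, kill=60, seed=7):
    """Build the overlay, gossip, delete `kill` random nodes, heal, and report metrics."""
    adj = build_overlay(n, seed=seed)
    cache = gossip_cache(adj)
    victims = random.Random(seed + 1).sample(sorted(adj), kill)
    delete_nodes(adj, victims)
    after_loss = metrics(adj)
    heal(adj, cache)
    return {"survivors": len(adj), "after_loss": after_loss, "after_heal": metrics(adj)}


if __name__ == "__main__":
    print(simulate())
```

The interesting number is the diameter after healing against the degree cap: the scheme only ever adds edges to nodes with spare capacity, so the cap bounds the per-node link count a defender could observe while the cache keeps even a node that lost all direct neighbours from being partitioned off.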
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in report
PeerHunter: Detecting Peer-to-Peer Botnets through Community Behavior Analysis
Peer-to-peer (P2P) botnets have become one of the major threats in network
security, serving as the infrastructure responsible for a variety of
cyber-crimes. Though a few existing works claim to detect traditional botnets
effectively, detecting P2P botnets involves additional challenges. In
this paper, we present PeerHunter, a community behavior analysis based method,
which is capable of detecting botnets that communicate via a P2P structure.
PeerHunter starts from a P2P host detection component. Then, it uses mutual
contacts as the main feature to cluster bots into communities. Finally, it uses
community behavior analysis to detect potential botnet communities and further
identify bot candidates. Through extensive experiments with real and simulated
network traces, PeerHunter achieves a very high detection rate and low false
positives.
Comment: 8 pages, 2 figures, 11 tables, 2017 IEEE Conference on Dependable and
Secure Computing
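The three-stage pipeline described above (P2P host detection, clustering by mutual contacts, community behavior analysis) can be sketched on flow records. The following is an added toy implementation, not PeerHunter's own code: the flow records are constructed, the P2P-host heuristic (many distinct destinations on unprivileged ports), the mutual-contact threshold and the similarity score used for the community behavior stage are all assumptions for the example rather than the paper's features.

```python
from collections import defaultdict
from itertools import combinations


def build_sample_flows():
    """Constructed NetFlow-like records (src, dst, dst_port, packets); not real traffic.
    10.0.0.1-4 are bots contacting overlapping windows of one peer pool,
    10.0.0.5 is a legitimate P2P file-sharing user, 10.0.0.6 is a web client."""
    flows = []
    peers = [f"198.51.100.{i}" for i in range(1, 31)]
    for bot, start in zip(range(1, 5), (0, 3, 6, 9)):
        for peer in peers[start:start + 20]:
            flows.append((f"10.0.0.{bot}", peer, 16471, 4))
    for i in range(1, 26):
        flows.append(("10.0.0.5", f"203.0.113.{i}", 6881, 40))
    for dst in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        flows.append(("10.0.0.6", dst, 443, 120))
    return flows


def detect_p2p_hosts(flows, min_peers=10, min_port=1024):
    """Stage 1 (assumed heuristic): a host is treated as P2P when it reaches
    many distinct destinations on unprivileged ports."""
    contacts = defaultdict(set)
    for src, dst, port, _packets in flows:
        if port >= min_port:
            contacts[src].add(dst)
    return {host: peers for host, peers in contacts.items() if len(peers) >= min_peers}


def mutual_contact_graph(p2p_hosts, min_mutual=3):
    """Stage 2: two P2P hosts are linked when they share >= min_mutual destinations."""
    graph = {host: set() for host in p2p_hosts}
    for a, b in combinations(p2p_hosts, 2):
        if len(p2p_hosts[a] & p2p_hosts[b]) >= min_mutual:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def communities(graph):
    """Connected components of the mutual-contact graph, each a candidate community."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(graph[node] - seen)
        comps.append(comp)
    return comps


def mean_jaccard(members, contacts):
    """Average pairwise Jaccard similarity of the members' destination sets."""
    pairs = list(combinations(sorted(members), 2))
    if not pairs:
        return 0.0
    return sum(len(contacts[a] & contacts[b]) / len(contacts[a] | contacts[b])
               for a, b in pairs) / len(pairs)


def hunt(flows, min_size=2, min_similarity=0.3):
    """Stage 3: flag communities whose members behave alike (highly similar peer sets);
    their members are reported as bot candidates."""
    p2p = detect_p2p_hosts(flows)
    comps = communities(mutual_contact_graph(p2p))
    flagged = [c for c in comps
               if len(c) >= min_size and mean_jaccard(c, p2p) >= min_similarity]
    return {
        "p2p_hosts": sorted(p2p),
        "communities": [sorted(c) for c in comps],
        "bot_candidates": sorted(h for c in flagged for h in c),
    }


if __name__ == "__main__":
    print(hunt(build_sample_flows()))
```

The legitimate P2P user passes stage 1 but ends up alone in its own community because it shares no destinations with anyone, which is the point of using mutual contacts rather than raw P2P-ness as the clustering feature.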
On the security of machine learning in malware C&C detection: a survey
One of the main challenges in security today is defending against malware attacks. As trends and anecdotal evidence show, preventing these attacks, regardless of their indiscriminate or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organizations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and are essential for the successful progression of the attack. In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller. A major oversight of many of these detection techniques is the design's resilience to evasion attempts by the well-motivated attacker. C&C detection techniques make widespread use of a machine learning (ML) component. Therefore, to analyze the evasion resilience of these detection techniques, we first systematize works in the field of C&C detection and then, using existing models from the literature, go on to systematize attacks against the ML components used in these approaches
On Detection of Current and Next-Generation Botnets.
Botnets are one of the most serious security threats to the Internet and its end users. A botnet consists of compromised computers that are remotely coordinated by a botmaster under a Command and Control (C&C) infrastructure. Driven by financial incentives, botmasters leverage botnets to conduct various cybercrimes such as spamming, phishing, identity theft and Distributed-Denial-of-Service (DDoS) attacks. There are three main challenges facing botnet detection. First, code obfuscation is widely employed by current botnets, so signature-based detection is insufficient. Second, the C&C infrastructure of botnets has evolved rapidly. Any detection solution targeting one botnet instance can hardly keep up with this change. Third, the proliferation of powerful smartphones presents a new platform for future botnets. Defense techniques designed for existing botnets may be outsmarted when botnets invade smartphones.
Recognizing these challenges, this dissertation proposes behavior-based botnet detection solutions at three different levels---the end host, the edge network and the Internet infrastructure---from a small scale to a large scale, and investigates the next-generation botnet targeting smartphones. It (1) addresses the problem of botnet seeding by devising a per-process containment scheme for end-host systems; (2) proposes a hybrid botnet detection framework for edge networks utilizing combined host- and network-level information; (3) explores the structural properties of botnet topologies and measures network components' capabilities of large-scale botnet detection at the Internet infrastructure level; and (4) presents a proof-of-concept mobile botnet employing SMS messages as the C&C and P2P as the topology to facilitate future research on countermeasures against next-generation botnets.
The dissertation makes three primary contributions. First, the detection solutions proposed utilize intrinsic and fundamental behavior of botnets and are immune to malware obfuscation and traffic encryption. Second, the solutions are general enough to identify different types of botnets, not a specific botnet instance. They can also be extended to counter next-generation botnet threats. Third, the detection solutions function at multiple levels to meet various detection needs. They each take a different perspective but are highly complementary to each other, forming an integrated botnet detection framework.
Ph.D., Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/91382/1/gracez_1.pd
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants
Since the burgeoning days of IoT, Mirai has been established as the canonical
IoT botnet. Not long after the public release of its code, researchers found
many Mirai variants compete with one another for many of the same vulnerable
hosts. Over time, the myriad Mirai variants evolved to incorporate unique
vulnerabilities, defenses, and regional concentrations. In this paper, we ask:
have Mirai variants evolved to the point that they are fundamentally distinct?
We answer this question by measuring two of the most popular Mirai descendants:
Hajime and Mozi. To actively scan both botnets simultaneously, we developed a
robust measurement infrastructure, BMS, and ran it for more than eight months.
The resulting datasets show that these two popular botnets have diverged in
their evolutions from their common ancestor in multiple ways: they have
virtually no overlapping IP addresses, they exhibit different behavior to
network events such as diurnal rate limiting in China, and more. Collectively,
our results show that there is no longer one canonical IoT botnet. We discuss
the implications of this finding for researchers and practitioners
Enhancing data privacy and security in Internet of Things through decentralized models and services
exploits a Byzantine Fault Tolerant (BFT) blockchain, in order to perform collaborative and dynamic botnet detection by collecting and auditing IoT devices' network traffic flows as blockchain transactions. Secondly, we take the challenge to decentralize IoT, and design a hybrid blockchain architecture for IoT, by proposing Hybrid-IoT. In Hybrid-IoT, subgroups of IoT devices form PoW blockchains, referred to as PoW sub-blockchains. Connection among the PoW sub-blockchains employs a BFT inter-connector framework. We focus on the PoW sub-blockchains formation, guided by a set of guidelines based on a set of dimensions, metrics and bounds