
    The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

    Botnets constitute a serious security problem. A lot of effort has been invested in understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are “in-the-wild” botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing “in-the-lab” experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a close to 3000-node, fully-featured version of the Waledac botnet, complete with a reproduced command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and the design decisions made by its creators. Furthermore, we conducted experiments in which we launched sybil attacks against the botnet. We were able to verify that such an attack is, in the case of Waledac, viable. However, we also determined that mounting such an attack is not so simple: high resource consumption can cause havoc and partially neutralise the attack. Finally, we were able to repeat the attack with varying parameters, in an attempt to optimise it. 
The merits of this experimental approach are underlined by the fact that it is very difficult to obtain these results by employing other methods

    Analytical Lifecycle Modeling and Threat Analysis of Botnets

    A botnet, an overlay network of compromised computers built by cybercriminals known as botmasters, is a new phenomenon that has caused deep concern among the security professionals responsible for governmental, academic, and private-sector networks. Botmasters use a plethora of methods to infect network-accessible devices (nodes). The initial malware residing on these nodes then either connects to a central Command & Control (C&C) server or joins a Peer-to-Peer (P2P) botnet. At this point, the nodes can receive the commands of the botmaster and proceed to engage in illicit activities such as Distributed Denial-of-Service (DDoS) attacks and massive e-mail spam campaigns. Being able to reliably estimate the size of a botnet is an important task which allows the adequate deployment of mitigation strategies against the botnet. In this thesis, we develop analytical models that capture the botnet expansion and size evolution behaviours in sufficient detail to accomplish this crucial estimation/analysis task. We develop four Continuous-Time Markov Chain (CTMC) botnet models: the first two, SComI and SComF, allow the prediction of initial unhindered botnet expansion in the case of infinite and finite population sizes, respectively. The third model, the SIC model, is a botnet lifecycle model which accounts for all important node stages and allows botnet size estimates as well as evaluation of botnet mitigation strategies such as disinfection of nodes and attacks on the botnet's C&C mechanism. Finally, the fourth model, the SIC-P2P model, is an extension of the SIC model suitable for P2P botnets, allowing fine-grained analysis of mitigation strategies such as index poisoning and sybil attacks. As the convergence of Internet and traditional telecommunication services is underway, the threat of botnets is looming over essential basic communication services. 
As the last contribution presented in this thesis, we analyze the threat of botnets in 4G cellular wireless networks. We identify a vulnerability of the air interface, i.e. Long Term Evolution (LTE), which allows a successful botnet-launched DDoS attack against it. Through simulation using an LTE simulator, we determine the number of botnet nodes per cell that can significantly degrade the service availability of such cellular networks
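The abstract above names CTMC models for unhindered expansion in infinite and finite populations and a lifecycle model with disinfection, without giving their transition rates. The following Python is an added illustration, not the thesis's models or code: it simulates a generic finite-population infection chain with the Gillespie algorithm (infection at total rate `beta*I*S/n`, disinfection at rate `delta*I`, both assumed parametrisations) and compares it with the closed-form mean-field sizes for the infinite-population, finite-population and disinfection cases. Population size, rates and seeds are constructed for the example.

```python
import math
import random


def sis_ctmc_trajectory(n, i0, beta, delta=0.0, t_max=50.0, seed=1):
    """Gillespie simulation of a finite-population infection chain.

    State: I infected nodes, S = n - I susceptible nodes.
    Transitions (assumed rates, not the thesis's exact SIC parametrisation):
      infection     I -> I + 1   at total rate beta * I * S / n
      disinfection  I -> I - 1   at total rate delta * I   (node cleaned, back to S)
    Returns the list of (time, I) jump points.
    """
    rng = random.Random(seed)
    t, i = 0.0, i0
    traj = [(t, i)]
    while t < t_max:
        s = n - i
        r_inf = beta * i * s / n
        r_dis = delta * i
        total = r_inf + r_dis
        if total == 0.0:
            break  # absorbing: fully infected (delta == 0) or fully clean
        t += rng.expovariate(total)  # holding time in the current state
        if t > t_max:
            break
        i += 1 if rng.random() * total < r_inf else -1
        traj.append((t, i))
    return traj


def expected_size_infinite(t, i0, beta):
    """Unhindered growth in an infinite population: every bot recruits at rate beta."""
    return i0 * math.exp(beta * t)


def expected_size_finite(t, n, i0, beta):
    """Mean-field (logistic) size for the finite population with delta == 0."""
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-beta * t))


def sis_endemic_level(n, beta, delta):
    """Mean-field quasi-stationary size with disinfection: dI/dt = 0 gives I* = n * (1 - delta/beta)."""
    return n * (1.0 - delta / beta) if beta > delta else 0.0


def mean_final_size(n, i0, beta, delta, t_max=50.0, runs=20):
    """Average the size at t_max over several seeds, to compare against sis_endemic_level."""
    finals = [sis_ctmc_trajectory(n, i0, beta, delta, t_max, seed)[-1][1] for seed in range(runs)]
    return sum(finals) / runs


def time_to_fraction(traj, n, frac):
    """First jump time at which the botnet holds at least frac * n nodes (None if never)."""
    for t, i in traj:
        if i >= frac * n:
            return t
    return None


if __name__ == "__main__":
    traj = sis_ctmc_trajectory(n=200, i0=2, beta=1.0)
    # Mean-field half-size time for the logistic curve is ln(n/i0 - 1) / beta.
    print("half size reached at t=%.2f (mean-field %.2f)" % (
        time_to_fraction(traj, 200, 0.5), math.log(99) / 1.0))
    print("with disinfection delta=0.3: mean size %.1f, mean-field %.1f" % (
        mean_final_size(200, 20, 1.0, 0.3), sis_endemic_level(200, 1.0, 0.3)))
```

The stochastic trajectory fluctuates around the mean-field curve; the gap between the two is exactly what a size estimator built on the deterministic model has to tolerate, and with disinfection the chain settles near `n*(1 - delta/beta)` rather than at `n`.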

    An efficient approach to online bot detection based on a reinforcement learning technique

    In recent years, botnets have been adopted as a popular method for carrying and spreading malicious code on the Internet. This code paves the way to many fraudulent activities, including spam mail, distributed denial of service (DDoS) attacks and click fraud. While many botnets are set up using a centralized communication architecture such as Internet Relay Chat (IRC) or Hypertext Transfer Protocol (HTTP), peer-to-peer (P2P) botnets can adopt a decentralized architecture using an overlay network for exchanging command and control (C&C) messages, which is a more resilient and robust communication channel. Without a centralized point for C&C servers, P2P botnets are more flexible in defeating countermeasures and detection procedures than traditional centralized botnets. Several botnet detection techniques have been proposed, but botnet detection is still a very challenging task for the Internet security community because botnets execute attacks stealthily within dramatically growing volumes of network traffic. Moreover, current botnet detection schemes face significant problems of efficiency and adaptability. The present study combines a traffic reduction approach with a reinforcement learning (RL) method to create an online bot detection system. The proposed framework adopts the idea of RL to improve the system dynamically over time. In addition, the traffic reduction method is used to set up a lightweight and fast online detection method. Moreover, a host feature based on connection-level traffic was designed, which can identify bot host behaviour. Because it depends only on information obtained from packet headers, the proposed technique can potentially be applied to any encrypted network traffic: it does not require Deep Packet Inspection (DPI) and is not defeated by payload encryption. 
The network traffic reduction technique reduces the packets input to the detection system, yet the proposed solution achieves a good detection rate of 98.3% as well as a low false positive rate (FPR) of 0.012% in the online evaluation. Comparison with other techniques on the same dataset shows that our strategy outperforms existing methods. The proposed solution was evaluated and tested using real network traffic datasets to increase the validity of the solution
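The abstract states that the detector works from header-derived, connection-level features after a traffic reduction step, but does not list the features or the reduction policy. The Python below is an added illustration of that idea, not the study's feature set, reduction rule, RL component or code: it applies an assumed reduction (keep only TCP/UDP unicast flows leaving the monitored segment), derives per-host features from constructed NetFlow-style records, and applies an assumed decision rule in place of the trained detector. Addresses, ports, thresholds and the records themselves are constructed for the example.

```python
import statistics
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records, header fields only (no payload):
# (start_time_s, src_ip, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # 10.0.0.5 contacts one external peer every 60 s with tiny, same-sized flows (beacon-like)
    *[(60 * k, "10.0.0.5", "203.0.113.9", 8443, "tcp", 6, 520) for k in range(10)],
    # 10.0.0.7 browses: irregular timing, several destinations, larger flows
    (5, "10.0.0.7", "198.51.100.2", 443, "tcp", 40, 31000),
    (12, "10.0.0.7", "198.51.100.7", 443, "tcp", 22, 9800),
    (20, "10.0.0.7", "198.51.100.2", 443, "tcp", 80, 120000),
    (47, "10.0.0.7", "192.0.2.14", 80, "tcp", 12, 4300),
    (100, "10.0.0.7", "198.51.100.2", 443, "tcp", 35, 27000),
    (130, "10.0.0.7", "192.0.2.77", 443, "tcp", 9, 2100),
    # local chatter that the reduction step drops: mDNS multicast, NetBIOS broadcast, ICMP
    (3, "10.0.0.5", "224.0.0.251", 5353, "udp", 2, 160),
    (4, "10.0.0.7", "10.0.0.255", 137, "udp", 3, 234),
    (8, "10.0.0.7", "10.0.0.1", 0, "icmp", 1, 84),
]

LOCAL_NET = ip_network("10.0.0.0/24")  # assumed monitored segment


def reduce_flows(flows):
    """Traffic reduction (assumed policy): keep only TCP/UDP unicast flows that leave the local segment."""
    kept = []
    for flow in flows:
        dst, proto = ip_address(flow[2]), flow[4]
        if proto not in ("tcp", "udp"):
            continue
        if dst.is_multicast or dst in LOCAL_NET:  # the broadcast 10.0.0.255 is inside LOCAL_NET
            continue
        kept.append(flow)
    return kept


def extract_host_features(flows, small_flow_bytes=1000):
    """Per-source-host, connection-level features computable from headers alone."""
    by_host = defaultdict(list)
    for flow in flows:
        by_host[flow[1]].append(flow)
    features = {}
    for host, hf in by_host.items():
        hf.sort(key=lambda f: f[0])
        pairs = Counter((f[2], f[3]) for f in hf)
        top_pair, top_count = pairs.most_common(1)[0]
        # Regularity of contacts to the most-used (dst, port): coefficient of variation of the
        # inter-arrival times. Periodic C&C polling gives ~0; human-driven traffic is bursty.
        times = [f[0] for f in hf if (f[2], f[3]) == top_pair]
        gaps = [b - a for a, b in zip(times, times[1:])]
        beacon_cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) >= 2 else None
        features[host] = {
            "flows": len(hf),
            "distinct_dsts": len({f[2] for f in hf}),
            "distinct_ports": len({f[3] for f in hf}),
            "mean_bytes": statistics.mean(f[6] for f in hf),
            "small_flow_ratio": sum(f[6] < small_flow_bytes for f in hf) / len(hf),
            "top_pair_share": top_count / len(hf),
            "beacon_cv": beacon_cv,
        }
    return features


def looks_like_bot(feat):
    """Assumed decision rule standing in for the trained detector: regular, small, low-fan-out contacts."""
    return (feat["beacon_cv"] is not None and feat["beacon_cv"] < 0.2
            and feat["small_flow_ratio"] >= 0.8 and feat["top_pair_share"] >= 0.8)


if __name__ == "__main__":
    for host, feat in extract_host_features(reduce_flows(FLOWS)).items():
        print(host, "BOT" if looks_like_bot(feat) else "ok", feat)
```

Nothing here reads a payload, which is why TLS on the C&C channel does not change the features; the weak point of such a rule is an adversary that jitters its beacon interval, which is precisely the kind of drift an online learner is meant to absorb.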

    Intrusion detection in IPv6-enabled sensor networks.

    In this research, we study efficient and lightweight Intrusion Detection Systems (IDS) for ad-hoc networks through the lens of IPv6-enabled Wireless Sensor Actuator Networks. These networks consist of highly constrained devices able to communicate wirelessly in an ad-hoc fashion, thus following the architecture of ad-hoc networks. Current state-of-the-art IDS in IoT and WSNs have been developed considering the architecture of conventional computer networks, and as such they do not efficiently address the paradigm of ad-hoc networks, which is highly relevant in emerging network paradigms such as the Internet of Things (IoT). In this context, the network properties of resilience and redundancy have not been extensively studied. In this thesis, we first identify a trade-off between the communication and energy overheads of an IDS (as captured by the number of active IDS agents in the network) and the performance of the system in terms of successfully identifying attacks. In order to fine-tune this trade-off, we model networks as Random Geometric Graphs, a rigorous approach that allows us to capture underlying structural properties of the network. We then introduce a novel IDS architectural approach that consists of a central IDS agent and a set of distributed IDS agents deployed uniformly at random over the network area. These nodes are able to efficiently detect attacks at the networking layer in a collaborative manner by monitoring locally available network information provided by IoT routing protocols, such as RPL. The detailed experimental evaluation conducted in this research demonstrates significant performance gains in terms of communication overhead and energy dissipation while maintaining high detection rates. We also show that the performance of our IDS in ad-hoc networks does not rely on the size of the network but on fundamental underlying network properties, such as the network topology and the average degree of the nodes. 
The experiments show that our proposed IDS architecture is resilient against frequent topology changes due to node failures
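The trade-off described above, between the number of active IDS agents and how much of the network they can observe, is easy to reproduce on a Random Geometric Graph. The Python below is an added example, not the thesis's model or code: it builds an RGG in the unit square, sets the radio radius from a target average degree rather than from the node count, deploys agents uniformly at random, and measures the fraction of nodes that are an agent or a one-hop neighbour of one (an assumed monitoring model; the thesis's detection metric is not specified in the abstract). Sizes, degrees and seeds are constructed.

```python
import math
import random


def random_geometric_graph(n, radius, seed=0):
    """n nodes uniformly in the unit square; an edge joins nodes closer than `radius` (radio range)."""
    rng = random.Random(seed)
    pos = [(rng.random(), rng.random()) for _ in range(n)]
    adj = [set() for _ in range(n)]
    for u in range(n):
        for v in range(u + 1, n):
            if math.dist(pos[u], pos[v]) < radius:
                adj[u].add(v)
                adj[v].add(u)
    return pos, adj


def radius_for_degree(n, target_degree):
    """Radius giving expected degree ~ n*pi*r^2 (boundary effects ignored): the degree is fixed, not n."""
    return math.sqrt(target_degree / (n * math.pi))


def average_degree(adj):
    return sum(len(a) for a in adj) / len(adj)


def monitored_fraction(adj, agents):
    """Fraction of nodes that are an IDS agent or a one-hop neighbour of one (assumed monitoring
    model: an agent can observe the routing/neighbour information of nodes within its radio range)."""
    covered = set(agents)
    for a in agents:
        covered |= adj[a]
    return len(covered) / len(adj)


def deploy_agents(n, count, seed=0):
    """Distributed agents placed uniformly at random; a prefix of one permutation, so a larger
    `count` only ever adds agents to a smaller deployment."""
    order = list(range(n))
    random.Random(seed).shuffle(order)
    return order[:count]


def experiment(n, target_degree, agent_fraction, seed=0):
    pos, adj = random_geometric_graph(n, radius_for_degree(n, target_degree), seed)
    agents = deploy_agents(n, max(1, round(agent_fraction * n)), seed)
    return {"n": n, "avg_degree": average_degree(adj), "agents": len(agents),
            "monitored": monitored_fraction(adj, agents)}


if __name__ == "__main__":
    # Same target degree and agent share at three network sizes: the monitored share stays
    # comparable, which is the sense in which the trade-off is governed by degree, not by n.
    for n in (200, 400, 800):
        print(experiment(n, target_degree=8, agent_fraction=0.10))
```

The measured average degree comes out somewhat below the target because nodes near the border lose part of their radio disk; that boundary effect is real in deployments too and is one reason to estimate degree from the live topology rather than from the planned density.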

    Data Substantiation in Mobility

    The world is embracing the presence of connected autonomous vehicles, which are expected to play a major role in the future of intelligent transport systems. Given such connectivity, vehicles in the network are vulnerable to making incorrect decisions due to anomalous data. No sophisticated attacks are required; a single vehicle reporting anomalous speeds would be enough to disrupt the entire traffic flow. Detection of such anomalies is vital to ensure the security of a vehicular network. This thesis proposes the use of traffic flow theory for anomalous data detection in vehicular networks, by evaluating the consistency of microscopic parameters derived from traffic flow theory with macroscopic views of traffic under different traffic conditions. Though little attention has been given to using traffic flow properties to determine anomalous basic safety message data, the fundamental nature of traffic flow properties makes them a robust assessment tool. The aim of this thesis is to develop a robust data substantiation framework for vehicular networks using traffic flow fundamentals. The aim is fulfilled in three objectives: (1) to provide an overview of the context in terms of existing data substantiation methods, vehicular communication, and traffic flow theory; (2) to develop data substantiation models to detect anomalies irrespective of the cause of the anomaly; and (3) to assess the applicability of traffic flow theory for data substantiation in vehicular networks. Chapters 1 and 2 are the introduction and literature review respectively. The first main chapter describes the context of vehicular networks, traffic flow theory, and the intuition behind applying traffic flow theory for substantiation in vehicular networks. The next three chapters elaborate, formulate, demonstrate, and evaluate the use of macroscopic views of traffic to substantiate microscopic data in vehicular networks. 
The first of these discusses the use of steady-state conditions in traffic flow theory to substantiate data in vehicular networks, and the second describes the use of shockwave theory in traffic to substantiate data in vehicular networks. The third chapter develops a data substantiation model utilising localised views of traffic to provide an additional resolution to the previous models
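The two checks the abstract describes, steady-state consistency and shockwave consistency, can be written down concretely. The Python below is an added illustration, not the thesis's models or code: it assumes Greenshields' linear speed-density relation as the steady-state model (the thesis's actual relation is not given in the abstract), assumed free-flow speed and jam density, a constructed snapshot of basic safety messages on a 1 km segment in which one vehicle reports an implausible speed, and the standard shockwave speed formula for the boundary between two traffic states.

```python
import statistics

# Constructed basic safety messages (BSMs) seen on one 1 km segment in one snapshot:
# (vehicle_id, position_m, reported_speed_m_s). V09 reports an implausible speed for this density.
BSMS = [
    ("V01", 40.0, 21.0), ("V02", 105.0, 22.5), ("V03", 170.0, 23.0), ("V04", 240.0, 21.5),
    ("V05", 300.0, 22.0), ("V06", 370.0, 23.5), ("V07", 440.0, 22.0), ("V08", 500.0, 21.0),
    ("V09", 560.0, 45.0), ("V10", 630.0, 22.5), ("V11", 700.0, 23.0), ("V12", 760.0, 21.5),
    ("V13", 830.0, 22.0), ("V14", 890.0, 22.5), ("V15", 950.0, 23.0),
]

# Assumed steady-state model: Greenshields' linear speed-density relation, with assumed constants.
FREE_FLOW_SPEED = 25.0  # m/s
JAM_DENSITY = 150.0     # veh/km


def steady_state_speed(density_veh_per_km, v_f=FREE_FLOW_SPEED, k_j=JAM_DENSITY):
    """Greenshields: v = v_f * (1 - k / k_j)."""
    return v_f * (1.0 - density_veh_per_km / k_j)


def macroscopic_state(bsms, segment_km=1.0):
    """Macroscopic view built from all reports: density k, space-mean speed v, flow q = k * v."""
    k = len(bsms) / segment_km
    v = statistics.mean(s for _, _, s in bsms)  # m/s
    return {"density_veh_per_km": k, "space_mean_speed_m_s": v, "flow_veh_per_h": k * v * 3.6}


def substantiate_speeds(bsms, segment_km=1.0, tol_m_s=5.0):
    """Flag a report whose speed disagrees both with the steady-state prediction for the observed
    density and with the leave-one-out median speed of the other vehicles. Requiring both keeps a
    single false reporter from shifting the reference it is judged against."""
    k = len(bsms) / segment_km
    v_pred = steady_state_speed(k)
    flagged = []
    for vid, _, speed in bsms:
        others = [s for o, _, s in bsms if o != vid]
        v_ref = statistics.median(others)
        if abs(speed - v_pred) > tol_m_s and abs(speed - v_ref) > tol_m_s:
            flagged.append(vid)
    return flagged


def shockwave_speed_kmh(k1, q1, k2, q2):
    """Speed of the boundary between two traffic states (k in veh/km, q in veh/h):
    w = (q2 - q1) / (k2 - k1). A vehicle's reported position history can be checked against
    where this front should be at each time."""
    return (q2 - q1) / (k2 - k1)


if __name__ == "__main__":
    print(macroscopic_state(BSMS))
    print("steady-state speed for this density: %.1f m/s" % steady_state_speed(15.0))
    print("flagged:", substantiate_speeds(BSMS))
    # Light upstream traffic meeting a denser downstream state; constructed values.
    print("shockwave: %.1f km/h" % shockwave_speed_kmh(30, 720, 100, 1000))
```

The density used for the prediction is itself computed from the reports, so a coordinated group of reporters could still move it; the leave-one-out reference limits what a single reporter can do, which matches the abstract's point that one anomalous vehicle is the realistic threat.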

    A methodology for the quantitative evaluation of attacks and mitigations in IoT systems

    PhD thesis. As we move towards a more distributed and unsupervised internet, namely through the Internet of Things (IoT), the avenues of attack multiply. To compound these issues, while attacks are developing, the current security of devices is much lower than for traditional systems. In this thesis I propose a new methodology for white-box behaviour intrusion detection in constrained systems. I leverage the characteristics of these types of systems, namely their heterogeneity, distributed nature, and constrained capabilities, to devise a pipeline that, given a specification of an IoT scenario, can generate an actionable intrusion detection system to protect it. I identify key IoT scenarios for which more traditional black-box approaches would not suffice, and devise means to bypass these limitations. The contributions include: 1) a survey of intrusion detection for IoT; 2) a modelling technique to observe interactions in IoT deployments; 3) a modelling approach that focuses on the observation of specific attacks on possible configurations of IoT devices. Combining these components, a specification of the system as per contribution 2 and an attack specification as per contribution 3, we can deploy a bespoke behaviour-based IDS for the specified system. This one-of-a-kind approach allows for the quick and efficient generation of attack detection from the onset, positioning this approach as particularly suitable to dynamic and constrained IoT environments

    A systematic design approach to IOT security for legacy production machinery

    The Internet of Things (IoT) is an emerging topic of rapidly growing technical importance for industry. The aim is to connect objects with unique identifiers and combine them with internet connectivity for data transfer. This advanced connectivity has significant potential in the workshop-level upgrade of existing legacy equipment to unlock new features and economic benefits, especially for monitoring and control applications. However, the introduction of the Industrial Internet of Things (IIoT) brings new additional security and integrity risks for the industrial environment in the form of network, communication, software and hardware security risks. This thesis addresses such fundamental new risks at their root by introducing a novel approach for IoT-enabled monitoring of legacy production machinery, which consists of five stages incorporating security-by-design features. The first two phases of this novel approach aim to analyse current monitoring practices and the security and vulnerability issues related to the application domain. The proposed approach applies three more stages which make the domain-relevant analysis application-specific. These include a detailed model of the application context of legacy production machinery monitoring, together with its interfaces and functionality, and the implementation of threat mitigations combined with a new modular IoT DAQ unit mechanism, validated by functional tests against Denial of Service (DoS) and clone attacks. Thus, to be effective, the design approach is further developed with application-specific functionality. This research demonstrates an instance of this innovative risk-averse design thinking by introducing an IoT device design which is applicable to a wide set of industrial scenarios. A practical showcase example of a specific implementation of the generic IoT design is given through a concrete industrial application that upgrades existing legacy machine tool equipment. 
The reported work establishes a novel viewpoint for the understanding of IoT security risks and their consequent mitigation, opening a new space of risk-averse designs that can bring significant confidence in the data, safety, and security of IoT-enabled industry.

    Applied Metaheuristic Computing

    For decades, Applied Metaheuristic Computing (AMC) has been a prevailing optimization technique for tackling perplexing engineering and business problems, such as scheduling, routing, ordering, bin packing, assignment and facility layout planning, among others. This is partly because the classic exact methods are constrained by prior assumptions, and partly because plain heuristics are problem-dependent and lack generalization. AMC, on the contrary, guides the course of low-level heuristics to search beyond local optimality, the limitation that impairs the capability of traditional computation methods. This topic series has collected quality papers proposing cutting-edge methodology and innovative applications which drive the advances of AMC

    Optimising sybil attacks against P2P-based botnets
