Fast flux botnet detection framework using adaptive dynamic evolving spiking neural network algorithm

A botnet, a set of compromised machines controlled distantly by an attacker, is the basis of numerous security threats around the world. Command and Control servers are the backbones of botnet communications, where the bots and botmasters send report and attack orders to each other. Botnets are also categorized according to their C&C protocols. A Domain Name System method known as Fast-Flux Service Network (FFSN) – a special type of botnet – has been engaged by bot herders to cover malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain name over time. Although several methods have been suggested for detecting FFSNs, they have low detection accuracy especially with zero-day domain. In this research, we propose a new system called Fast Flux Killer System (FFKS) that has the ability to detect FF-Domains in online mode with an implementation constructed on Adaptive Dynamic evolving Spiking Neural Network (ADeSNN). The proposed system proved its ability to detect FF domains in online mode with high detection accuracy (98.77%) compare with other algorithms, with low false positive and negative rates respectively. It is also proved a high level of performance. Additionally, the proposed adaptation of the algorithm enhanced and helped in the parameters customization process

Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

DNS Traffic analysis for botnet detection

Botnets pose a major threat to cyber security. Given that firewalls typically prevent unsolicited incoming traffic from reaching hosts internal to the local area network, it is up to each bot to initiate a connection with its remote Command and Control (C&C) server. To perform this task a bot can use either a hardcoded IP address or perform a DNS lookup for a predefined or algorithmically-generated domain name. Modern malware increasingly utilizes DNS to enhance the overall availability and reliability of the C&C communication channel. In this paper we present a prototype botnet detection system that leverages passive DNS traffic analysis to detect a botnet’s presence in a local area network. A naive Bayes classifier is trained on features extracted from both benign and malicious DNS traffic traces and its performance is evaluated. Since the proposed method relies on DNS traffic, it permits the early detection of bots on the network. In addition, the method does not depend on the number of bots operating in the local network and is effective when only a small number of infected machines are present

Multi-Stage Detection Technique for DNS-Based Botnets

Domain Name System (DNS) is one of the most widely used protocols in the Internet. The main purpose of the DNS protocol is mapping user-friendly domain names to IP addresses. Unfortunately, many cyber criminals deploy the DNS protocol for malicious purposes, such as botnet communications. In this type of attack, the botmasters tunnel communications between the Command and Control (C&C) servers and the bot-infected machines within DNS request and response. Designing an effective approach for botnet detection has been done previously based on specific botnet types Since botnet communications are characterized by different features, botmasters may evade detection methods by modifying some of these features. This research aims to design and implement a multi-staged detection approach for Domain Generation Algorithm (DGA), Fast Flux Service Network, and Domain Flux-based botnets, as well as encrypted DNS tunneled-based botnets using the BRO Network Security Monitor. This approach is able to detect DNS-based botnet communications by relying on analyzing different techniques used for finding the C&C server, as well as encrypting the malicious traffic