
    Proactive Botnet Detection and Defense at Internet scale

    Botnets provide the basis for various cyber-threats. However, setting up a complex botnet infrastructure often involves registration of domain names in the domain name system (DNS). Active as well as passive monitoring approaches can be used to detect domains that are registered for botnets and other malicious activities. We present a novel architecture for proactive botnet detection and defense based on large-scale DNS measurement and smart pattern recognition using machine learning.

    Monitoring the DNS Infrastructure for Proactive Botnet Detection

    Botnets enable many cyber-criminal activities, such as DDoS attacks, banking fraud and cyber-espionage. Botmasters use various techniques to create, maintain and hide their complex C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. However, botnets often use the domain name system (DNS), e.g., to find peers and register malicious domains. Since botmasters manage a large distributed overlay network but have limited personal resources, they tend to automate domain registration, e.g. using domain name generation algorithms (DGAs). Such automatically generated domains share similarities and appear to be registered in close temporal proximity. These characteristics can be used for bot detection while the botnet's deployment is still in preparation. Hence, the goal of this research is early detection of botnets to facilitate proactive mitigation strategies. Such a proactive approach prevents botnets from evolving to their full size and attack power. As many end users are unable to detect and clean infected machines, we favour a provider-based approach involving ISPs and DNS registrars. This approach benefits from the provider's overview of the network, which allows the discovery of behavioural similarities between different connected systems. The benefit of tackling distributed large-scale attacks at provider level has been discussed and demonstrated in previous studies by others. Further, initiatives to incentivise ISP-centred botnet mitigation are already ongoing. Previous research already addressed the domain registration behaviour of spammers and demonstrated DGA-based malware detection. In contrast, our approach includes the detection of malicious DNS registration behaviour, which we currently analyse for the .com, .net and .org top-level domains. These domains represent half of the registered Internet domains. By combining DNS registration behaviour analysis with passive monitoring of DNS requests and IP flows, we are able to tackle botnets throughout their whole life-cycle.

    How to Achieve Early Botnet Detection at the Provider Level?

    Botnets are an enabler for many cyber-criminal activities and are often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster who uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flux to increase resilience against take-down actions. Second, botnets encrypt their communication payload to prevent signature-based detection. Both the actions to increase resilience and the prevention of signature-based detection are counteractions against detection techniques. In contrast to existing approaches, our novel approach includes DNS registration behaviour, which we currently analyse for the .com, .net and .org domains, representing half of the registered domains on the Internet. Hence, the goal of this PhD research is to enable early detection of the deployment and operation of botnets to facilitate proactive mitigation strategies, whereas current approaches usually detect botnets only once they are already in active use. Consequently, this proactive approach prevents botnets from fully evolving their size and attack power. Moreover, as many end users are unable to detect and clean infected machines, our approach tackles the botnet phenomenon without requiring any end user involvement, by incorporating ISPs and domain name registrars. In addition, this will enable the discovery of similar behaviour across different connected systems, which allows detection in cases where bots are registered under domains that are not willing to cooperate.

    How well can machine-generated texts be identified and can language models be trained to avoid identification?

    With the rise of generative pre-trained transformer models such as GPT-3, GPT-NeoX, or OPT, distinguishing human-generated texts from machine-generated ones has become important. We refined five separate language models to generate synthetic tweets, uncovering that shallow learning classification algorithms, like Naive Bayes, achieve detection accuracy between 0.6 and 0.8. Shallow learning classifiers differ from human-based detection, especially when higher temperature values are used during text generation, which results in a lower detection rate. Humans prioritize linguistic acceptability, which tends to be higher at lower temperature values. In contrast, transformer-based classifiers have an accuracy of 0.9 and above. We found that using a reinforcement learning approach to refine our generative models can successfully evade BERT-based classifiers, reducing detection accuracy to 0.15 or less. Comment: This paper has been accepted for the upcoming 57th Hawaii International Conference on System Sciences (HICSS-57).

    The Digital MIQE Guidelines Update: Minimum Information for Publication of Quantitative Digital PCR Experiments for 2020

    Digital PCR (dPCR) has developed considerably since the publication of the Minimum Information for Publication of Digital PCR Experiments (dMIQE) guidelines in 2013, with advances in instrumentation, software, applications, and our understanding of its technological potential. Yet these developments also have associated challenges; data analysis steps, including threshold setting, can be difficult, and preanalytical steps required to purify, concentrate, and modify nucleic acids can lead to measurement error. To assist independent corroboration of conclusions, comprehensive disclosure of all relevant experimental details is required. To support the community and reflect the growing use of dPCR, we present an update to dMIQE, dMIQE2020, including a simplified dMIQE table format to assist researchers in providing key experimental information and understanding of the associated experimental process. Adoption of dMIQE2020 by the scientific community will assist in standardizing experimental protocols, maximize efficient utilization of resources, and further enhance the impact of this powerful technology.

    Orienting and locating ocean-bottom seismometers from ship noise analysis

    Breakthroughs in understanding the structure and dynamics of our planet will strongly depend upon instrumenting deep oceans. Progress has been made in recent decades in ocean-bottom seismic observations, but ocean-bottom seismometer (OBS) temporary deployments are still challenging and face setup limitations. Launched from oceanographic vessels, OBSs fall freely and may drift slightly in the lateral direction, dragged by currents. Therefore, their actual orientation and location at the landing sites are hard to assess precisely. Numerous techniques have been developed to retrieve this key information, but most of them are costly, time-consuming or inaccurate. In this work, we show how ship noise can be used as an acoustic source of opportunity to retrieve both the orientation and the location of OBSs on the ocean floor. To retrieve the OBS orientation, we developed a first method based on a combination of seismic and pressure data through the use of the acoustic intensity. The latter can be used to quantify the OBS orientation from the ship noise direction of arrival (DOA), which can then be compared with known ship trajectories obtained from the automatic identification system (AIS). To accurately relocate OBSs, we also developed a second method based on the hydrophone data, which computes distances to acoustic sources by measuring time differences of arrival (TDOA) between direct and reverberated phases. The OBS location is then retrieved by fitting measured ship distances to known ship trajectories. In this study, a full network of OBSs deployed in the SW Indian Ocean was reoriented and a test station was relocated. We demonstrate that our new methods may quantify the OBS orientation with an accuracy of about one degree, and its location with an accuracy of a few tens of metres, depending on the number of ships used in the analysis.

    Imagerie mantellique du point chaud de La Réunio