ABSTRACTEconomics play an increasingly important role in fighting cyber crimes. While the arms race against botnet problems has achieved limited success, we propose an approach attacking botnets through affecting a botnet market structure. The characteristics of the present underground botnet market suggest that it functions effectively as perfectly competitive. Competitive markets are usually efficient. We argue that less competition in the botnet market is actually preferred. Our economic analysis suggests that monopoly reduces the overall market output of botnets. Using a model of market structure evolution, we identify key forces that affect the botnet market structure and propose possible ways such as defaming botnet entrants to reduce competition, which ultimately reduce the size and output of the botnet market. The analysis provides useful insight to botnet defenders as a guidance on an efficient allocation of defending resources by attacking more on new entrants to the botnet market relative to the existing botmasters. 相似文献
Mathematical models of botnet propagation dynamics are increasingly deemed to have potential for significant contribution to botnet mitigation. Botnet virulence, which comprises network vulnerability rate and network infection rate, is a key factor in those models. In this paper we discuss a practical approach that draws on epidemiological models in biology to estimate the botnet virulence in a network. Our research provides mathematical models of botnet propagation dynamics with concrete measures of botnet virulence, which make those models practical and hence employable in mitigation of real world botnets in a timely fashion. The approach is based on random sampling and follows a novel application of statistical learning and inference in a botnet-versus-network setting. We have implemented this research in the Matlab programming language. In this paper, we discuss an experimental evaluation of the effectiveness of this research with respect to botnet propagation dynamics realistically simulated in a GTNetS network simulation platform. 相似文献
Recognized as one the most serious security threats on current Internet infrastructure, botnets can not only be implemented by existing well known applications, e.g. IRC, HTTP, or Peer-to-Peer, but also can be constructed by unknown or creative applications, which makes the botnet detection a challenging problem. Previous attempts for detecting botnets are mostly to examine traffic content for bot command on selected network links or by setting up honeypots. Traffic content, however, can be encrypted with the evolution of botnet, and as a result leading to a fail of content based detection approaches. In this paper, we address this issue and propose a new approach for detecting and clustering botnet traffic on large-scale network application communities, in which we first classify the network traffic into different applications by using traffic payload signatures, and then a novel decision tree model is used to classify those traffic to be unknown by the payload content (e.g. encrypted traffic) into known application communities where network traffic is clustered based on n-gram features selected and extracted from the content of network flows in order to differentiate the malicious botnet traffic created by bots from normal traffic generated by human beings on each specific application. We evaluate our approach with seven different traffic trace collected on three different network links and results show the proposed approach successfully detects two IRC botnet traffic traces with a high detection rate and an acceptable low false alarm rate. 相似文献
Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity. However, the C&C protocols of botnets, similar to many other application layer protocols, are undocumented. Automatic protocol reverse-engineering techniques enable understanding undocumented protocols and are important for many security applications, including the analysis and defense against botnets. For example, they enable active botnet infiltration, where a security analyst rewrites messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation.In this work, we propose a novel approach to automatic protocol reverse engineering based on dynamic program binary analysis. Compared to previous work that examines the network traffic, we leverage the availability of a program that implements the protocol. Our approach extracts more accurate and complete protocol information and enables the analysis of encrypted protocols. Our automatic protocol reverse-engineering techniques extract the message format and field semantics of protocol messages sent and received by an application that implements an unknown protocol specification. We implement our techniques into a tool called Dispatcher and use it to analyze the previously undocumented C&C protocol of MegaD, a spam botnet that at its peak produced one third of the spam on the Internet. 相似文献
In this paper, we present a general model for an advanced peer-to-peer (P2P) botnet, in which the performance of the botnet can be systematically studied. From the model, we can derive five performance metrics to describe the robustness, security and efficiency of the botnet. Additionally, we analyze the relationship between the performance metrics and the model feature metrics of the botnet, and it is helpful to study the botnet under different model feature metrics. Furthermore, the proposed model can be easily applied to other types of botnets. Finally, taking the robustness and security into consideration, an optimization scheme for designing an optimal P2P botnet is proposed. 相似文献
Russian advertisement offering botnet servicesThe purpose of this article is to examine to what extent botnets pose a threat to information security. In Chapter 1 the terms in the title are defined, and a comprehensive overview of botnets is provided in order to equip the reader with an understanding of the context for the remaining chapters. The motives for using botnets and the methods in which they are used are outlined. The methods of botnet attack are then analysed in terms of their potential impact on information security and a conclusion is drawn that botnets are indeed a threat to information security in general terms.Chapter 2 then goes on to examine the extent of the threat from the three different perspectives of governments, corporate and the general public. The threats from each perspective and their impacts are identified, and each threat type for each perspective is then categorised in terms of probability and potential impact. The extent of the threat of each botnet-related attack from each perspective is then assessed using a model recommended by ISO/IEC 27005:2008, and the conclusion is drawn that the extent of the threat that botnets pose to governments, corporates and the general public is High.In Chapter 3, we look at how law enforcement agencies investigate botnets and the criminals behind them, and establish the challenges they face in doing so. It is clear that law enforcement face an uphill struggle due to technical tricks employed by the botherders to remain untraceable, lack of resources with the necessary skillset, the legal complexity of working with multiple jurisdictions, and procedural delays working with foreign law enforcement agencies. The conclusion is drawn that botnets are here to stay and that for the time being the botherders will have the upper hand. 相似文献
Detecting botnet behaviors in networks is a popular topic in the current research literature. The problem of detection of P2P botnets has been denounced as one of the most difficult ones, and this is even sounder when botnets use existing P2P networks infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control communications (C&C) between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme which is based on modeling the evolution of the number of peers sharing a resource in a P2P network over time. This allows to detect abnormal behaviors associated to parasite P2P botnet resources in this kind of environments. We perform extensive experiments on Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered. 相似文献
To defend oneself against botnet attacks, one must have tools that make it possible to investigate the processes occurring on all stages of the lifecycle of botnets (propagation, control, attack) and possess defense mechanisms that can counteract botnets. A simulation-based approach to the investigation of botnets and the corresponding defense mechanisms is proposed. The simulation is performed using a special software environment developed by the authors. The architecture of this environment and the libraries needed to create models of botnets and defense mechanisms are described. Experimental data demonstrating the capabilities of the simulation environment for studying various stages of the botnet lifecycle and the efficiency of the corresponding defense mechanisms are discussed. 相似文献
Botnets are a serious threat to cyber-security. As a consequence, botnet detection has become an important research topic in network protection and cyber-crime prevention. P2P botnets are one of the most malicious zombie networks, as their architecture imitates P2P software. Characteristics of P2P botnets include (1) the use of multiple controllers to avoid single-point failure; (2) the use of encryption to evade misuse detection technologies; and (3) the capacity to evade anomaly detection, usually by initiating numerous sessions without consuming substantial bandwidth. To overcome these difficulties, we propose a novel data mining method. First, we identify the differences between P2P botnet behavior and normal network behavior. Then, we use these differences to tune the data-mining parameters to cluster and distinguish normal Internet behavior from that lurking P2P botnets. This method can identify a P2P botnet without breaking the encryption. Furthermore, the detection system can be deployed without altering the existing network architecture, and it can detect the existence of botnets in a complex traffic mix before they attack. The experimental results reveal that the method is effective in recognizing the existence of botnets. Accordingly, the results of this study will be of value to information security academics and practitioners. 相似文献
Botnets pose significant threats to cybersecurity. The infected Internet of Things (IoT) devices are used to launch unsupported malicious activities on target entities to disrupt their operations and services. To address this danger, we propose a machine learning-based method, for detecting botnets by analyzing network traffic data flow including various types of botnet attacks. Our method uses a hybrid model where a Variational AutoEncoder (VAE) is trained in an unsupervised manner to learn latent representations that describe the benign traffic data, and one-class classifier (OCC) for detecting anomaly (also called novelty detection). The main aim of this research is to learn the discriminating representations of the normal data in low dimensional latent space generated by VAE, and thus improve the predictive power of the OCC to detect malicious traffic. We have evaluated the performance of our model, and compared it against baseline models using a real network based dataset, containing popular IoT devices, and presenting a wide variety of attacks from two recent botnet families Mirai and Bashlite. Tests showed that our model can detect botnets with a satisfactory performance.