Toward a Monopoly Botnet Market

ABSTRACT

Economics play an increasingly important role in fighting cyber crimes. While the arms race against botnet problems has achieved limited success, we propose an approach attacking botnets through affecting a botnet market structure. The characteristics of the present underground botnet market suggest that it functions effectively as perfectly competitive. Competitive markets are usually efficient. We argue that less competition in the botnet market is actually preferred. Our economic analysis suggests that monopoly reduces the overall market output of botnets. Using a model of market structure evolution, we identify key forces that affect the botnet market structure and propose possible ways such as defaming botnet entrants to reduce competition, which ultimately reduce the size and output of the botnet market. The analysis provides useful insight to botnet defenders as a guidance on an efficient allocation of defending resources by attacking more on new entrants to the botnet market relative to the existing botmasters.     

一种抗污染的混合P2P僵尸网络

基于Peer-list的混合型P2P僵尸网络代表了一类高级僵尸网络形态,这种僵尸网络的优势是可抵抗传统P2P僵尸网络易受的索引污染（Index Poisoning）攻击和女巫（Sybil）攻击,然而却引入了新的问题——易受Peer-list污染攻击。本文提出一种新颖的混合P2P僵尸网络设计模型,在僵尸网络构建和Peer-list更新的整个生命周期中引入信誉机制,使得Peer-list污染攻击难以发挥作用。实验证明该模型具备很强的抗污染能力和很高的健壮性,因此对网络安全防御造成了新的威胁。最后,我们提出了若干可行的防御方法。本文旨在增加防御者对高级僵尸网络的理解,以促进更有效的网络防御。     

面向可扩展僵尸网络的安全控制方法

僵尸网络是互联网面临的主要威胁之一。当前,网络服务类型多样、安全漏洞频出、以物联网设备为代表的海量联网设备部署更加有利于僵尸网络全球扩展。未来僵尸网络将更加具有跨平台特性和隐匿性,这给网络空间带来了严重的安全隐患。因此,针对僵尸网络自身开展深入研究,可以为新的僵尸网络防御研究提供研究对象,对于设计下一代网络安全防护体系具有重要意义。提出一种基于HTTP的可扩展僵尸网络框架来解决僵尸网络自身存在的兼容性、隐匿性与安全性问题,该框架基于中心式控制模型, 采用HTTP 作为僵尸网络通信协议,并对通信内容进行基于对称密码学的块加密。进一步地,提出了一种面向多平台架构的僵尸网络安全控制方法,该方法利用源码级代码集成与交叉编译技术解决兼容性问题,引入动态密钥加密通信机制克服传统僵尸网络流量存在规律性和易被分析的不足,设计服务器迁移与重连机制解决中心式僵尸网络模型存在的单点失效问题,以提高僵尸网络存活率。3 个不同控制性水平场景下的仿真实验结果表明,僵尸网络的规模与其命令与控制（C＆amp;C,command and control）服务器服务负载之间存在线性关系;此外,在僵尸网络规模相同的条件下,越高的控制性会带来越高的吞吐量和越大的系统负载,从而验证了所提方法的有效性和现实可行性。     

Estimating botnet virulence within mathematical models of botnet propagation dynamics

Mathematical models of botnet propagation dynamics are increasingly deemed to have potential for significant contribution to botnet mitigation. Botnet virulence, which comprises network vulnerability rate and network infection rate, is a key factor in those models. In this paper we discuss a practical approach that draws on epidemiological models in biology to estimate the botnet virulence in a network. Our research provides mathematical models of botnet propagation dynamics with concrete measures of botnet virulence, which make those models practical and hence employable in mitigation of real world botnets in a timely fashion. The approach is based on random sampling and follows a novel application of statistical learning and inference in a botnet-versus-network setting. We have implemented this research in the Matlab programming language. In this paper, we discuss an experimental evaluation of the effectiveness of this research with respect to botnet propagation dynamics realistically simulated in a GTNetS network simulation platform.     

动态自组织P2P僵尸网络的构建及其防御

僵尸网络作为大规模攻击活动的基础平台,严重威胁网络空间安全,从预测的角度对其开展研究具有重要的现实意义。针对现有研究在终端感知、身份识别和动态对抗中存在的不足,本文概括僵尸网络生命周期,总结P2P结构僵尸网络的脆弱点,建立P2P僵尸网络动态对抗模型,分析节点真实性判断和网络拓扑优化重构的重要性。在此基础上,从攻击者视角提出一种新颖的动态自组织P2P僵尸网络模型DSBot。该模型在架构设计上可扩展至各类目标设备,通过基于可信度矩阵和真实性验证的节点安全性评估机制增强终端对抗性,并提出分阶段感染策略。借鉴无线自组网和多智能体的思路和方法,刻画节点属性多维表示和基于状态标识的动态网络框架,以此为基础设计O(N_i)更新算法、均匀连接算法和节点主动移除算法,并结合相应的初始化和调整机制提出网络自组织重构策略,从而进一步提升网络的健壮性。其中,O(N_i)更新算法确保节点的可信度,均匀连接算法降低网络暴露风险,节点主动移除算法实时移除可疑节点。从平均等待时间、命令可达率、网络连接度和重构稳定时间等方面对DSBot模型进行评估。实验结果表明,DSBot模型在效率和韧性上可满足僵尸网络命令控制机制的基本需求。最后,从终端清除、命令控制服务器打击和命令控制过程等方面讨论了可能的防御策略。本文旨在通过预测新型僵尸网络模型来完善防御解决方案。     

Clustering botnet communication traffic based on n-gram feature selection

Recognized as one the most serious security threats on current Internet infrastructure, botnets can not only be implemented by existing well known applications, e.g. IRC, HTTP, or Peer-to-Peer, but also can be constructed by unknown or creative applications, which makes the botnet detection a challenging problem. Previous attempts for detecting botnets are mostly to examine traffic content for bot command on selected network links or by setting up honeypots. Traffic content, however, can be encrypted with the evolution of botnet, and as a result leading to a fail of content based detection approaches. In this paper, we address this issue and propose a new approach for detecting and clustering botnet traffic on large-scale network application communities, in which we first classify the network traffic into different applications by using traffic payload signatures, and then a novel decision tree model is used to classify those traffic to be unknown by the payload content (e.g. encrypted traffic) into known application communities where network traffic is clustered based on n-gram features selected and extracted from the content of network flows in order to differentiate the malicious botnet traffic created by bots from normal traffic generated by human beings on each specific application. We evaluate our approach with seven different traffic trace collected on three different network links and results show the proposed approach successfully detects two IRC botnet traffic traces with a high detection rate and an acceptable low false alarm rate.     

僵尸网络中的关键问题

僵尸网络是一种复杂、灵活、高效的网络攻击平台,在互联网中分布非常广泛.僵尸网络使攻击者具备了实施大规模恶意活动的能力,如发送垃圾邮件、发动分布式拒绝服务攻击等.由于其危害日益严重,僵尸网络已经成为网络安全研究的热点之一.但是近年来,僵尸网络新的发展、变化,突破了以往对僵尸网络的认知.文中分析僵尸网络的现有研究,对僵尸网络进行了重新定义,并从网络结构、网络独立性和信息传递方式等角度对僵尸网络的类型进行了划分;然后,梳理了僵尸网络检测技术、测量技术和反制技术等方面的工作;最后,给出了僵尸网络的演化趋势和未来研究方向.     

基于流量摘要的僵尸网络检测

随着僵尸网络的日益进化,检测和防范僵尸网络攻击成为网络安全研究的重要任务.现有的研究很少考虑到僵尸网络中的时序模式,并且在实时僵尸网络检测中效果不佳,也无法检测未知的僵尸网络.针对这些问题,本文提出了基于流量摘要的僵尸网络检测方法,首先将原始流数据按照源主机地址聚合,划分适当的时间窗口生成流量摘要记录,然后构建决策树、随机森林和XGBoost机器学习分类模型.在CTU-13数据集上的实验结果表明,本文提出的方法能够有效检测僵尸流量,并且能够检测未知僵尸网络,此外,借助Spark技术也能满足现实应用中快速检测的需要.     

Automatic protocol reverse-engineering: Message format extraction and field semantics inference

Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity. However, the C&C protocols of botnets, similar to many other application layer protocols, are undocumented. Automatic protocol reverse-engineering techniques enable understanding undocumented protocols and are important for many security applications, including the analysis and defense against botnets. For example, they enable active botnet infiltration, where a security analyst rewrites messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation.In this work, we propose a novel approach to automatic protocol reverse engineering based on dynamic program binary analysis. Compared to previous work that examines the network traffic, we leverage the availability of a program that implements the protocol. Our approach extracts more accurate and complete protocol information and enables the analysis of encrypted protocols. Our automatic protocol reverse-engineering techniques extract the message format and field semantics of protocol messages sent and received by an application that implements an unknown protocol specification. We implement our techniques into a tool called Dispatcher and use it to analyze the previously undocumented C&C protocol of MegaD, a spam botnet that at its peak produced one third of the spam on the Internet.     

Modeling and evaluating of typical advanced peer-to-peer botnet

In this paper, we present a general model for an advanced peer-to-peer (P2P) botnet, in which the performance of the botnet can be systematically studied. From the model, we can derive five performance metrics to describe the robustness, security and efficiency of the botnet. Additionally, we analyze the relationship between the performance metrics and the model feature metrics of the botnet, and it is helpful to study the botnet under different model feature metrics. Furthermore, the proposed model can be easily applied to other types of botnets. Finally, taking the robustness and security into consideration, an optimization scheme for designing an optimal P2P botnet is proposed.     

一种分布式的僵尸网络实时检测算法

僵尸网络通过控制的主机实现多类恶意行为,使得当前的检测方法失效,其中窃取敏感数据已经成为主流。鉴于僵尸网络实现的恶意行为,检测和减轻方法的研究已经势在必行。提出了一种新颖的分布式实时僵尸网络检测方法,该方法通过将Netflow组织成主机Netflow图谱和主机关系链,并提取隐含的C&C通信特征来检测僵尸网络。同时,基于Spark Streaming分布式实时流处理引擎,使用该算法实现了BotScanner分布式检测系统。为了验证该系统的有效性,采用5个主流的僵尸网络家族进行训练,并分别使用模拟网络流量和真实网络流量进行测试。实验结果表明,在无需深度包解析的情况下,BotScanner分布式检测系统能够实时检测指定的僵尸网络,并获得了较高的检测率和较低的误报率。而且,在真实的网络环境中,BotScanner分布式检测系统能够进行实时检测,加速比接近线性,验证了Spark Streaming引擎在分布式流处理方面的优势,以及用于僵尸网络检测方面的可行性。     

Botnets: To what extent are they a threat to information security?

1. Download : Download high-res image (158KB)
2. Download : Download full-size image

Russian advertisement offering botnet services

The purpose of this article is to examine to what extent botnets pose a threat to information security. In Chapter 1 the terms in the title are defined, and a comprehensive overview of botnets is provided in order to equip the reader with an understanding of the context for the remaining chapters. The motives for using botnets and the methods in which they are used are outlined. The methods of botnet attack are then analysed in terms of their potential impact on information security and a conclusion is drawn that botnets are indeed a threat to information security in general terms.Chapter 2 then goes on to examine the extent of the threat from the three different perspectives of governments, corporate and the general public. The threats from each perspective and their impacts are identified, and each threat type for each perspective is then categorised in terms of probability and potential impact. The extent of the threat of each botnet-related attack from each perspective is then assessed using a model recommended by ISO/IEC 27005:2008, and the conclusion is drawn that the extent of the threat that botnets pose to governments, corporates and the general public is High.In Chapter 3, we look at how law enforcement agencies investigate botnets and the criminals behind them, and establish the challenges they face in doing so. It is clear that law enforcement face an uphill struggle due to technical tricks employed by the botherders to remain untraceable, lack of resources with the necessary skillset, the legal complexity of working with multiple jurisdictions, and procedural delays working with foreign law enforcement agencies. The conclusion is drawn that botnets are here to stay and that for the time being the botherders will have the upper hand.     

P2P僵尸网络研究

P2P僵尸网络是一种新型网络攻击方式,因其稳定可靠、安全隐蔽的特性被越来越多地用于实施网络攻击,给网络安全带来严峻挑战.为深入理解P2P僵尸网络工作机理和发展趋势,促进检测技术研究,首先分析了P2P僵尸程序功能结构,然后对P2P僵尸网络结构进行了分类,并分析了各类网络结构的特点;在介绍了P2P僵尸网络生命周期的基础上,着重阐述了P2P僵尸网络在各个生命周期的工作机制;针对当前P2P僵尸网络检测研究现状,对检测方法进行了分类并介绍了各类检测方法的检测原理;最后对P2P僵尸网络的发展趋势进行了展望,并提出一种改进的P2P僵尸网络结构.     

僵尸网络机理与防御技术

以僵尸网络为载体的各种网络攻击活动是目前互联网所面临的最为严重的安全威胁之一.虽然近年来这方面的研究取得了显著的进展,但是由于僵尸网络不断演化、越来越复杂和隐蔽以及网络和系统体系结构的限制给检测和防御带来的困难,如何有效应对僵尸网络的威胁仍是一项持续而具有挑战性的课题.首先从僵尸网络的传播、攻击以及命令与控制这3个方面介绍了近年来僵尸网络工作机制的发展,然后从监测、工作机制分析、特征分析、检测和主动遏制这5个环节对僵尸网络防御方面的研究进行总结和分析,并对目前的防御方法的局限、僵尸网络的发展趋势和进一步的研究方向进行了讨论.     

P2P僵尸网络研究与进展

由于基于IRC协议的僵尸网络存在单点失效的天然缺陷,越来越多的僵尸网络转而使用非集中式命令与控制信道。基于P2P协议的僵尸网络就是其中最重要的一种。P2P僵尸网络经过10多年的发展,技术已经完全成熟,它们具有更强的弹性和鲁棒性,更难以被清除,被认为是新一代的僵尸网络。阐述了P2P僵尸网络的发展历程,详细分析了功能结构、分类方法和工作过程,介绍了P2P僵尸网络传播模型和跟踪、检测、防御方法的研究进展。     

Resource monitoring for the detection of parasite P2P botnets

Detecting botnet behaviors in networks is a popular topic in the current research literature. The problem of detection of P2P botnets has been denounced as one of the most difficult ones, and this is even sounder when botnets use existing P2P networks infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control communications (C&C) between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme which is based on modeling the evolution of the number of peers sharing a resource in a P2P network over time. This allows to detect abnormal behaviors associated to parasite P2P botnet resources in this kind of environments. We perform extensive experiments on Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered.     

Simulation-based study of botnets and defense mechanisms against them

To defend oneself against botnet attacks, one must have tools that make it possible to investigate the processes occurring on all stages of the lifecycle of botnets (propagation, control, attack) and possess defense mechanisms that can counteract botnets. A simulation-based approach to the investigation of botnets and the corresponding defense mechanisms is proposed. The simulation is performed using a special software environment developed by the authors. The architecture of this environment and the libraries needed to create models of botnets and defense mechanisms are described. Experimental data demonstrating the capabilities of the simulation environment for studying various stages of the botnet lifecycle and the efficiency of the corresponding defense mechanisms are discussed.     

A novel method of mining network flow to detect P2P botnets

Botnets are a serious threat to cyber-security. As a consequence, botnet detection has become an important research topic in network protection and cyber-crime prevention. P2P botnets are one of the most malicious zombie networks, as their architecture imitates P2P software. Characteristics of P2P botnets include (1) the use of multiple controllers to avoid single-point failure; (2) the use of encryption to evade misuse detection technologies; and (3) the capacity to evade anomaly detection, usually by initiating numerous sessions without consuming substantial bandwidth. To overcome these difficulties, we propose a novel data mining method. First, we identify the differences between P2P botnet behavior and normal network behavior. Then, we use these differences to tune the data-mining parameters to cluster and distinguish normal Internet behavior from that lurking P2P botnets. This method can identify a P2P botnet without breaking the encryption. Furthermore, the detection system can be deployed without altering the existing network architecture, and it can detect the existence of botnets in a complex traffic mix before they attack. The experimental results reveal that the method is effective in recognizing the existence of botnets. Accordingly, the results of this study will be of value to information security academics and practitioners.     

Bloccess: Enabling Fine-Grained Access Control Based on Blockchain

Botnets pose significant threats to cybersecurity. The infected Internet of Things (IoT) devices are used to launch unsupported malicious activities on target entities to disrupt their operations and services. To address this danger, we propose a machine learning-based method, for detecting botnets by analyzing network traffic data flow including various types of botnet attacks. Our method uses a hybrid model where a Variational AutoEncoder (VAE) is trained in an unsupervised manner to learn latent representations that describe the benign traffic data, and one-class classifier (OCC) for detecting anomaly (also called novelty detection). The main aim of this research is to learn the discriminating representations of the normal data in low dimensional latent space generated by VAE, and thus improve the predictive power of the OCC to detect malicious traffic. We have evaluated the performance of our model, and compared it against baseline models using a real network based dataset, containing popular IoT devices, and presenting a wide variety of attacks from two recent botnet families Mirai and Bashlite. Tests showed that our model can detect botnets with a satisfactory performance.

     

移动平台下僵尸网络的研究与发展

随着手机操作系统和移动通信技术的发展。Internet的主要安全威胁之一的僵尸网络已跨步至移动平台,给手机用户造成了巨大的经济威胁,成为移动平台安全的研究重点之一。我们重新定义了僵尸网络,对移动平台下的僵尸网络的发展、体系结果以及命令与控制机制进行分析,并探讨传统僵尸网络扩展到移动僵尸网络的工作,分析移动僵尸网络未来的研究工作的重点。