Chen Lu
ABSTRACT
Botnets are becoming a major source of spam, private data and money steal and other cybercrime. During the battle with security communities, botnets became Tailored Trustworthy Spaces (TTS). Bot herders first used encryption and access control of the botnet command and control channel to secure botnet communications. The use of fastflux and P2P technologies help botnets become more resilient to detection and takendown. Their fast evolving propagation, command and control, and attacks make botnets good examples of moving targets. Detecting and removing botnets has become a difficult and important task for security community. In this paper, we apply timing analysis on P2P hierarchical botnet traffic, since timing signatures commonly exist in automated network processes. We extend previous work to use probabilistic context-free grammars (PCFGs), a more expressive grammar in the Chomsky hierarchy. Experiment results of simulated P2P botnet show that PCFGs have accurate detection rates. Our approach provides possible "exploits" to compromise TTS and moving target systems. Therefore timing signatures should be considered in design to make the system more secure and resilient.
- Citadel - An Open-Source Malware Project. http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html.Google Scholar
- Robot Wars - How Botnets Work. http://www.windowsecurity.com/articles/robot-wars-how-botnets-work.html.Google Scholar
- The threat from P2P botnets. http://www.securelist.com/en/blog/654/Lab_Matters_The_threat_from_P2P_botnets.Google Scholar
- ZeuS Gets More Sophisticated Using P2P Techniques. http://www.abuse.ch/?p=3499.Google Scholar
- Zeus: God of DIY Botnets. http://www.fortiguard.com/analysis/zeusanalysis.html.Google Scholar
- A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman. Compilers: Principles, techniques, and tools, 2nd edition. Pearson Education Inc., 2006. Google ScholarDigital Library
- M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir. A survey of botnet technology and defenses. Conference For Homeland Security, Cybersecurity Applications and Technology, 0:299--304, 2009. Google ScholarDigital Library
- S. Geman and M. Johnson. Probabilistic grammars and their applications. In International Encyclopedia of the Social & Behavioral Sciences, pages 12075--12082, 2002.Google Scholar
- C. Lu and R. Brooks. Botnet traffic detection using hidden markov models. In Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW '11, pages 31:1--31:1, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- C. Lu and R. Brooks. P2p hierarchical botnet traffic detection using hidden markov models. Learning from Authoritative Security Experiment Results Workshop Proceedings, 2012. Google ScholarDigital Library
- C. D. Manning and H. Schutze. Foundations of statistical natural language processing. The MIT Press, 1999. Google ScholarDigital Library
- J. Neter, W. Wasserman, and M. H. Kutner. Applied linear regression models. Irwin Press, 1989.Google Scholar
- C. Noam. Three models for the description of language. Information Theory, IRE Transactions, 2(3):113--124, 1956.Google Scholar
- G. Ollmann. Botnet communication topologies. White Paper of Damballa, 2009.Google Scholar
- L. Wei, T. Mahbod, and A. A. Ghorbani. Automatic discovery of botnet communities on large-scale communication networks. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS '09, pages 1--10, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- C. Wilson. Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for congress. CRS Report for Congress, 2009.Google Scholar
- D. Zwillinger. Standard mathematical tables and formulae. Chapman & Hall/CRC, 2003.Google Scholar
Index Terms
- Timing analysis in P2P botnet traffic using probabilistic context-free grammars
Recommendations
P2P hierarchical botnet traffic detection using hidden Markov models
LASER '12: Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment ResultsBotnets are a major source of spam, distributed denial-of-service attacks (DDoS) and other cybercrime [21]. Compromised computers are usually controlled by a centralized Command and Control (C&C) server. Hidden Markov models (HMMs) have been used ...
Detecting botnet by anomalous traffic
Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and ...
A Botnet Detecting Infrastructure Using a Beneficial Botnet
SIGUCCS '18: Proceedings of the 2018 ACM SIGUCCS Annual ConferenceA beneficial botnet, which tries to cope with technology of malicious botnets such as peer to peer (P2P) networking and Domain Generation Algorithm (DGA), is discussed. In order to cope with such botnets' technology, we are developing a beneficial ...
Comments