TL;DR: It is concluded that comparing methods indeed helps to better estimate how good the methods are, to improve the algorithms, to build better datasets and to build a comparison methodology.
TL;DR: The Exposure system, a system designed to detect malicious domains in real time, by applying 15 unique features grouped in four categories, is presented and the results and lessons learned from 17 months of its operation are described.
Abstract: A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnet command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories. We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy them as a free, online service. In this article, we present the Exposure system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.
TL;DR: This paper revisits flow-based features employed in the existing botnet detection studies and evaluates their relative effectiveness, and creates a dataset containing a diverse set of botnet traces and background traffic.
Abstract: Botnets, as one of the most formidable cyber security threats, are becoming more sophisticated and resistant to detection. In spite of the specific behaviors each botnet has, there exist adequate similarities inside each botnet that separate its behavior from benign traffic. Several botnet detection systems have been proposed based on these similarities. However, offering a solution for differentiating botnet traffic (even those using the same protocol, e.g. IRC) from normal traffic is not trivial. Extraction of features at either the host or network level to model a botnet has been one of the most popular methods in botnet detection. A subset of features, usually selected based on some intuitive understanding of botnets, is used by the machine learning algorithms to classify/cluster botnet traffic. These approaches, tested against two or three botnet traces, have mostly shown satisfactory detection results. However, their effectiveness in detecting other botnets or real traffic remains in doubt. Additionally, the effectiveness of different combinations of features in terms of providing more detection coverage has not been fully studied. In this paper we revisit flow-based features employed in the existing botnet detection studies and evaluate their relative effectiveness. To ensure a proper evaluation we create a dataset containing a diverse set of botnet traces and background traffic.
TL;DR: This paper discusses a DDoS blocking application that runs over the SDN controller while using the standard OpenFlow interface, and investigates how a software-defined network can be utilized to overcome the difficulty and effectively block legitimate-looking DDoS attacks mounted by a larger number of bots.
Abstract: DDoS attacks mounted by botnets today target a specific service, mobilizing only a small amount of legitimate-looking traffic to compromise the server. Detecting or blocking such clever attacks by only using anomalous traffic statistics has become difficult, and devising countermeasures has been mostly left to the victim server. In this paper, we investigate how a software-defined network (SDN) can be utilized to overcome the difficulty and effectively block legitimate looking DDoS attacks mounted by a larger number of bots. Specifically, we discuss a DDoS blocking application that runs over the SDN controller while using the standard OpenFlow interface.
TL;DR: This paper structures existing botnet literature into three comprehensive taxonomies of botnet behavioral features, detection and defenses, and introduces the notion of a dimension to denote different criteria which can be used to classify botnet detection techniques.
Abstract: A number of detection and defense mechanisms have emerged in the last decade to tackle the botnet phenomenon. It is important to organize this knowledge to better understand the botnet problem and its solution space. In this paper, we structure existing botnet literature into three comprehensive taxonomies of botnet behavioral features, detection and defenses. This elevated view highlights opportunities for network defense by revealing shortcomings in existing approaches. We introduce the notion of a dimension to denote different criteria which can be used to classify botnet detection techniques. We demonstrate that classification by dimensions is particularly useful for evaluating botnet detection mechanisms through various metrics of interest. We also show how botnet behavioral features from the first taxonomy affect the accuracy of the detection approaches in the second taxonomy. This information can be used to devise integrated detection strategies by combining complementary approaches. To provide real-world context, we liberally augment our discussions with relevant examples from security research and products.
TL;DR: This paper studies how clients in real-world networks download and install malware, and presents Nazca, a system that detects infections in large scale networks and looks at the telltale signs of the malicious network infrastructures that orchestrate these malware installers.
Abstract: Malware remains one of the most significant security threats on the Internet. Antivirus solutions and blacklists, the main weapons of defense against these attacks, have only been (partially) successful. One reason is that cyber-criminals take active steps to bypass defenses, for example, by distributing constantly changing (obfuscated) variants of their malware programs, and by quickly churning through domains and IP addresses that are used for distributing exploit code and botnet commands. We analyze one of the core tasks that malware authors have to achieve to be successful: They must distribute and install malware programs onto as many victim machines as possible. A main vector to accomplish this is through drive-by download attacks where victims are lured onto web pages that launch exploits against the users' web browsers and their components. Once an exploit is successful, the injected shellcode automatically downloads and launches the malware program. While a significant amount of previous work has focused on detecting the drive-by exploit step and the subsequent network traffic produced by malware programs, little attention has been paid to the intermediate step where the malware binary is downloaded. In this paper, we study how clients in real-world networks download and install malware, and present Nazca, a system that detects infections in large scale networks. Nazca does not operate on individual connections, nor looks at properties of the downloaded programs or the reputation of the servers hosting them. Instead, it looks at the telltale signs of the malicious network infrastructures that orchestrate these malware installations, which become apparent when looking at the collective traffic produced by many users in a large network. Being content agnostic, Nazca does not suffer from coverage gaps in reputation databases (blacklists), and is not susceptible to code obfuscation. We have run Nazca on seven days of traffic from a large Internet Service Provider, where it has detected previously-unseen malware with very low false positive rates.
TL;DR: A novel flow-based detection system that relies on supervised machine learning for identifying botnet network traffic, showing that in order to achieve accurate detection, traffic flows need to be monitored for only a limited time period and number of packets per flow.
Abstract: Botnet detection represents one of the most crucial prerequisites of successful botnet neutralization. This paper explores how accurate and timely detection can be achieved by using supervised machine learning as the tool for inferring malicious botnet traffic. In order to do so, the paper introduces a novel flow-based detection system that relies on supervised machine learning for identifying botnet network traffic. For use in the system we consider eight highly regarded machine learning algorithms, indicating the best performing one. Furthermore, the paper evaluates how much traffic needs to be observed per flow in order to capture the patterns of malicious traffic. The proposed system has been tested through a series of experiments using traffic traces originating from two well-known P2P botnets and diverse non-malicious applications. The results of the experiments indicate that the system is able to accurately and promptly detect botnet traffic using purely flow-based traffic analysis and supervised machine learning. Additionally, the results show that in order to achieve accurate detection, traffic flows need to be monitored for only a limited time period and number of packets per flow. This indicates a strong potential for using the proposed approach within a future on-line detection framework.
TL;DR: This survey analyzes and compares the most important efforts carried out in a network-based detection area and concludes that the area has achieved great advances so far, but there are still many open problems.
TL;DR: This paper proposes to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains.
Abstract: In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.
TL;DR: A comprehensive review of the latest state-of-the-art techniques for botnet detection identifies the trends of previous and current research, provides a thematic taxonomy for the classification of botnet detection techniques, and highlights the implications and critical aspects by qualitatively analyzing such techniques.
Abstract: In recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, the integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious code. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and identifies the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.
TL;DR: A Graph-based Malware Activity Detection mechanism that utilizes a sequence of DNS queries in order to achieve robustness against evasion techniques, and it is shown that the proposed method is effective for detecting multi-domain malware activities irrespective of evasion techniques.
TL;DR: A simple Bayesian game-theoretic model of allocating defensive (scanning) effort among nodes of a network in which a network's defender does not know the adversary's motivation for intruding on the network is proposed.
Abstract: Network security against possible attacks involves making decisions under uncertainty. Not only may one be ignorant of the place, the power, or the time of potential attacks, one may also be largely ignorant of the attacker's purpose. To illustrate this phenomenon, this paper proposes a simple Bayesian game-theoretic model of allocating defensive (scanning) effort among nodes of a network in which a network's defender does not know the adversary's motivation for intruding on the network, e.g., to bring the maximal damage to the network (for example, to steal credit card numbers or information on bank accounts stored there) or to infiltrate the network for other purposes (for example, to corrupt nodes for a further distributed denial of service botnet attack on servers). Due to limited defensive capabilities, the defender faces the dilemma of either: 1) focusing on increasing defense of the most valuable nodes, and in turn, increasing the chance for the adversary to sneak into the network through less valuable nodes, or 2) taking care of defense of all the nodes, and in turn, reducing the level of defense of the most valuable ones. An explicit solution to this dilemma is suggested based on the information available to the defender, and it is shown how this information allows the authorities to increase the efficiency of a network's defense. Some interesting properties of the rivals' strategies are presented. Notably, the adversary's strategy has a node-sharing structure and the adversary's payoffs have a discontinuous dependence on the probability of the attack's type. This discontinuity implies that the defender has to take into account the human factor, since some threshold values of this inclination in the adversary's behavior could make the defender's policy very sensitive to small perturbations, while in other situations it produces minimal impact.
TL;DR: The authors proposed a model that allows digital forensic readiness to be achieved by implementing a Botnet as a service (BaaS) in a cloud environment.
Abstract: Cloud forensics has become an inexorable and transformative discipline in the modern world. The need to share a pool of resources and to extract digital evidence from the same distributed resources to be presented in a court of law has become a subject of focus. Forensic readiness is a pro-active process that entails digital preparedness that an organisation uses to gather, store and handle incident-responsive data with the aim of reducing post-event response by digital forensics investigators. Forensic readiness in the cloud can be achieved by implementing a botnet with non-malicious code as opposed to malicious code. The botnet still infects instances of virtual computers within the cloud, however, with good intentions as opposed to bad intentions. The botnet is, effectively, implemented as a service that harvests digital information that can be preserved as admissible and submissive potential digital evidence. In this paper, the authors' problem is that there are no techniques that exist for gathering information in the cloud for digital forensic readiness purposes as described in the international standard for digital forensic investigations (ISO/IEC 27043). The authors proposed a model that allows digital forensic readiness to be achieved by implementing a Botnet as a service (BaaS) in a cloud environment.
TL;DR: The experimental results indicated that the method can be used for identifying the essential botnet features and that the performance of the proposed method was superior to that of genetic algorithms.
Abstract: Because of the advances in Internet technology, the applications of the Internet of Things have become a crucial topic. The number of mobile devices used globally increases substantially every day; therefore, information security concerns are increasingly vital. The botnet virus is a major threat to both personal computers and mobile devices; therefore, a method of botnet feature characterization is proposed in this study. The proposed method is a classification model in which an artificial fish swarm algorithm and a support vector machine are combined. A LAN environment in which several computers had been infected by the botnet virus was simulated for testing this model; the packet data of the network flows was also collected. The proposed method was used to identify the critical features that determine the pattern of a botnet. The experimental results indicated that the method can be used for identifying the essential botnet features and that the performance of the proposed method was superior to that of genetic algorithms.
TL;DR: This paper monitors C&C servers of 14 DirtJumper and Yoddos botnets and records the DDoS targets of these networks, and evaluates the availability of the victims, showing that more than 65% of the victims are severely affected by the attacks.
Abstract: Miscreants use DDoS botnets to attack a victim via a large number of malware-infected hosts, combining the bandwidth of the individual PCs. Such botnets have thus a high potential to render targeted services unavailable. However, the actual impact of attacks by DDoS botnets has never been evaluated. In this paper, we monitor C&C servers of 14 DirtJumper and Yoddos botnets and record the DDoS targets of these networks. We then aim to evaluate the availability of the DDoS victims, using a variety of measurements such as TCP response times and analyzing the HTTP content. We show that more than 65% of the victims are severely affected by the DDoS attacks, while also a few DDoS attacks likely failed.
TL;DR: Autoprobe is a novel system to automatically generate effective and efficient fingerprints of remote malicious servers that is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.
Abstract: Malware continues to be one of the major threats to Internet security. In the battle against cybercriminals, accurately identifying the underlying malicious server infrastructure (e.g., C&C servers for botnet command and control) is of vital importance. Most existing passive monitoring approaches cannot keep up with the highly dynamic, ever-evolving malware server infrastructure. As an effective complementary technique, active probing has recently attracted attention due to its high accuracy, efficiency, and scalability (even to the Internet level). In this paper, we propose Autoprobe, a novel system to automatically generate effective and efficient fingerprints of remote malicious servers. Autoprobe addresses two fundamental limitations of existing active probing approaches: it supports pull-based C&C protocols, used by the majority of malware, and it generates fingerprints even in the common case when C&C servers are not alive during fingerprint generation. Using real-world malware samples we show that Autoprobe can successfully generate accurate C&C server fingerprints through novel applications of dynamic binary analysis techniques. By conducting Internet-scale active probing, we show that Autoprobe can successfully uncover hundreds of malicious servers on the Internet, many of them unknown to existing blacklists. We believe Autoprobe is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.
TL;DR: The test looks only at aggregate control plane traffic behavior, which makes it more scalable than techniques that involve deep packet inspection (DPI) or tracking the communication flows of different hosts, and verified the periodic behavior of two types of botnet, tinyP2P and IRC that are generated by SLINGbot.
TL;DR: A behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimate traffic regardless of the various types of attack packets and methods is proposed.
Abstract: In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimate traffic regardless of the various types of attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft their traffic to resemble flash crowd events and thereby fly under the victim's radar. We notice that DDoS attacks have repeatable patterns which are different from legitimate flash crowd traffic. In this paper, we propose comparable detection methods based on the Pearson's correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in DDoS traffic but not in flash crowd traffic. Extensive simulations were run to optimize the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffic.
TL;DR: This paper investigates mobile botnet attacks by exploring attack vectors and a subsequent presentation of a well-defined thematic taxonomy, and conducts a comparison to explore effects of existing mobile botnets on commercial as well as open source mobile operating system platforms.
Abstract: Mobile botnets have recently evolved owing to the rapid growth of smartphone technologies. The implications of botnets have inspired attention from academia and industry alike, which includes vendors, investors, hackers and the researcher community. Above all, the capability of botnets is exploited in a wide range of criminal activities, such as Distributed Denial of Service (DDoS) attacks, stealing business information, remote access, online/click fraud, phishing, malware distribution, spam emails, and building mobile devices for illegitimate exchange of information/materials. In this paper, we investigate mobile botnet attacks by exploring attack vectors and a subsequent presentation of a well-defined thematic taxonomy. Through identification of significant parameters from the taxonomy, we conduct a comparison to explore the effects of existing mobile botnets on commercial as well as open source mobile operating system platforms. The parameters for comparison include mobile botnet architecture, platform, target audience, vulnerabilities/loopholes, operational impact and detection approaches. Related to our findings, we present open research challenges in this domain.
TL;DR: A general behavioral characterization of proximity malware is proposed based on a naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spam and detecting botnets, and two extensions to look ahead, dogmatic filtering and adaptive look ahead, are proposed to address the challenge of "malicious nodes sharing false evidence."
Abstract: The delay-tolerant-network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct. Proximity malware is a class of malware that exploits the opportunistic contacts and distributed nature of DTNs for propagation. Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware. In this paper, we first propose a general behavioral characterization of proximity malware based on a naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spam and detecting botnets. We identify two unique challenges for extending Bayesian malware detection to DTNs ("insufficient evidence versus evidence collection risk" and "filtering false evidence sequentially and distributedly"), and propose a simple yet effective method, look ahead, to address the challenges. Furthermore, we propose two extensions to look ahead, dogmatic filtering and adaptive look ahead, to address the challenge of "malicious nodes sharing false evidence." Real mobile network traces are used to verify the effectiveness of the proposed methods.
TL;DR: BOTHOUND outperforms prior work on identifying HTTP-based botnets, being able to detect a large variety of real-world HTTP- based malware, including advanced persistent threats used in targeted attacks, with a very low percentage of classification errors.
Abstract: Malicious software and especially botnets are among the most important security threats on the Internet. Thus, the accurate and timely detection of such threats is of great importance. Detecting machines infected with malware by identifying their malicious activities at the network level is an appealing approach, due to the ease of deployment. Nowadays, the most common communication channels used by attackers to control the infected machines are based on the HTTP protocol. To evade detection, HTTP-based malware adapts its behavior to the communication patterns of benign HTTP clients, such as web browsers. This poses significant challenges to existing detection approaches like signature-based and behavioral-based detection systems. In this paper, we propose BOTHOUND: a novel approach to precisely detect HTTP-based malware at the network level. The key idea is that implementations of the HTTP protocol by different entities have small but perceivable differences. Building on this observation, BOTHOUND automatically generates models for malicious and benign requests and classifies in real time the HTTP traffic of a monitored network. Our evaluation results demonstrate that BOTHOUND outperforms prior work on identifying HTTP-based botnets, being able to detect a large variety of real-world HTTP-based malware, including advanced persistent threats used in targeted attacks, with a very low percentage of classification errors.
TL;DR: This work aims to detect HTTP-based botnet activity based on botnet behaviour analysis via a machine learning approach and shows that a C4.5 learning algorithm based classifier obtained very promising performance on detecting HTTP-based botnet activity.
Abstract: Botnets are one of the most destructive threats to cyber security. Recently, the HTTP protocol has been frequently utilized by botnets as the Command and Communication (C&C) protocol. In this work, we aim to detect HTTP-based botnet activity based on botnet behaviour analysis via a machine learning approach. To achieve this, we employ flow-based network traffic utilizing NetFlow (via softflowd). The proposed botnet analysis system is implemented by employing two different machine learning algorithms, C4.5 and Naive Bayes. Our results show that the C4.5 learning algorithm based classifier obtained very promising performance on detecting HTTP-based botnet activity.
TL;DR: The results of the Citadel reverse engineering and additional insight into the functionality, inner workings, and open source components of the malware are presented and a clone-based analysis methodology is proposed that can help reduce the number of functions requiring manual analysis.
Abstract: Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.
TL;DR: This work focuses on a new more robust and scalable botnet-based command and control architecture, aiming at wiping off any rigid master-slave relationship and autonomizing the bot operating roles, with significant agility gains in the whole overlay communication infrastructure.
TL;DR: It is shown that the use of Tor does not, in fact, fully guarantee the anonymity features required by botnets that are still detectable and susceptible to attacks.
Abstract: Botmasters have lately focused their attention to the Tor network to provide the botnet command-and-control (C&C) servers with anonymity. The C&C constitutes the crucial part of the botnet infrastructure, and hence needs to be protected. Even though Tor provides such an anonymity service, it also exposes the botnet activity due to recognizable patterns. On the one hand, the bot using Tor is detectable due to the characteristic network traffic, and the ports used. Moreover, the malware needs to download the Tor client at infection time. The act of downloading the software is itself peculiar and detectable. On the other hand, centralized C&C servers attract a lot of communication from all the bots. This behaviour exposes the botnet and the anomaly can be easily identified in the network. This paper analyses how the Tor network is currently used by botmasters to guarantee C&C anonymity. Furthermore, we address the problems that still afflict Tor-based botnets. Finally, we show that the use of Tor does not, in fact, fully guarantee the anonymity features required by botnets that are still detectable and susceptible to attacks.
TL;DR: The classification methodology including attribute and data selections was drawn based on the well-known classification schemes, i.e., Decision Tree, Ripper Rule, Neural Networks, Naïve Bayes, k-Nearest-Neighbour, and Support Vector Machine, for intrusion detection analysis using both KDD CUP dataset and recent HTTP BOTNET attacks.
Abstract: Due to the rapid growth of the Internet, the number of network attacks has risen, making network intrusion detection systems (IDS) essential to secure the network. With heterogeneous accesses and huge traffic volumes, several pattern identification techniques have been brought into the research community. Data mining is one of the analysis techniques that many IDSs have adopted as an attack recognition scheme. Thus, in this paper, the classification methodology, including attribute and data selection, was drawn based on the well-known classification schemes, i.e., Decision Tree, Ripper Rule, Neural Networks, Naive Bayes, k-Nearest-Neighbour, and Support Vector Machine, for intrusion detection analysis using both the KDD CUP dataset and recent HTTP BOTNET attacks. Performance of the evaluation was measured using recent Weka tools with standard cross-validation and a confusion matrix.
TL;DR: A new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system is presented.
Abstract: Botnets, which are networks of compromised machines under the control of a single malicious entity, are a serious threat to online security. The fact that botnets, by definition, receive their commands from a single entity can be leveraged to fight them. To this end, one requires techniques that can detect command and control (C&C) traffic, as well as the servers that host C&C services. Given the knowledge of a C&C server's IP address, one can use this information to detect all hosts that attempt to contact such a server, and subsequently disinfect, disable, or block the infected machines. This information can also be used by law enforcement to take down the C&C server. In this paper, we present a new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system. This approach works in two steps. First, we extract all frequent strings seen in the network traffic. Second, we use a function that assigns a score to each string. This score represents the likelihood that the string is indicative of C&C traffic. This function allows us to rank strings and focus our attention on those that likely represent good C&C signatures. We apply our technique to almost 2.6 million network connections produced by running more than 1.4 million malware samples. Using our technique, we were able to automatically extract a set of signatures that are able to identify C&C traffic. Furthermore, we compared our signatures with those used by existing tools, such as Snort and BotHunter.
TL;DR: A novel method for malware development and novel attack techniques such as mobile botnets, usage pattern based attacks and repackaging attacks are reported and the possible countermeasures are proposed.
Abstract: Smartphones are rising in popularity as well as becoming more sophisticated over recent years. This popularity, coupled with the fact that smartphones contain a lot of private user data, is causing a proportional rise in different kinds of malware for the platform. In this paper we analyze and classify state-of-the-art malware techniques and their countermeasures. The paper also reports a novel method for malware development and novel attack techniques such as mobile botnets, usage pattern based attacks and repackaging attacks. The possible countermeasures are also proposed. Then a detailed analysis of one of the proposed novel malware methods is explained. Finally, the paper concludes with a summary.
TL;DR: This paper categorizes anomaly traffic detection systems by process and by capability focus; the capability focus follows each main research problem to be solved: detecting only anomalies, recognizing types of anomaly, and prevention systems that include a process to overcome the attack.
Abstract: Research has been conducted to overcome Distributed Denial of Service (DDoS) flooding attacks. Besides the use of signature based detection, anomaly based detection is also used to detect the attack. Several methods such as statistics, information theory, data mining and forecasting have been proposed. Several studies focused only on detecting the traffic anomaly, not on recognizing the type of anomaly detected, such as flash crowd, type of botnet, type of DDoS, and the prevention action. In this paper we categorize anomaly traffic detection systems by process and by capability focus. The anomaly detection system process includes traffic features, preprocessing, and the detection process. The capability focus is based on each main research problem to be solved: detecting only anomalies, recognizing types of anomaly, and prevention systems that include a process to overcome the attack. At the end of the paper, we provide an overview of research directions and opportunities for future research.
TL;DR: This paper leverages prior community detection and graphical modeling work by propagating threat probabilities across network nodes, given an initial set of known malicious nodes, and demonstrates the effectiveness of probabilistic threat propagation on the tasks of detecting botnets and malicious web destinations.
Abstract: Techniques for network security analysis have historically focused on the actions of the network hosts. Outside of forensic analysis, little has been done to detect or predict malicious or infected nodes strictly based on their association with other known malicious nodes. This methodology is highly prevalent in the graph analytics world, however, and is referred to as community detection. In this paper, we present a method for detecting malicious and infected nodes on both monitored networks and the external Internet. We leverage prior community detection and graphical modeling work by propagating threat probabilities across network nodes, given an initial set of known malicious nodes. We enhance prior work by employing constraints that remove the adverse effect of cyclic propagation that is a byproduct of current methods. We demonstrate the effectiveness of probabilistic threat propagation on the tasks of detecting botnets and malicious web destinations.