TL;DR: The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.
Abstract: The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity with which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Abstract: The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity with which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.
TL;DR: Recent distributed denial-of-service attacks demonstrate the high vulnerability of Internet of Things (IoT) systems and devices; addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.
Abstract: Recent distributed denial-of-service attacks demonstrate the high vulnerability of Internet of Things (IoT) systems and devices. Addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.
TL;DR: This paper uncovers a network of Twitterbots comprising 13,493 accounts that tweeted about the U.K. E.U. membership referendum only to disappear from Twitter shortly after the ballot, and shows that Twitterbots can be effective at rapidly generating small to medium-sized cascades.
Abstract: In this paper we uncover a network of Twitterbots comprising 13,493 accounts that tweeted about the U.K. E.U. membership referendum, only to disappear from Twitter shortly after the ballot. We compare active users to this set of political bots with respect to temporal tweeting behavior, the size and speed of retweet cascades, and the composition of their retweet cascades (user-to-bot vs. bot-to-bot) to evidence strategies for bot deployment. Our results move forward the analysis of political bots by showing that Twitterbots can be effective at rapidly generating small to medium-sized cascades; that the retweeted content comprises user-generated hyperpartisan news, which is not strictly fake news, but whose shelf life is remarkably short; and, finally, that a botnet may be organized in specialized tiers or clusters dedicated to replicating either active users or content generated by other bots.
TL;DR: A comprehensive state-of-the-art review of the IoT botnet landscape and the underlying reasons for its success is offered, with a particular focus on Mirai and major similar worms.
Abstract: The rapidly growing presence of Internet of Things (IoT) devices is becoming a continuously alluring playground for malicious actors who try to harness their vast numbers and diverse locations. One of their primary goals is to assemble botnets that can serve their nefarious purposes, ranging from Denial of Service (DoS) to spam and advertisement fraud. The most recent example that highlights the severity of the problem is the Mirai family of malware, which is accountable for a plethora of massive DDoS attacks of unprecedented volume and diversity. The aim of this paper is to offer a comprehensive state-of-the-art review of the IoT botnet landscape and the underlying reasons for its success, with a particular focus on Mirai and major similar worms. To this end, we provide extensive details on the internal workings of IoT malware, examine their interrelationships, and elaborate on the possible strategies for defending against them.
TL;DR: The anatomy of IoT botnets and their basic mode of operation are outlined, and some of the major DDoS incidents using IoT botnets in recent times are discussed along with the corresponding exploited vulnerabilities.
Abstract: The Internet of Things (IoT) is the next big evolutionary step in the world of the Internet. The main intention behind the IoT is to enable safer living and risk mitigation on different levels of life. With the advent of IoT botnets, the view of IoT devices has changed from enabler of enhanced living into an Internet of vulnerabilities for cyber criminals. IoT botnets have exposed two glaring issues: 1) a large number of IoT devices are accessible over the public Internet; 2) security (if considered at all) is often an afterthought in the architecture of many widespread IoT devices. In this article, we briefly outline the anatomy of IoT botnets and their basic mode of operation. Some of the major DDoS incidents using IoT botnets in recent times are discussed along with the corresponding exploited vulnerabilities. We also provide remedies and recommendations to mitigate IoT-related cyber risks and briefly illustrate the importance of cyber insurance in the modern connected world.
TL;DR: This study proposes a novel botnet detection methodology based on topological features of nodes within a graph: in degree, out degree, in degree weight, out degree weight, clustering coefficient, node betweenness, and eigenvector centrality.
Abstract: Detecting botnets in a network is crucial because bots impact numerous areas such as cyber security, finance, health care, law enforcement, and more. Botnets are becoming more sophisticated and dangerous day-by-day, and most of the existing rule based and flow based detection methods may not be capable of detecting bot activities in an efficient and effective manner. Hence, designing a robust and fast botnet detection method is of high significance. In this study, we propose a novel botnet detection methodology based on topological features of nodes within a graph: in degree, out degree, in degree weight, out degree weight, clustering coefficient, node betweenness, and eigenvector centrality. A self-organizing map clustering method is applied to establish clusters of nodes in the network based on these features. Our method is capable of isolating bots in clusters of small sizes while containing the majority of normal nodes in the same big cluster. Thus, bots can be detected by searching a limited number of nodes. A filtering procedure is also developed to further enhance the algorithm efficiency by removing inactive nodes from consideration. The methodology is verified using the CTU-13 datasets, and benchmarked against a classification-based detection method. The results show that our proposed method can efficiently detect the bots despite their varying behaviors.
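Added example (not the paper's code): the seven node features named in the abstract, computed with plain Python from a constructed set of unidirectional flow records. The self-organizing-map clustering step is not reproduced; the block only builds the feature vectors, which is the part a practitioner has to get right before any clustering. Hosts 10.0.0.1-6, the C&C at 10.0.0.99, and the DNS and web servers are assumptions made for the sample data.

```python
"""Per-node topological features from flow records: in/out degree, in/out
byte weight, clustering coefficient, betweenness and eigenvector centrality.
Added example, not the paper's implementation; no third-party libraries."""
from collections import defaultdict
from itertools import combinations

# Constructed flow records (src, dst, bytes); not real traffic. Hosts
# 10.0.0.1-6 are hypothetical bots that beacon to a hypothetical C&C at
# 10.0.0.99 (which answers them) while also using the site's DNS and web
# servers exactly like the two clean hosts 10.0.0.7-8 do.
BOTS = [f"10.0.0.{i}" for i in range(1, 7)]
CLEAN = ["10.0.0.7", "10.0.0.8"]
CNC, DNS, WEB = "10.0.0.99", "10.0.0.53", "203.0.113.10"
FLOWS = []
for b in BOTS:
    FLOWS += [(b, CNC, 300), (CNC, b, 80), (b, DNS, 120), (b, WEB, 5000)]
for h in CLEAN:
    FLOWS += [(h, DNS, 120), (h, WEB, 5000)]
FLOWS.append((WEB, DNS, 90))  # the web server resolves names as well


def build_graph(flows):
    """Directed neighbour sets and byte weights, plus an undirected view."""
    out_nbrs, in_nbrs = defaultdict(set), defaultdict(set)
    out_w, in_w = defaultdict(int), defaultdict(int)
    und = defaultdict(set)
    for src, dst, nbytes in flows:
        out_nbrs[src].add(dst)
        in_nbrs[dst].add(src)
        out_w[src] += nbytes
        in_w[dst] += nbytes
        und[src].add(dst)
        und[dst].add(src)
    return sorted(und), out_nbrs, in_nbrs, out_w, in_w, und


def clustering(und, v):
    """Fraction of a node's neighbour pairs that are themselves connected."""
    k = len(und[v])
    if k < 2:
        return 0.0
    links = sum(1 for a, b in combinations(und[v], 2) if b in und[a])
    return 2.0 * links / (k * (k - 1))


def betweenness(nodes, und):
    """Brandes' algorithm on the undirected, unweighted graph."""
    bc = {v: 0.0 for v in nodes}
    for s in nodes:
        stack, queue = [], [s]
        pred = {v: [] for v in nodes}
        sigma = {v: 0 for v in nodes}
        sigma[s] = 1
        dist = {v: -1 for v in nodes}
        dist[s] = 0
        while queue:                       # BFS counting shortest paths
            v = queue.pop(0)
            stack.append(v)
            for w in und[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in nodes}
        while stack:                       # back-propagate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: bc[v] / 2.0 for v in nodes}  # each undirected pair was counted twice


def eigenvector(nodes, und, iters=200):
    """Power iteration on (A + I); the shift avoids oscillation on bipartite-like graphs."""
    x = {v: 1.0 for v in nodes}
    for _ in range(iters):
        nxt = {v: x[v] + sum(x[u] for u in und[v]) for v in nodes}
        top = max(nxt.values())
        x = {v: nxt[v] / top for v in nodes}
    return x


def node_features(flows):
    """The seven features from the abstract, keyed by node address."""
    nodes, out_nbrs, in_nbrs, out_w, in_w, und = build_graph(flows)
    bc, ev = betweenness(nodes, und), eigenvector(nodes, und)
    return {v: {"in_degree": len(in_nbrs[v]), "out_degree": len(out_nbrs[v]),
                "in_weight": in_w[v], "out_weight": out_w[v],
                "clustering": clustering(und, v), "betweenness": bc[v],
                "eigenvector": ev[v]} for v in nodes}


def rank(features, key):
    """Node addresses sorted by one feature, highest first."""
    return sorted(features, key=lambda v: features[v][key], reverse=True)


if __name__ == "__main__":
    feats = node_features(FLOWS)
    for v in rank(feats, "in_weight"):
        print(v, {k: round(val, 3) for k, val in feats[v].items()})
```

On the constructed data the bots share a feature vector that differs from the clean hosts in a way a clustering step can pick up: their clustering coefficient is 1/3 (the C&C talks to nobody else in their neighbourhood) while the clean hosts score 1.0, and the C&C itself has a clustering coefficient of 0 with in-degree equal to the bot count.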
TL;DR: The role of ML techniques in developing a network forensic mechanism based on network flow identifiers that can track suspicious botnet activities is investigated; the results reveal that ML techniques with flow identifiers can effectively and efficiently detect botnet attacks and their tracks.
Abstract: The IoT is a network of interconnected everyday objects called “things” that have been augmented with a small measure of computing capability. Lately, the IoT has been affected by a variety of botnet activities. Botnets have caused serious security risks and financial damage over the years, yet existing network forensic techniques cannot identify and track the current sophisticated methods of botnets. This is because commercial tools mainly depend on signature-based approaches that cannot discover new forms of botnet. In the literature, several studies have used Machine Learning (ML) techniques to train and validate a model for identifying such attacks, but they still produce high false alarm rates and face the challenge of investigating the tracks of botnets. This paper investigates the role of ML techniques in developing a network forensic mechanism based on network flow identifiers that can track suspicious botnet activities. The experimental results using the UNSW-NB15 dataset revealed that ML techniques with flow identifiers can effectively and efficiently detect botnet attacks and their tracks.
TL;DR: This paper is the first survey to discuss DNS-based botnet detection techniques; it explores and clarifies the problems, existing solutions and future research directions in botnet detection based on DNS traffic analysis.
Abstract: Botnets are a thorny and grave problem of today's Internet, resulting in economic damage for organizations and individuals. A botnet is a group of compromised hosts, known as bots, running a malicious software program for malicious purposes. It is also worth mentioning that the current trend of botnets is to hide their identities (i.e., the command and control server) using DNS services to hinder their identification. Fortunately, different approaches have been proposed and developed to tackle the problem of botnets; however, the problem still rises and emerges, causing a serious threat to cyberspace-based businesses and individuals. Therefore, this paper explores the various botnet detection techniques by providing a survey of the current state of the art in botnet detection based on DNS traffic analysis. To the best of our knowledge, this is the first survey to discuss DNS-based botnet detection techniques; it explores and clarifies the problems, existing solutions and future research directions in this field so that effective botnet detection mechanisms can be built in the future.
TL;DR: A novel two-stage approach for the important cybersecurity problem of detecting the presence of a botnet and identifying the compromised nodes (the bots) ideally before the botnet becomes active, and establishes sharp bounds on the suboptimality gap.
Abstract: We introduce a novel two-stage approach for the important cybersecurity problem of detecting the presence of a botnet and identifying the compromised nodes (the bots), ideally before the botnet becomes active. The first stage detects anomalies by leveraging large deviations of an empirical distribution. We propose two approaches to create the empirical distribution: 1) a flow-based approach estimating the histogram of quantized flows and 2) a graph-based approach estimating the degree distribution of node interaction graphs, encompassing both Erdős-Rényi graphs and scale-free graphs. The second stage detects the bots using ideas from social network community detection in a graph that captures correlations of interactions among nodes over time. Community detection is performed by maximizing a modularity measure in this graph. The modularity maximization problem is nonconvex. We propose a convex relaxation, an effective randomization algorithm, and establish sharp bounds on the suboptimality gap. We apply our method to real-world botnet traffic and compare its performance with other methods.
TL;DR: This study proposes a DGA-based botnet detection scheme, designated DBod, based on an analysis of the query behavior of DNS traffic; the results show that DBod provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks.
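Added example for the two DNS-based entries above (the DNS-traffic survey and the DBod DGA scheme); it is not code from either paper and DBod's actual features and thresholds are not reproduced. It profiles the query behavior of each client from constructed resolver log lines: NXDOMAIN ratio, mean Shannon entropy of the registrable label, and query count. The log format, the IP addresses and the thresholds are assumptions.

```python
"""Per-client DNS query-behaviour profile for spotting DGA-style lookups.
Added example, not the surveyed papers' code; thresholds are illustrative."""
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "timestamp client qname rcode".
# 10.0.0.5 browses normally, 10.0.0.9 behaves like a bot cycling through
# algorithmically generated names until one resolves, 10.0.0.12 makes a typo.
LOG = """\
2016-10-21T07:00:01 10.0.0.5 www.example.com NOERROR
2016-10-21T07:00:02 10.0.0.5 mail.example.org NOERROR
2016-10-21T07:00:03 10.0.0.5 cdn.example.net NOERROR
2016-10-21T07:00:04 10.0.0.5 www.wikipedia.org NOERROR
2016-10-21T07:00:05 10.0.0.5 api.github.com NOERROR
2016-10-21T07:00:06 10.0.0.5 login.microsoft.com NOERROR
2016-10-21T07:00:01 10.0.0.9 xk3jd9qlsmv2.com NXDOMAIN
2016-10-21T07:00:01 10.0.0.9 q7wvzp0ctrla.net NXDOMAIN
2016-10-21T07:00:02 10.0.0.9 m4nbyt1hgfe8.com NXDOMAIN
2016-10-21T07:00:02 10.0.0.9 zr6ksd3pqwu5.org NXDOMAIN
2016-10-21T07:00:03 10.0.0.9 h9tlmc2vxnb7.com NXDOMAIN
2016-10-21T07:00:03 10.0.0.9 bw5jqzr8kdty.net NXDOMAIN
2016-10-21T07:00:04 10.0.0.9 g2pxvn4slmhc.com NXDOMAIN
2016-10-21T07:00:04 10.0.0.9 t8ydkq6rwmzj.com NOERROR
2016-10-21T07:00:07 10.0.0.12 www.exmaple.com NXDOMAIN
2016-10-21T07:00:08 10.0.0.12 www.example.com NOERROR
"""


def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld(qname):
    """Registrable label, naively the second label from the right.
    Assumption: no multi-label public suffixes (e.g. co.uk) in the input;
    a real deployment would consult the public suffix list."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse(log):
    """(timestamp, client, qname, rcode) tuples from the log text."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        rows.append((ts, client, qname.lower(), rcode))
    return rows


def client_profiles(rows):
    """Aggregate per client: query count, NXDOMAIN ratio, mean SLD entropy, distinct SLDs."""
    per = defaultdict(list)
    for _, client, qname, rcode in rows:
        per[client].append((qname, rcode))
    profiles = {}
    for client, qs in per.items():
        slds = [sld(q) for q, _ in qs]
        profiles[client] = {
            "queries": len(qs),
            "nx_ratio": sum(1 for _, r in qs if r == "NXDOMAIN") / len(qs),
            "mean_entropy": sum(entropy(s) for s in slds) / len(slds),
            "distinct_sld": len(set(slds)),
        }
    return profiles


def flag_clients(profiles, min_queries=5, nx_ratio=0.5, mean_entropy=3.0):
    """Clients that look like DGA bots: enough queries, mostly NXDOMAIN,
    high-entropy names. min_queries keeps a host with a typo from being flagged."""
    return sorted(c for c, p in profiles.items()
                  if p["queries"] >= min_queries
                  and p["nx_ratio"] >= nx_ratio
                  and p["mean_entropy"] >= mean_entropy)


if __name__ == "__main__":
    prof = client_profiles(parse(LOG))
    for client, p in prof.items():
        print(client, {k: round(v, 3) for k, v in p.items()})
    print("suspect clients:", flag_clients(prof))
```

The caveats the survey points at show up even in this toy: the typo client has a 50% NXDOMAIN ratio and would be flagged without the minimum query count, and entropy alone misfires on legitimate CDN or cloud hostnames, which is why per-client aggregation over time is used rather than per-query scoring.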
TL;DR: Challenges to cybersecurity in the IoT environment are discussed, the characteristics of the IoT cyber ecosystem that make it vulnerable to botnets are examined, and a deep dive into the recently discovered IoT-based Mirai botnet malware is made.
Abstract: The Internet of Things (IoT), a platform and phenomenon allowing everything to process information and communicate data, is populated by ‘things’ which are introducing a multitude of new security vulnerabilities to the cyber-ecosystem. These vulnerable ‘things’ typically lack the ability to support security technologies because of the need for lightweight designs and a rush to market. There have recently been several high-profile Distributed Denial of Service (DDoS) attacks which utilized a botnet army of IoT devices. We first discuss challenges to cybersecurity in the IoT environment. We then examine the use of IoT botnets and the characteristics of the IoT cyber ecosystem that make it vulnerable to botnets, and make a deep dive into the recently discovered IoT-based Mirai botnet malware. Finally, we consider options to mitigate the risk of IoT devices being conscripted into a botnet army.
TL;DR: This paper introduces an edge-oriented detection/mitigation scheme against DDoS in IoT using software-defined networking (SDN) and fog approaches, with Mirai as the case study.
Abstract: Industries, people's activities and urban infrastructure rely more and more on "Internet of Things" (IoT) devices for all kinds of activities and operations. Although securing a computer network has always been a difficult task, it transmutes into a massive challenge with the exponentially growing network size and heterogeneity of these systems. A recent example in that vein is a major security violation in the form of DDoS attacks performed by a huge number of IoT devices infected with a botnet called "Mirai". Moreover, the role of these devices as control, sensing and communication substrate in critical infrastructures aggravates such problems. Nevertheless, there are some new networking concepts and technologies which promise to offer remedies for the aforementioned challenges; one is software-defined networking (SDN) and another is fog computing, which primarily provide global network control and local services, respectively. In this paper, we introduce an edge-oriented detection/mitigation scheme against DDoS in IoT using SDN and fog approaches, with Mirai as the case study.
TL;DR: The authors reviewed the Mirai source code and devised a tactic that uses the same compromise vector as the Mirai botnet to catalog vulnerable IoT devices and motivate operators to address their poor security practices; experimental results indicate feasibility.
Abstract: Botnets composed of IoT devices have been on the rise recently, with attacks originating from compromised refrigerators, DVRs, security cameras, and other consumer networking equipment. Most owners of these devices are neither security aware nor motivated to secure their IoT devices. Manufacturers of these devices are not currently motivated by market forces or regulatory requirements to improve the security of their products. At 7:00 a.m. on October 21, 2016 the Mirai IoT botnet launched a DDoS attack against Dyn, a major DNS provider. The attacking hosts generated 1.2 terabits of malicious traffic, forcing Dyn off the Internet for hours. This was the second high-profile attack by the Mirai botnet. Noted security blogger Brian Krebs' site was the target of the first high-profile Mirai attack on September 20, 2016. As a result of the publicity, the source code for the botnet was published in early October. We have reviewed the source code and devised a tactic that uses the same compromise vector as the Mirai botnet to catalog vulnerable IoT devices and motivate operators to address their poor security practices. In this paper we discuss our approach and show experimental results that indicate feasibility.
TL;DR: An up-to-date picture of DDoS attacks in the specific subject of the IoT is provided, studying how these attacks work and considering the most common families in the IoT context, in terms of their nature and evolution through the years.
Abstract: The Internet of Things (IoT) revolution promises to make our lives easier by providing cheap and always-connected smart embedded devices, which can interact on the Internet and create added value for human needs. But all that glitters is not gold. Indeed, the other side of the coin is that, from a security perspective, this IoT revolution represents a potential disaster. The plethora of IoT devices that flooded the market were very badly protected, and thus an easy prey for several families of malware that can enslave them and incorporate them into very large botnets. This, eventually, brought Distributed Denial of Service (DDoS) attacks back to the top, making them more powerful and easier to achieve than ever. This paper aims to provide an up-to-date picture of DDoS attacks in the specific context of the IoT, studying how these attacks work and considering the most common families in the IoT context, in terms of their nature and evolution through the years. It also explores the additional offensive capabilities that this arsenal of IoT malware has available to undermine the security of Internet users and systems. We think that this up-to-date picture will be a valuable reference for the scientific community in order to take a first crucial step to tackle this urgent security issue.
TL;DR: This paper will focus on a particularly widespread piece of IoT malware known as the Mirai botnet by examining what its capabilities are, how it spreads to new devices, the impact that it has already had, and propose mitigation solutions to help prevent future attacks.
Abstract: Multiple news stories, articles, incidents, and attacks have consistently brought to light that IoT devices have a major lack of security. Developing a solution to protect and secure these devices is difficult because of the multitude of devices available on the market, each with their own requirements. This paper will focus on a particularly widespread piece of IoT malware known as the Mirai botnet by examining what its capabilities are, how it spreads to new devices, the impact that it has already had, and propose mitigation solutions to help prevent future attacks.
TL;DR: Reports the discovery, retrieval, and analysis of the 'Star Wars' botnet on Twitter, which consists of more than 350,000 bots tweeting random quotations exclusively from Star Wars novels and is unusually large, many times larger than other available datasets.
Abstract: It is known that many Twitter users are bots, which are accounts controlled and sometimes created by computers. Twitter bots can send spam tweets, manipulate public opinion and be used for online fraud. Here we report the discovery, retrieval, and analysis of the 'Star Wars' botnet in Twitter, which consists of more than 350,000 bots tweeting random quotations exclusively from Star Wars novels. The botnet contains a single type of bot, showing exactly the same properties throughout the botnet. It is unusually large, many times larger than other available datasets. It provides a valuable source of ground truth for research on Twitter bots. We analysed and revealed rich details on how the botnet was designed and created. As of this writing, the Star Wars bots are still alive in Twitter. They have survived since their creation in 2013, despite the increasing efforts in recent years to detect and remove Twitter bots. We also reflect on the 'unconventional' way in which we discovered the Star Wars bots, and discuss the current problems and future challenges of Twitter bot detection.
TL;DR: This paper proposes a session-based network intrusion detection model using a deep learning architecture and demonstrates that the proposed model can achieve incredibly high performance in detecting botnet network traffic.
Abstract: Intrusion detection is extremely crucial to prevent computer systems from being compromised. However, as numerous complicated attack types have increasingly appeared and evolved in recent years, obtaining quite high detection rates is increasingly difficult. Also, traditional heavily hand-crafted evaluation datasets for network intrusion detection have not been practical. In addition, deep learning techniques have shown extraordinary capabilities in various application fields. The primary goal of this research is to utilize unsupervised deep learning techniques to automatically learn essential features from raw network traffic and achieve quite high detection accuracy. In this paper, we propose a session-based network intrusion detection model using a deep learning architecture. Comparative experiments demonstrate that the proposed model can achieve incredibly high performance in detecting botnet network traffic.
TL;DR: A novel method for feature selection to detect botnets in their Command and Control (C&C) phase is presented; a considerable reduction in features and a higher detection rate than in the related work were obtained.
Abstract: In this paper, a novel method for feature selection to detect botnets in their Command and Control (C&C) phase is presented. A major problem is that researchers have proposed features based on their expertise, but there is no method to evaluate these features, since some of them could yield a lower detection rate than others. To this aim, we find the feature set, based on connections of botnets in their C&C phase, that maximizes the detection rate of these botnets. A Genetic Algorithm (GA) was used to select the set of features that gives the highest detection rate. We used the machine learning algorithm C4.5 to classify connections as belonging or not to a botnet. The datasets used in this paper were extracted from the ISOT and ISCX repositories. Some tests were done to get the best parameters for the GA and the C4.5 algorithm. We also performed experiments in order to obtain the best set of features for each botnet analyzed (specific), and for each type of botnet (general). The results are shown at the end of the paper, in which a considerable reduction in features and a higher detection rate than in the related work were obtained.
TL;DR: This paper tries to shed more light on the Mirai malware, used to create and control a botnet of IoT devices, with the aim of facilitating its detection and prevention.
Abstract: This paper tries to shed more light on the Mirai malware, with the aim of facilitating its detection and prevention. This malware was used in several recent high-profile DDoS attacks. Mirai is used to create and control a botnet of IoT devices. The code of this malware is analysed and an explanation of its parts provided. A virtual environment for dynamic analysis of Mirai is created. The special settings needed to install, start and use Mirai in this environment are explained. The Mirai CNC user environment with its list of commands is presented. A controlled DDoS attack was successfully executed. Traffic generated during the controlled attacks was used to generate a signature for Mirai detection. Conclusions of the static and dynamic analysis are given together with some mitigation advice.
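The abstract says a detection signature was derived from captured traffic but does not reproduce it. The added example below is not that signature and not the paper's code; it uses a property of the published Mirai scanner source instead: its SYN probes to TCP/23 (and, less often, TCP/2323) set the TCP sequence number equal to the destination IPv4 address, so the two fields match on the wire. The packet-summary layout and the addresses are assumptions made for the constructed data.

```python
"""Flag Mirai-style telnet scanning from packet summaries.
Added example, not the paper's signature. Relies on the published Mirai
scanner setting tcp.seq to the destination IPv4 address on its SYN probes."""
import ipaddress
from collections import Counter

MIRAI_PORTS = {23, 2323}

# Constructed packet summaries, not a capture: (src, dst, dport, tcp_flags, seq).
# 198.51.100.7 probes like a Mirai bot; the others are ordinary SYNs whose
# sequence numbers bear no relation to the destination address.
PACKETS = [
    ("198.51.100.7",  "192.0.2.10",  23,   "S", 3221225994),  # 0xC000020A == 192.0.2.10
    ("198.51.100.7",  "192.0.2.55",  2323, "S", 3221226039),  # 0xC0000237 == 192.0.2.55
    ("198.51.100.7",  "192.0.2.200", 23,   "S", 3221226184),  # 0xC00002C8 == 192.0.2.200
    ("198.51.100.22", "192.0.2.10",  23,   "S", 1187329552),  # admin telnet, random ISN
    ("198.51.100.9",  "203.0.113.4", 80,   "S", 3405803780),  # seq == dst but port 80: not the rule
    ("198.51.100.9",  "203.0.113.4", 443,  "S", 2791556187),  # ordinary HTTPS SYN
]


def is_mirai_probe(pkt):
    """True for a bare SYN to a Mirai scan port whose seq equals the destination address."""
    _src, dst, dport, flags, seq = pkt
    return (flags == "S"
            and dport in MIRAI_PORTS
            and seq == int(ipaddress.IPv4Address(dst)))


def scanners(packets, min_probes=2):
    """Sources with at least min_probes matching SYNs. A single match can be a
    coincidence (about 2^-32 per SYN), so require repetition before alerting."""
    hits = Counter(p[0] for p in packets if is_mirai_probe(p))
    return {src: n for src, n in hits.items() if n >= min_probes}


if __name__ == "__main__":
    for src, n in scanners(PACKETS).items():
        print(f"{src}: {n} Mirai-style probes")
```

The fingerprint is cheap enough to run inline on a telnet honeypot or at a border sensor, but it is tied to the leaked scanner code: forks are free to randomize the sequence number, so it should corroborate, not replace, rate-based detection of one source hitting many destinations on 23/2323.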
TL;DR: Three different techniques for botnet detection, each with its own use cases, are compared; the results were verified using the ISCX Intrusion Detection Dataset and the CTU-13 dataset.
Abstract: Day by day more and more devices are getting connected to the Internet, and with the advent of the Internet of Things this rate has grown exponentially. The lack of security in devices connected to the IoT is making them hot targets for cyber-criminals, and the strength of botnet attacks has increased drastically. Botnets are the technological backbone of multitudinous attacks including Distributed Denial of Service (DDoS), SPAM, identity theft and organizational spying. The 2016 Dyn cyber attack involved multiple DDoS attacks with an estimated throughput of 1.2 terabits per second; the attack is the largest DDoS attack on record. In this paper, we compare three different techniques for botnet detection, each having its own use cases. The results of the detection methods were verified using the ISCX Intrusion Detection Dataset and the CTU-13 Dataset.
TL;DR: There are strong indicators that most of the traffic captured by the telnet/SSH honeypot in this research is caused by botnet activity, which corresponds to the findings of other research.
Abstract: Recently, advances in cyber-physical systems and IoT have led to an increase in devices connected to the Internet. This rise in functionality also comes with an increased attack surface for cyber criminals. Honeypots are a proven method for forensic investigation of trends and developments in crimes conducted in the virtual world. We set up a medium-interaction honeypot offering telnet and SSH services. With this honeypot we captured data from attack sessions. This data was used for statistical and behavioural analysis, such as the distributions of attacks and of distinct attacker IPs, originating countries, employed anonymisation services, the skill level of an adversary and commonly targeted embedded devices. Furthermore, machine learning techniques that are capable of identifying unique types of sessions based on issued commands and provided credentials are presented in this work. There are strong indicators that most of the traffic captured during our research is caused by botnet activities, which corresponds to the findings of other research.
TL;DR: An abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment, is introduced, and an inference algorithm is devised that is shown to provide a consistent estimate of the botnet possibly hidden in the network.
Abstract: Distributed Denial-of-Service (DDoS) attacks are usually launched through the botnet, an “army” of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this paper, we offer basically three contributions: 1) we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; 2) we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time elapses) estimate of the botnet possibly hidden in the network; and 3) we verify the validity of the proposed inferential strategy on a test-bed environment. Our tests show that, for several scenarios of implementation, the proposed botnet identification algorithm needs an observation time in the order of (or even less than) 1 min to identify correctly almost all bots, without affecting the normal users’ activity.
TL;DR: A 5G-oriented solution is proposed for proactively detecting and mitigating botnets in a highly dynamic 5G network.
Abstract: Botnets are one of the most powerful cyberthreats affecting the continuity and delivery of existing network services. Detecting and mitigating attacks promoted by botnets becomes a greater challenge with the advent of 5G networks, as the number of connected devices with high mobility capabilities, the volume of exchanged data, and the transmission rates increase significantly. Here, a 5G-oriented solution is proposed for proactively detecting and mitigating botnets in a highly dynamic 5G network. 5G subscribers’ mobility requires dynamic network reconfiguration, which is handled by combining software-defined networking and network function virtualization techniques.
TL;DR: This paper presents the main idea behind AntibIoTic, a palliative solution to prevent DDoS attacks perpetrated through IoT devices.
Abstract: The year 2016 is remembered as the one that showed the world how dangerous Distributed Denial of Service attacks can be. A gauge of the disruptiveness of a DDoS attack is the number of bots involved: the bigger the botnet, the more powerful the attack. This characteristic, along with the increasing availability of connected and insecure IoT devices, makes DDoS and IoT the perfect pair for the malware industry. In this paper we present the main idea behind AntibIoTic, a palliative solution to prevent DDoS attacks perpetrated through IoT devices.
TL;DR: It is shown that with limited effort, an adversary using BLEB can achieve large-scale, high-precision and stealthy tracking, which can be more privacy-threatening than the tracking carried out through Wi-Fi or classic Bluetooth during their early deployment.
Abstract: This paper considers the problem of tracking users through the wireless fingerprint of their network interfaces. Bluetooth Low Energy (BLE) is one of these network interfaces and is becoming more and more popular because of its energy efficiency and its improved security. The use of random MAC addresses and deep changes in the Bluetooth communication procedure were expected to prevent the tracking of individuals through the BLE devices they carry. We reviewed popular devices and found that privacy-preserving MAC addresses are rarely used, even on ubiquitous devices that users carry all the time. Combined with the new advertising procedure introduced in BLE, this constitutes a serious flaw that can be used to track individuals. We investigate its exploitation by BLEB, a BLE botnet comprising smartphones and portable devices compromised by a tracking adversary. We investigate the multiple ways to implement it and show that with limited effort, an adversary using BLEB can achieve large-scale, high-precision and stealthy tracking. A BLEB attack can be more privacy-threatening than those carried out through Wi-Fi or classic Bluetooth during their early deployment.
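Added example (not the paper's tool) of the check behind the abstract's finding that privacy-preserving addresses are rarely used. It classifies advertiser addresses from constructed sniffer observations using two facts from the Bluetooth Core specification: the advertising PDU's TxAdd bit marks the address as public (0) or random (1), and the two most significant bits of a random address give its sub-type (11 static random, 01 resolvable private, 00 non-resolvable private). Public and static random addresses are stable handles; private ones are meant to rotate, the specification's recommended interval being about 15 minutes. The observation layout and the addresses are assumptions.

```python
"""Classify BLE advertiser addresses by how usable they are as a tracking handle.
Added example, not the paper's code; spec facts as stated in the lead-in."""

ROTATION_HINT_S = 15 * 60  # recommended private-address lifetime from the Core spec

# Constructed sniffer observations, not a capture: (seconds, txadd, address).
# Bluetooth addresses are written most-significant octet first.
OBSERVATIONS = [
    (0,    0, "00:1A:7D:DA:71:13"),  # public address: fixed for the device's lifetime
    (1800, 0, "00:1A:7D:DA:71:13"),
    (0,    1, "C4:9F:02:11:22:33"),  # 0xC4 = 0b11xxxxxx: static random, fixed at least until reboot
    (3600, 1, "C4:9F:02:11:22:33"),
    (0,    1, "5A:71:0C:9E:44:21"),  # 0x5A = 0b01xxxxxx: resolvable private address
    (600,  1, "5A:71:0C:9E:44:21"),
    (900,  1, "6E:13:F0:22:81:07"),  # 0x6E = 0b01xxxxxx: same device after rotating its RPA
    (1500, 1, "6E:13:F0:22:81:07"),
    (0,    1, "2B:4D:00:9A:C1:05"),  # 0x2B = 0b00xxxxxx: non-resolvable private address
]

RANDOM_SUBTYPES = {0b11: "static random",
                   0b01: "resolvable private",
                   0b00: "non-resolvable private"}


def address_kind(txadd, addr):
    """Public, or the random sub-type encoded in the address's top two bits."""
    if txadd == 0:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES.get(top_bits, "reserved")


def tracking_report(observations):
    """Per address: its kind, how long it was seen, and whether it gives a stable handle.
    A private address that lingers past the rotation hint is treated as stable too,
    since a device that never rotates is as trackable as one with a public address."""
    first, last, kind = {}, {}, {}
    for t, txadd, addr in observations:
        first[addr] = min(t, first.get(addr, t))
        last[addr] = max(t, last.get(addr, t))
        kind[addr] = address_kind(txadd, addr)
    report = {}
    for addr, k in kind.items():
        dwell = last[addr] - first[addr]
        stable = k in ("public", "static random") or dwell > ROTATION_HINT_S
        report[addr] = {"kind": k, "dwell_s": dwell, "stable_handle": stable}
    return report


def trackable_addresses(observations):
    """Addresses an adversary could use to follow a device across sightings."""
    return sorted(a for a, r in tracking_report(observations).items()
                  if r["stable_handle"])


if __name__ == "__main__":
    for addr, r in tracking_report(OBSERVATIONS).items():
        print(addr, r)
    print("trackable:", trackable_addresses(OBSERVATIONS))
```

Note the limit of the check: linking the two resolvable private addresses to one device requires the device's Identity Resolving Key, which only bonded peers hold, so an address that rotates on schedule defeats passive tracking even though the sniffer still sees every advertisement.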
TL;DR: This paper proposes an innovative cloud-based framework for protecting IoT devices and demonstrates how the proposed solution can be applied as a cost-effective solution capable of preventing exploitation of vulnerable IP cameras as part of a prominent botnet attack called Mirai.
Abstract: Many of today's Internet of Things (IoT) devices are vulnerable due to the large amount of overhead incurred when their operating systems are patched against emerging vulnerabilities. In addition, legacy IoT devices are no longer supported by their manufacturers, leaving customers with unpatched devices that can be easily exploited by attackers. Thus, there is an urgent need for a solution that provides a lightweight and low-cost mechanism for preventing exploitation of vulnerable IoT devices. In this paper, we propose an innovative cloud-based framework for protecting IoT devices. The proposed framework consists of a cloud service and a designated IoT security appliance. The security appliance controls the network traffic flowing to and from the vulnerable device and verifies that it does not violate a set of rules, represented by a vulnerability mitigation policy, that have been derived and synthesized by the cloud service from public corpora of Common Vulnerabilities and Exposures (CVE). We demonstrate how the proposed solution can be applied as a cost-effective solution capable of preventing exploitation of vulnerable IP cameras as part of a prominent botnet attack called Mirai.
TL;DR: A reinforcement learning based approach to optimally and dynamically deploy a limited number of defensive mechanisms, namely honeypots and network-based detectors, within the target network to reduce the lifetime of stealthy botnets by maximizing the number of bots identified and taken down through a sequential decision-making process.
Abstract: Modern botnets can persist in networked systems for extended periods of time by operating in a stealthy manner. Despite the progress made in the area of botnet prevention, detection, and mitigation, stealthy botnets continue to pose a significant risk to enterprises. Furthermore, existing enterprise-scale solutions require significant resources to operate effectively, thus they are not practical. In order to address this important problem in a resource-constrained environment, we propose a reinforcement learning based approach to optimally and dynamically deploy a limited number of defensive mechanisms, namely honeypots and network-based detectors, within the target network. The ultimate goal of the proposed approach is to reduce the lifetime of stealthy botnets by maximizing the number of bots identified and taken down through a sequential decision-making process. We provide a proof-of-concept of the proposed approach, and study its performance in a simulated environment. The results show that the proposed approach is promising in protecting against stealthy botnets.
TL;DR: A reading of internet-based activism or ‘hacktivism’ as a phenomenon that cannot be confined to the instrumental use of information technologies is offered, and the capacity of botnets to engender a more-than-human politics is analyzed from two distinct theoretical angles.
Abstract: This article offers a reading of internet-based activism or ‘hacktivism’ as a phenomenon that cannot be confined to the instrumental use of information technologies. It focuses on a subset of hacktivism – the distributed-denial-of-service (DDoS) attack for political ends – that aims at making an internet host unavailable to its intended users. Since the early 2000s these attacks have been increasingly conducted by means of botnets – networks of infected computers that send bogus requests to a target website without the consent of their users. The capacity of botnets to engender a more-than-human politics is analyzed from two distinct theoretical angles. First, drawing from Deleuze and Guattari, the hacktivist DDoS is discussed as an assemblage of signifying and a-signifying components, voluntary and involuntary actions. Second, Gilbert Simondon’s notions of transindividuation and transduction allow for a conceptualization of hacktivism as a sociotechnical assemblage with a high degree of indetermination.