• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.37-44
• /
• 2011

Recently malicious activities that is a DDoS, spam, propagation of malware, steeling person information, phishing on the Internet are related malicious botnet. To detect malicious botnet, Many researchers study a detection system for malicious botnet, but these applies specific protocol, action or attack based botnet. In this reason, we study a selection of measurement to detec malicious botnet in this paper. we collect a traffic of malicious botnet and analyze it for feature of network traffic. And we select a feature based measurement. we expect to help a detection of malicious botnet through this study.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.51-61
• /
• 2009

Recently, the cyber-attacks using botnets are being increased, Because these attacks pursue the money, the criminal aspect is also being increased, There are spreading of spam mail, DDoS(Distributed Denial of Service) attacks, propagations of malicious codes and malwares, phishings. leaks of sensitive informations as cyber-attacks that used botnets. There are many studies about detection and mitigation techniques against centralized botnets, namely IRC and HITP botnets. However, P2P botnets are still in an early stage of their studies. In this paper, we analyzed the traffics of the Peacomm bot that is one of P2P-based storm bot by using honeynet which is utilized in active analysis of network attacks. As a result, we could see that the Peacomm bot sends a large number of UDP packets to the zombies in wide network through P2P. Furthermore, we could know that the Peacomm bot makes the scale of botnet maintained and extended through these results. We expect that these results are used as a basis of detection and mitigation techniques against P2P botnets.

• KIPS Transactions on Computer and Communication Systems
• /
• v.1 no.1
• /
• pp.55-60
• /
• 2012

Recent botnets are widely using the DNS services at the connection of C&C server in order to evade botnet's detection. It is necessary to study on DNS analysis in order to counteract anomaly-based technique using the DNS. This paper studies collection of DNS traffic for experimental data and supervised learning for DNS traffic-based malicious domain classification such as query of domain name corresponding to C&C server from zombies. Especially, this paper would aim to determine significant features of DNS-based classification system for malicious domain extraction by the Principal Component Analysis(PCA).

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37B no.11
• /
• pp.1082-1089
• /
• 2012

Recent malicious attempts in Cyber space are intended to emerge national threats such as Suxnet as well as to get financial benefits through a large pool of comprised botnets. The evolved botnets use the Domain Name System(DNS) to communicate with the C&C server and zombies. DNS is one of the core and most important components of the Internet and DNS traffic are continually increased by the popular wireless Internet service. On the other hand, domain names are popular for malicious use. This paper studies on DNS-based cyber threats domain detection by data classification based on supervised learning. Furthermore, the developed cyber threats domain detection system using DNS traffic analysis provides collection, analysis, and normal/abnormal domain classification of huge amounts of DNS data.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.10
• /
• pp.4176-4197
• /
• 2020

Botnet is a type of dangerous malware. Botnet attack with a collection of bots attacking a similar target and activity pattern is called bot group activities. The detection of bot group activities using intrusion detection models can only detect single bot activities but cannot detect bots' behavioral relation on bot group attack. Detection of bot group activities could help network administrators isolate an activity or access a bot group attacks and determine the relations between bots that can measure the correlation. This paper proposed a new model to measure the similarity between bot activities using the intersections-probability concept to define bot group activities called as B-Corr Model. The B-Corr model consisted of several stages, such as extraction feature from bot activity flows, measurement of intersections between bots, and similarity value production. B-Corr model categorizes similar bots with a similar target to specify bot group activities. To achieve a more comprehensive view, the B-Corr model visualizes the similarity values between bots in the form of a similar bot graph. Furthermore, extensive experiments have been conducted using real botnet datasets with high detection accuracy in various scenarios.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2008.11a
• /
• pp.1429-1432
• /
• 2008

최근 DDoS 공격의 의도와 공격형태가 날로 다양해지고 그 피해규모가 심각해짐에 따라 DDoS를 탐지하고 이를 방어하기 위한 연구들이 활발하게 진행되고 있다. 한편, 봇넷은 이러한 DDoS 공격을 수행하는 도구로서 여러 연구기관들에 의해 새로운 위협적인 요소로 보고되고 있다. 본 연구에서는 보안상 상대적으로 취약하다고 알려져 있는 교내망에서 실제 봇넷 트래픽을 찾아내고 분석하였다. 이를 통해 봇넷의 특성을 밝혀내고 이와 관련된 연구의 기초자료로 사용될 수 있을 것이다.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.12
• /
• pp.1849-1856
• /
• 2013

DOS attack, the short of Denial of Service attack is an internet intrusion technique which harasses service availability of legitimate users. To respond the DDoS attack, a lot of methods focusing attack source, target and intermediate network, have been proposed, but there have not been a clear solution. In this paper, we purpose the prevention of malicious activity and early detection of DDoS attack by detecting and removing the activity of botnets, or other malicious codes. For the purpose, the proposed method monitors the network traffic, especially DSN traffic, which is originated from botnets or malicious codes.

• Journal of Internet of Things and Convergence
• /
• v.7 no.3
• /
• pp.1-8
• /
• 2021

With the rapid increase in the use of IoT and mobile devices, cyber criminals targeting IoT devices are also on the rise. Among IoT devices, when using a wireless access point (AP), problems such as packets being exposed to the outside due to their own security vulnerabilities or easily infected with malicious codes such as bots, causing DDoS attack traffic, are being discovered. Therefore, in this study, in order to actively respond to cyber attacks targeting IoT devices that are rapidly increasing in recent years, we proposed a method to collect traces of intrusion incidents artifacts from IoT devices, and to improve the validity of intrusion analysis data. Specifically, we presented a method to acquire and analyze digital forensics artifacts in the compromised system after identifying the causes of vulnerabilities by reproducing the behavior of the sample IoT malware. Accordingly, it is expected that it will be possible to establish a system that can efficiently detect intrusion incidents on targeting large-scale IoT devices.