• Title/Summary/Keyword: Botnets

Search Result 30, Processing Time 0.024 seconds

Feature Selection with PCA based on DNS Query for Malicious Domain Classification (비정상도메인 분류를 위한 DNS 쿼리 기반의 주성분 분석을 이용한 성분추출)

  • Lim, Sun-Hee;Cho, Jaeik;Kim, Jong-Hyun;Lee, Byung Gil
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.1 no.1
    • /
    • pp.55-60
    • /
    • 2012
  • Recent botnets are widely using the DNS services at the connection of C&C server in order to evade botnet's detection. It is necessary to study on DNS analysis in order to counteract anomaly-based technique using the DNS. This paper studies collection of DNS traffic for experimental data and supervised learning for DNS traffic-based malicious domain classification such as query of domain name corresponding to C&C server from zombies. Especially, this paper would aim to determine significant features of DNS-based classification system for malicious domain extraction by the Principal Component Analysis(PCA).

A Discovery System of Malicious Javascript URLs hidden in Web Source Code Files

  • Park, Hweerang;Cho, Sang-Il;Park, Jungkyu;Cho, Youngho
    • Journal of the Korea Society of Computer and Information
    • /
    • v.24 no.5
    • /
    • pp.27-33
    • /
    • 2019
  • One of serious security threats is a botnet-based attack. A botnet in general consists of numerous bots, which are computing devices with networking function, such as personal computers, smartphones, or tiny IoT sensor devices compromised by malicious codes or attackers. Such botnets can launch various serious cyber-attacks like DDoS attacks, propagating mal-wares, and spreading spam e-mails over the network. To establish a botnet, attackers usually inject malicious URLs into web source codes stealthily by using data hiding methods like Javascript obfuscation techniques to avoid being discovered by traditional security systems such as Firewall, IPS(Intrusion Prevention System) or IDS(Intrusion Detection System). Meanwhile, it is non-trivial work in practice for software developers to manually find such malicious URLs which are hidden in numerous web source codes stored in web servers. In this paper, we propose a security defense system to discover such suspicious, malicious URLs hidden in web source codes, and present experiment results that show its discovery performance. In particular, based on our experiment results, our proposed system discovered 100% of URLs hidden by Javascript encoding obfuscation within sample web source files.

Detecting Members of P2P Botnets Using Probabilistic Dye-Pumping Algorithm (Probabilistic Dye-Pumping 알고리즘을 이용한 P2P 봇넷 멤버 탐지)

  • Choi, Seung-hwan;Park, Hyo-seong;Kim, Ki-chang
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2012.10a
    • /
    • pp.744-748
    • /
    • 2012
  • Botnet is a network that consists of bot hosts infected by malware. The C&C server of centralized botnet, which is being used widely, is relatively easy to detect, while detecting P2P botnet is not a trivial problem because of the existence of many avoiding techniques. In this paper, we separate the network into inner and outer sub-network at the location of the router, and analyze the method of detecting botnet using path of packet and infection probability. We have extended Dye-Pumping algorithm in order to detect P2P botnet members more accurately, and we expect that the analysis of the results can be used as a basis of techniques that detect and block P2P botnet in the networks.

  • PDF

Intrusion Artifact Acquisition Method based on IoT Botnet Malware (IoT 봇넷 악성코드 기반 침해사고 흔적 수집 방법)

  • Lee, Hyung-Woo
    • Journal of Internet of Things and Convergence
    • /
    • v.7 no.3
    • /
    • pp.1-8
    • /
    • 2021
  • With the rapid increase in the use of IoT and mobile devices, cyber criminals targeting IoT devices are also on the rise. Among IoT devices, when using a wireless access point (AP), problems such as packets being exposed to the outside due to their own security vulnerabilities or easily infected with malicious codes such as bots, causing DDoS attack traffic, are being discovered. Therefore, in this study, in order to actively respond to cyber attacks targeting IoT devices that are rapidly increasing in recent years, we proposed a method to collect traces of intrusion incidents artifacts from IoT devices, and to improve the validity of intrusion analysis data. Specifically, we presented a method to acquire and analyze digital forensics artifacts in the compromised system after identifying the causes of vulnerabilities by reproducing the behavior of the sample IoT malware. Accordingly, it is expected that it will be possible to establish a system that can efficiently detect intrusion incidents on targeting large-scale IoT devices.

A Deep Learning Approach with Stacking Architecture to Identify Botnet Traffic

  • Kang, Koohong
    • Journal of the Korea Society of Computer and Information
    • /
    • v.26 no.12
    • /
    • pp.123-132
    • /
    • 2021
  • Malicious activities of Botnets are responsible for huge financial losses to Internet Service Providers, companies, governments and even home users. In this paper, we try to confirm the possibility of detecting botnet traffic by applying the deep learning model Convolutional Neural Network (CNN) using the CTU-13 botnet traffic dataset. In particular, we classify three classes, such as the C&C traffic between bots and C&C servers to detect C&C servers, traffic generated by bots other than C&C communication to detect bots, and normal traffic. Performance metrics were presented by accuracy, precision, recall, and F1 score on classifying both known and unknown botnet traffic. Moreover, we propose a stackable botnet detection system that can load modules for each botnet type considering scalability and operability on the real field.

VPN-Filter Malware Techniques and Countermeasures in IoT Environment (사물인터넷 환경에서의 VPN-Filter malware 기술과 대응방법)

  • Kim, Seung-Ho;Lee, Keun-Ho
    • Journal of Convergence for Information Technology
    • /
    • v.8 no.6
    • /
    • pp.231-236
    • /
    • 2018
  • Recently, a wide variety of IoT environment is being created due to the rapid development of information and communication technology. And accordingly in a variety of network structures, a countless number of attack techniques and new types of vulnerabilities are producing a social disturbance. In May of 2018, Talos Intelligence, the Cisco threat intelligence team has newly discovered 'VPN-Filter', which constitutes a large-scale IoT-based botnet, is infecting consumer routers in over 54 countries around the world. In this paper, types of IoT-based botnets and the attack techniques utilizing botnet will be examined and the countermeasure technique through EXIF metadata removal method which is the cause of connection method of C & C Server will be proposed by examining the characteristics of attack vulnerabilities and attack scenarios of VPN-Filter.

An Experimental Study on AutoEncoder to Detect Botnet Traffic Using NetFlow-Timewindow Scheme: Revisited (넷플로우-타임윈도우 기반 봇넷 검출을 위한 오토엔코더 실험적 재고찰)

  • Koohong Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.4
    • /
    • pp.687-697
    • /
    • 2023
  • Botnets, whose attack patterns are becoming more sophisticated and diverse, are recognized as one of the most serious cybersecurity threats today. This paper revisits the experimental results of botnet detection using autoencoder, a semi-supervised deep learning model, for UGR and CTU-13 data sets. To prepare the input vectors of autoencoder, we create data points by grouping the NetFlow records into sliding windows based on source IP address and aggregating them to form features. In particular, we discover a simple power-law; that is the number of data points that have some flow-degree is proportional to the number of NetFlow records aggregated in them. Moreover, we show that our power-law fits the real data very well resulting in correlation coefficients of 97% or higher. We also show that this power-law has an impact on the learning of autoencoder and, as a result, influences the performance of botnet detection. Furthermore, we evaluate the performance of autoencoder using the area under the Receiver Operating Characteristic (ROC) curve.

A Study on the Vulnerability Management of Internet Connection Devices based on Internet-Wide Scan (인터넷 와이드 스캔 기술 기반 인터넷 연결 디바이스의 취약점 관리 구조 연구)

  • Kim, Taeeun;Jung, Yong Hoon;Jun, Moon-Seog
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.20 no.9
    • /
    • pp.504-509
    • /
    • 2019
  • Recently, both wireless communications technology and the performance of small devices have developed exponentially, while the number of services using various types of Internet of Things (IoT) devices has also massively increased in line with the ongoing technological and environmental changes. Furthermore, ever more devices that were previously used in the offline environment-including small-size sensors and CCTV-are being connected to the Internet due to the huge increase in IoT services. However, many IoT devices are not equipped with security functions, and use vulnerable open source software as it is. In addition, conventional network equipment, such as switches and gateways, operates with vulnerabilities, because users tend not to update the equipment on a regular basis. Recently, the simple vulnerability of IoT devices has been exploited through the distributed denial of service (DDoS) from attackers creating a large number of botnets. This paper proposes a system that is capable of identifying Internet-connected devices quickly, analyzing and managing the vulnerability of such devices using Internet-wide scan technology. In addition, the vulnerability analysis rate of the proposed technology was verified through collected banner information. In the future, the company plans to automate and upgrade the proposed system so that it can be used as a technology to prevent cyber attacks.

Construction of an Audio Steganography Botnet Based on Telegram Messenger (텔레그램 메신저 기반의 오디오 스테가노그래피 봇넷 구축)

  • Jeon, Jin;Cho, Youngho
    • Journal of Internet Computing and Services
    • /
    • v.23 no.5
    • /
    • pp.127-134
    • /
    • 2022
  • Steganography is a hidden technique in which secret messages are hidden in various multimedia files, and it is widely exploited for cyber crime and attacks because it is very difficult for third parties other than senders and receivers to identify the presence of hidden information in communication messages. Botnet typically consists of botmasters, bots, and C&C (Command & Control) servers, and is a botmasters-controlled network with various structures such as centralized, distributed (P2P), and hybrid. Recently, in order to enhance the concealment of botnets, research on Stego Botnet, which uses SNS platforms instead of C&C servers and performs C&C communication by applying steganography techniques, has been actively conducted, but image or video media-oriented stego botnet techniques have been studied. On the other hand, audio files such as various sound sources and recording files are also actively shared on SNS, so research on stego botnet based on audio steganography is needed. Therefore, in this study, we present the results of comparative analysis on hidden capacity by file type and tool through experiments, using a stego botnet that performs C&C hidden communication using audio files as a cover medium in Telegram Messenger.

A Preemptive Detection Method for Unknown IoT Botnet Based on Darknet Traffic (다크넷 트래픽 기반의 알려지지 않은 IoT 봇넷 선제탐지 방안)

  • Gunyang Park;Jungsuk Song;Heejun Roh
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.2
    • /
    • pp.267-280
    • /
    • 2023
  • With development of computing and communications technologies, IoT environments based on high-speed networks have been extending rapidly. Especially, from home to an office or a factory, applications of IoT devices with sensing environment and performing computations are increasing. Unfortunately, IoT devices which have limited hardware resources can be vulnerable to cyber attacks. Hence, there is a concern that an IoT botnet can give rise to information leakage as a national cyber security crisis arising from abuse as a malicious waypoint or propagation through connected networks. In order to response in advance from unknown cyber threats in IoT networks, in this paper, We firstly define four types of We firstly define four types of characteristics by analyzing darknet traffic accessed from an IoT botnet. Using the characteristic, a suspicious IP address is filtered quickly. Secondly, the filtered address is identified by Cyber Threat Intelligence (CTI) or Open Source INTelligence (OSINT) in terms of an unknown suspicious host. The identified IP address is finally fingerprinted to determine whether the IP is a malicious host or not. To verify a validation of the proposed method, we apply to a Darknet on real-world SOC. As a result, about 1,000 hosts who are detected and blocked preemptively by the proposed method are confirmed as real IoT botnets.