The mobile botnet, developed from the traditional PC-based botnets, has become a practical underlying trend. In this paper, we design a mobile botnet, which exploits a novel command and control (CC) strategy named P...The mobile botnet, developed from the traditional PC-based botnets, has become a practical underlying trend. In this paper, we design a mobile botnet, which exploits a novel command and control (CC) strategy named Push-Styled CC. It utilizes Google cloud messaging (GCM) service as the botnet channel. Compared with traditional botnet, Push-Styled CC avoids direct communications between botmasters and bots, which makes mobile botnets more stealthy and resilient. Since mobile devices users are sensitive to battery power and traffic consumption, Push- Styled botnet also applies adaptive network connection strategy to reduce traffic consumption and cost. To prove the efficacy of our design, we implemented the prototype of Push-Style CC in Android. The experiment results show that botnet traffic can be concealed in legal GCM traffic with low traffic cost.展开更多
The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as P...The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer(P2P)networks.The P2P botnets leverage the privileges of the decentralized nature of P2P networks.Consequently,the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures.Some P2P botnets are smarter to be stealthy in their Commandand-Control mechanisms(C2)and elude the standard discovery mechanisms.Therefore,the other side of this cyberwar is the monitor.The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously.Some aspects pertain to the existing monitoring approaches,some pertain to the nature of P2P networks,and some to counter the botnets,i.e.,the anti-monitoring mechanisms.All these challenges should be considered in P2P botnet monitoring.To begin with,this paper provides an anatomy of P2P botnets.Thereafter,this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages.In addition,this paper groups the monitoring approaches into three groups:passive,active,and hybrid monitoring approaches.Furthermore,this paper also discusses the functional and non-functional requirements of advanced monitoring.In conclusion,this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.展开更多
The rapid expansion of the Internet of Things(IoT)and Edge Artificial Intelligence(AI)has redefined automation and connectivity acrossmodern networks.However,the heterogeneity and limited resources of IoT devices expo...The rapid expansion of the Internet of Things(IoT)and Edge Artificial Intelligence(AI)has redefined automation and connectivity acrossmodern networks.However,the heterogeneity and limited resources of IoT devices expose them to increasingly sophisticated and persistentmalware attacks.These adaptive and stealthy threats can evade conventional detection,establish remote control,propagate across devices,exfiltrate sensitive data,and compromise network integrity.This study presents a Software-Defined Internet of Things(SD-IoT)control-plane-based,AI-driven framework that integrates Gated Recurrent Units(GRU)and Long Short-TermMemory(LSTM)networks for efficient detection of evolving multi-vector,malware-driven botnet attacks.The proposed CUDA-enabled hybrid deep learning(DL)framework performs centralized real-time detection without adding computational overhead to IoT nodes.A feature selection strategy combining variable clustering,attribute evaluation,one-R attribute evaluation,correlation analysis,and principal component analysis(PCA)enhances detection accuracy and reduces complexity.The framework is rigorously evaluated using the N_BaIoT dataset under k-fold cross-validation.Experimental results achieve 99.96%detection accuracy,a false positive rate(FPR)of 0.0035%,and a detection latency of 0.18 ms,confirming its high efficiency and scalability.The findings demonstrate the framework’s potential as a robust and intelligent security solution for next-generation IoT ecosystems.展开更多
The botnet is the network of compromised computers that have fallen under the control of hackers after being infected by malicious programs such as trojan viruses. The compromised machines are mobilized to perform var...The botnet is the network of compromised computers that have fallen under the control of hackers after being infected by malicious programs such as trojan viruses. The compromised machines are mobilized to perform various attacks including mass spamming, distributed denial of service (DDoS) and additional trojans. This is becoming one of the most serious threats to the Internet infrastructure at present. We introduce a method to uncover compromised machines and characterize their behaviors using large email logs. We report various spain campaign variants with different characteristics and introduce a statistical method to combine them. We also report the long-term evolution patterns of the spare campaigns.展开更多
Botnets are networks composed with malware-infect ed computers.They are designed and organized to be controlled by an adversary.As victims are infected through their inappropriate network behaviors in most cases,the I...Botnets are networks composed with malware-infect ed computers.They are designed and organized to be controlled by an adversary.As victims are infected through their inappropriate network behaviors in most cases,the Internet protocol(IP) addresses of infected bots are unpredictable.Plus,a bot can get an IP address through dynamic host configuration protocol(DHCP),so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can't be always online.The whole process is carried out under the command and control(C&C) channel.Our goal is to characterize the network traffic under the C&C channel on the time domain.Our analysis draws upon massive data obtained from honeynet and a large Internet service provider(ISP) Network.We extract and summarize fingerprints of the bots collected in our honeynet.Next,with the fingerprints,we use deep packet inspection(DPI) Technology to search active bots and controllers in the Internet.Then,we gather and analyze flow records reported from network traffic monitoring equipments.In this paper,we propose a flow record interval analysis on the time domain characteristics of botnets control traffic,and we propose the algorithm to identify the communications in the C&C channel based on our analysis.After that,we evaluate our approach with a 3.4 GB flow record trace and the result is satisfactory.In addition,we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection(DFI) technology.展开更多
基金Supported by the National Natural Science Foundation of China (61202353, 61272084, 61272422)Graduate Innovation Foundation of Jiangsu Province (CXLX13_464)Natural Science Foundation of Jiangsu Higher Education Institutions (12KJB520008)
文摘The mobile botnet, developed from the traditional PC-based botnets, has become a practical underlying trend. In this paper, we design a mobile botnet, which exploits a novel command and control (CC) strategy named Push-Styled CC. It utilizes Google cloud messaging (GCM) service as the botnet channel. Compared with traditional botnet, Push-Styled CC avoids direct communications between botmasters and bots, which makes mobile botnets more stealthy and resilient. Since mobile devices users are sensitive to battery power and traffic consumption, Push- Styled botnet also applies adaptive network connection strategy to reduce traffic consumption and cost. To prove the efficacy of our design, we implemented the prototype of Push-Style CC in Android. The experiment results show that botnet traffic can be concealed in legal GCM traffic with low traffic cost.
基金This work was supported by the Ministry of Higher Education Malaysia’s Fundamental Research Grant Scheme under Grant FRGS/1/2021/ICT07/USM/03/1.
文摘The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer(P2P)networks.The P2P botnets leverage the privileges of the decentralized nature of P2P networks.Consequently,the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures.Some P2P botnets are smarter to be stealthy in their Commandand-Control mechanisms(C2)and elude the standard discovery mechanisms.Therefore,the other side of this cyberwar is the monitor.The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously.Some aspects pertain to the existing monitoring approaches,some pertain to the nature of P2P networks,and some to counter the botnets,i.e.,the anti-monitoring mechanisms.All these challenges should be considered in P2P botnet monitoring.To begin with,this paper provides an anatomy of P2P botnets.Thereafter,this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages.In addition,this paper groups the monitoring approaches into three groups:passive,active,and hybrid monitoring approaches.Furthermore,this paper also discusses the functional and non-functional requirements of advanced monitoring.In conclusion,this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.
基金supported by Princess Nourah bint Abdulrahman University Researchers Supporting ProjectNumber(PNURSP2025R97),PrincessNourah bint AbdulrahmanUniversity,Riyadh,Saudi Arabia.
文摘The rapid expansion of the Internet of Things(IoT)and Edge Artificial Intelligence(AI)has redefined automation and connectivity acrossmodern networks.However,the heterogeneity and limited resources of IoT devices expose them to increasingly sophisticated and persistentmalware attacks.These adaptive and stealthy threats can evade conventional detection,establish remote control,propagate across devices,exfiltrate sensitive data,and compromise network integrity.This study presents a Software-Defined Internet of Things(SD-IoT)control-plane-based,AI-driven framework that integrates Gated Recurrent Units(GRU)and Long Short-TermMemory(LSTM)networks for efficient detection of evolving multi-vector,malware-driven botnet attacks.The proposed CUDA-enabled hybrid deep learning(DL)framework performs centralized real-time detection without adding computational overhead to IoT nodes.A feature selection strategy combining variable clustering,attribute evaluation,one-R attribute evaluation,correlation analysis,and principal component analysis(PCA)enhances detection accuracy and reduces complexity.The framework is rigorously evaluated using the N_BaIoT dataset under k-fold cross-validation.Experimental results achieve 99.96%detection accuracy,a false positive rate(FPR)of 0.0035%,and a detection latency of 0.18 ms,confirming its high efficiency and scalability.The findings demonstrate the framework’s potential as a robust and intelligent security solution for next-generation IoT ecosystems.
基金supported by the National Research Foundation of Korea (NRF) funded by the Ministry of Education,Science and Technology (MEST) of Korea under Grant No. 2012R1A2A2A01014729
文摘The botnet is the network of compromised computers that have fallen under the control of hackers after being infected by malicious programs such as trojan viruses. The compromised machines are mobilized to perform various attacks including mass spamming, distributed denial of service (DDoS) and additional trojans. This is becoming one of the most serious threats to the Internet infrastructure at present. We introduce a method to uncover compromised machines and characterize their behaviors using large email logs. We report various spain campaign variants with different characteristics and introduce a statistical method to combine them. We also report the long-term evolution patterns of the spare campaigns.
基金supported by the National Science & Technology Pillar Program (2008BAH37B04)
文摘Botnets are networks composed with malware-infect ed computers.They are designed and organized to be controlled by an adversary.As victims are infected through their inappropriate network behaviors in most cases,the Internet protocol(IP) addresses of infected bots are unpredictable.Plus,a bot can get an IP address through dynamic host configuration protocol(DHCP),so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can't be always online.The whole process is carried out under the command and control(C&C) channel.Our goal is to characterize the network traffic under the C&C channel on the time domain.Our analysis draws upon massive data obtained from honeynet and a large Internet service provider(ISP) Network.We extract and summarize fingerprints of the bots collected in our honeynet.Next,with the fingerprints,we use deep packet inspection(DPI) Technology to search active bots and controllers in the Internet.Then,we gather and analyze flow records reported from network traffic monitoring equipments.In this paper,we propose a flow record interval analysis on the time domain characteristics of botnets control traffic,and we propose the algorithm to identify the communications in the C&C channel based on our analysis.After that,we evaluate our approach with a 3.4 GB flow record trace and the result is satisfactory.In addition,we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection(DFI) technology.
