Detecting Botnets using a Collaborative Situational-aware IDPS

M. Lisa Mathews, Anupam Joshi, Tim Finin

2016

Abstract

Botnet attacks turn susceptible victim computers into bots that perform various malicious activities while under the control of a botmaster. Some examples of the damage they cause include denial of service, click fraud, spamware, and phishing. These attacks can vary in the type of architecture and communication protocol used, which might be modified during the botnet lifespan. Intrusion detection and prevention systems are one way to safeguard the cyber-physical systems we use, but they have difficulty detecting new or modified attacks, including botnets. Only known attacks whose signatures have been identified and stored in some form can be discovered by most of these systems. Also, traditional IDPSs are point-based solutions incapable of utilizing information from multiple data sources and have difficulty discovering new or more complex attacks. To address these issues, we are developing a semantic approach to intrusion detection that uses a variety of sensors collaboratively. Leveraging information from these heterogeneous sources leads to a more robust, situational-aware IDPS that is better equipped to detect complicated attacks such as botnets.

References

  1. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., and Karir, M. (2009). A survey of botnet technology and defenses. In Conference For Homeland Security, 2009. CATCH'09. Cybersecurity Applications & Technology, pages 299-304. IEEE.
  2. Bechhofer, S., Van Harmelen, F., Hendler, J., Horrocks, I., McGuinness, D. L., Patel-Schneider, P. F., and Berners-Lee, T. and Connolly, D. (2014). Notation3 (N3): A readable RDF syntax. http://www.w3.org/ TeamSubmission/n3/.
  3. botherder (2012). Skynet, a Torpowered botnet straight from Reddit. http://www.reddit.com/r/netsec/comments/14etfq/ skynet a torpowered botnet straight from reddit/.
  4. Constantin, L. (2012). Tor network used to command Skynet botnet. http://www.pcworld.idg.com.au/article/444088/ tor network used command skynet botnet/.
  5. Diaz, Jr, E. and Estavillol, P. (2010). Win32/Vobfus. http://www.microsoft.com/security/portal/threat/ encyclopedia/Entry.aspx?Name=Win32%2fVobfus.
  6. Feily, M., Shahrestani, A., and Ramadass, S. (2009). A survey of botnet and botnet detection. In Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on, pages 268-273. IEEE.
  7. Gu, G., Yegneswaran, V., Porras, P., Stoll, J., and Lee, W. (2009). Active botnet probing to identify obscure command and control channels. In Computer Security Applications Conference, 2009. ACSAC'09. Annual, pages 241-253. IEEE.
  8. Guarnieri, C. (2012). Skynet, a Tor-powered botnet straight from Reddit. http://community.rapid7.com/ community/infosec/blog/2012/12/06/skynet-a-torpowered-botnet-straight-from-reddit.
  9. Kumar, M. (2013). Alleged Skynet Botnet creator arrested in Germany. http://thehackernews.com/2013/12/ alleged-skynet-botnet-creator-arrested.html/.
  10. Mancuso, V. F., Minotra, D., Giacobe, N., McNeese, M., and Tyworth, M. (2012). idsnets: An experimental platform to study situation awareness for intrusion detection analysts. In Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), 2012 IEEE International Multi-Disciplinary Conference on, pages 73-79. IEEE.
  11. Manola, F., Miller, E., and McBride, B. (2014). Rdf 1.1 Primer. http://www.w3.org/TR/rdf11-primer/.
  12. Mathews, M. L., Halvorsen, P., Joshi, A., and Finin, T. (2012). A collaborative approach to situational awareness for cybersecurity. In Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2012 8th International Conference on, pages 216-222. IEEE.
  13. McRee, R. (2006). http://holisticinfosec.org/toolsmith/ files/nov2k6/toolsmith.pcap.
  14. Mila (2012). Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples. http://contagiodump.blogspot.com/2012/ 12/dec-2012-skynet-tor-botnet-trojantbot.html.
  15. Mila (2013). Trojan Nap aka Kelihos/Hlux status update by DeepEnd Research and samples. http://ontagiodump. blogspot.com/2013/02/trojan-nap-aka-kelihoshluxstatus.html.
  16. More, S., Matthews, M., Joshi, A., and Finin, T. (2012). A knowledge-based approach to intrusion detection modeling. In Security and Privacy Workshops (SPW), 2012 IEEE Symposium on, pages 75-81. IEEE.
  17. Prince, B. (2015). Obama administration proposes giving courts more power to issue botnet injunctions. http:// www.securityweek.com/obama-administrationproposes-giving-courts-more-power-issue-botnetinjunctions.
  18. RapidMiner (2015). http://rapidminer.com/.
  19. Sharma, P., Joshi, A., and Finin, T. (2013). Detecting data exfiltration by integrating information across layers. In Information Reuse and Integration (IRI), 2013 IEEE 14th International Conference on, pages 309- 316. IEEE.
  20. Shin, S., Lin, R., and Gu, G. (2011). Cross-analysis of botnet victims: New insights and implications. In Recent Advances in Intrusion Detection, pages 242-261. Springer.
  21. Spasojevi, B. (2012). Trojan. Tbot. http:// www.symantec.com/security response/writeup.jsp? docid=2012-120716-2955-99.
  22. Squicciarini, A. C., Petracca, G., Horne, W. G., and Nath, A. (2014). Situational awareness through reasoning on network incidents. In Proceedings of the 4th ACM conference on Data and application security and privacy, pages 111-122. ACM.
  23. Thuraisingham, B., Hamlen, K. W., Khan, L., and Masud, M. M. (2008). Data mining for security applications. In Embedded and Ubiquitous Computing, IEEE/IFIP International Conference on, volume 2, pages 585- 589. IEEE.
  24. Undercoffer, J., Joshi, A., and Pinkston, J. (2003). Modeling computer attacks: An ontology for intrusion detection. In Recent Advances in Intrusion Detection, pages 113-135. Springer.
  25. VirusTotal (2015). https://www.virustotal.com/en//.
  26. Wireshark (2015). http://www.wireshark.org/.
  27. Young, E., Honda, H., and Bell, H. (2009). W32.Changeup. http://www.symantec.com/security response/ writeup.jsp?docid=2009-081806-2906-99.
Download


Paper Citation


in Harvard Style

Mathews M., Joshi A. and Finin T. (2016). Detecting Botnets using a Collaborative Situational-aware IDPS . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 290-298. DOI: 10.5220/0005684902900298


in Bibtex Style

@conference{icissp16,
author={M. Lisa Mathews and Anupam Joshi and Tim Finin},
title={Detecting Botnets using a Collaborative Situational-aware IDPS},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={290-298},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005684902900298},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Detecting Botnets using a Collaborative Situational-aware IDPS
SN - 978-989-758-167-0
AU - Mathews M.
AU - Joshi A.
AU - Finin T.
PY - 2016
SP - 290
EP - 298
DO - 10.5220/0005684902900298