Dissertations / Theses on the topic 'Botnet'

Consult the top 50 dissertations / theses for your research on the topic 'Botnet.'


1

Ramesh, Babu Lokesh Babu. "Covert Botnet Implementation and Defense Against Covert Botnets." DigitalCommons@USU, 2009. https://digitalcommons.usu.edu/etd/398.

Abstract:
The advent of the Internet and its benevolent use has benefited mankind in private and business use alike. However, like any other technology, the Internet is often used for malevolent purposes. One such malevolent purpose is to attack computers using botnets. Botnets are stealthy, and the victims are typically unaware of the malicious activities and the resultant havoc they can cause. Computer security experts seek to combat the botnet menace. However, attackers come up with new botnet designs that exploit the weaknesses in existing defense mechanisms and, thus, continue to evade detection. Therefore, it is necessary to analyze the weaknesses of existing defense mechanisms to find the lacunae in them and design new models of bot infection before the attackers do so. It is also necessary to validate the analysis and the design of such a model by implementing the attack and fine-tuning the design. This thesis validates the weaknesses found in existing defense mechanisms against botnets by implementing a new model of botnet and carrying out experiments on it. To merely analyze and present the weaknesses of a defense would open the door for attackers and make their job easier. Thus, creating a defense mechanism against the new attack is equally important. This thesis proposes a design against the new model of bot infection and also implements the design. Experiments were conducted to validate and fine-tune the design and eliminate flaws in the new defense mechanism.

2

Mukamurenzi, Nelly Marylise. "Storm Worm: A P2P Botnet." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2008. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9671.

Abstract:
In this thesis, P2P botnets are studied and analysed using Storm Worm as the case study. A theoretical honeypot experiment is described for the purpose of observing the attack method, behaviour and pattern of Storm Worm and potentially collecting forensic evidence to help in investigations of malware attacks of this kind.

3

Orvalho, André. "Botnet Detection by Correlation Analysis." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-105096.

Abstract:
When a bot master uses a command and control (C&C) mechanism to assemble a large number of bots, infecting them by using well-known vulnerabilities, it forms a botnet. Botnets can vary in C&C architecture (centralized C&C or P2P are the most common), communication protocols used (IRC, HTTP or others like P2P) and observable botnet activities. They are nowadays one of the largest threats in cyber security, and it is very important to specify the different characteristics of botnets in order to detect them, the same way a hunter needs to know its prey before preparing methods to catch it. There are two important places to look for botnet activity: the network and the infected host. This project intends to present a study that correlates the behavior on the network with the behavior on the host in order to help detection; studies like [SLWL07] (based on network behavior) and [SM07] (based on host behavior) are two good starting points for the research. The choice of the architecture was made by looking at the botnet characteristics, especially the capacity of changing and evolving, which makes methods for detection by misuse obsolete. The system is designed to first look at four features of system calls on the host side: first, which system call it is; second, the name of the application using the system call; third, the time between this system call and the last system call; and last, the sequence of the past three system calls. A technique of unsupervised learning (the K-means algorithm) is used to calculate the values for the threshold using an unclassified training set. In the real world, the collection is used to calculate the values to compare with the threshold. If it passes the threshold, then the necessary information is passed to the network evaluation block. On the network side, and before receiving any data from the host side, it calculates the threshold for the flows given in the training set. When using the data from the host to narrow down the number of flows to look at, it verifies whether their values pass the threshold. The feature used to calculate the threshold is the time between flows. If the network block finds flows that pass the threshold for the network evaluation block, then it emits reports and alarms to the user. The small experiments done show some promising signs for use in the real world, even though much more testing is needed, especially on the network part. The prototype shows some limitations that can be overcome by further testing and by using other techniques to evolve the prototype.
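The host-then-network pipeline this abstract describes, as an added illustration that is neither the thesis prototype nor part of this listing: a tiny 1-D K-means clusters inter-syscall times from an unlabelled training trace and the largest distance to a centroid seen in training becomes the host threshold; the (app, syscall, previous-three-syscalls) combinations seen in training are kept as a lookup; an event outside either is handed to the network block, which examines only the flows near that event against a threshold trained the same way on the time between flows. The traces, flows, IP addresses (documentation ranges), the per-app sequence feature and the "largest distance seen in training" threshold rule are all constructed or assumed here; the thesis's own data formats and parameters are not given on the page.

```python
# Host-then-network correlation in the spirit of the Orvalho abstract above.
# Editor-added illustration, not the thesis prototype: the syscall trace, the
# flows, the per-app "previous three syscalls" feature and the "largest
# distance seen in training" threshold rule are all constructed/assumed here.

def kmeans_1d(values, iters=25):
    """Deterministic two-centroid 1-D k-means, seeded at the extremes."""
    values = sorted(values)
    cents = [values[0], values[-1]]
    for _ in range(iters):
        buckets = [[], []]
        for v in values:
            buckets[0 if abs(v - cents[0]) <= abs(v - cents[1]) else 1].append(v)
        cents = [sum(b) / len(b) if b else c for b, c in zip(buckets, cents)]
    return cents

def dist(v, cents):
    """Distance to the nearest centroid: the score compared with the threshold."""
    return min(abs(v - c) for c in cents)

def host_features(trace):
    """trace: [(t, app, syscall)] sorted by t -> the four host features of the
    abstract: (t, app, syscall, time since previous syscall, recent sequence).
    The sequence is assumed here to be the previous three syscalls of the same app."""
    feats, prev_t, hist = [], None, {}
    for t, app, sc in trace:
        dt = 0.0 if prev_t is None else t - prev_t
        feats.append((t, app, sc, dt, hist.get(app, ())[-3:]))
        prev_t, hist[app] = t, hist.get(app, ()) + (sc,)
    return feats

def train_host(train_trace):
    """Unsupervised: cluster inter-syscall times, take the largest distance to a
    centroid seen in training as the threshold, remember the combinations seen."""
    feats = host_features(train_trace)
    cents = kmeans_1d([f[3] for f in feats])
    return {"cents": cents, "thr": max(dist(f[3], cents) for f in feats),
            "known": {(app, sc, seq) for _, app, sc, _, seq in feats}}

def host_suspects(model, trace):
    """Events whose timing or (app, syscall, sequence) falls outside training."""
    return [(t, app, sc) for t, app, sc, dt, seq in host_features(trace)
            if dist(dt, model["cents"]) > model["thr"]
            or (app, sc, seq) not in model["known"]]

def inter_flow_times(flows):
    """flows: [(t, dst)] sorted by t -> [(t, dst, gap since previous flow to dst)]."""
    last, gaps = {}, []
    for t, dst in flows:
        if dst in last:
            gaps.append((t, dst, t - last[dst]))
        last[dst] = t
    return gaps

def train_net(train_flows):
    """Same threshold rule as the host side, applied to the time between flows."""
    gaps = [g for _, _, g in inter_flow_times(train_flows)]
    cents = kmeans_1d(gaps)
    return {"cents": cents, "thr": max(dist(g, cents) for g in gaps)}

def correlate(host_model, net_model, trace, flows, window=2.0):
    """Host block first; only flows within `window` seconds of a suspicious host
    event reach the network block. Returns the destinations alarmed."""
    alarms = set()
    for t, _, _ in host_suspects(host_model, trace):
        nearby = [f for f in flows if abs(f[0] - t) <= window]
        for _, dst, gap in inter_flow_times(nearby):
            if dist(gap, net_model["cents"]) > net_model["thr"]:
                alarms.add(dst)
    return sorted(alarms)

def pattern(app, syscalls, start, period, repeats, gap=0.05):
    """Constructed trace generator: one burst of syscalls every `period` seconds."""
    out, t = [], start
    for _ in range(repeats):
        for sc in syscalls:
            out.append((round(t, 3), app, sc))
            t += gap
        t += period
    return out

# Constructed data (documentation IP ranges): a clean host, then the same host
# with a bot process added that beacons to 198.51.100.7 every 1.5 s.
TRAIN_TRACE = sorted(pattern("browser", ["open", "read", "close"], 0.0, 1.0, 8)
                     + pattern("editor", ["read", "write"], 0.33, 2.0, 4))
TRAIN_FLOWS = [(0.0, "203.0.113.10"), (0.02, "203.0.113.10"), (0.04, "203.0.113.10"),
               (1.0, "203.0.113.20"), (5.0, "203.0.113.10"), (5.02, "203.0.113.10"),
               (5.05, "203.0.113.10"), (6.0, "203.0.113.20"), (10.2, "203.0.113.10"),
               (10.22, "203.0.113.10")]
TEST_TRACE = sorted(TRAIN_TRACE
                    + pattern("svchost", ["connect", "send", "recv"], 3.0, 1.47, 3, gap=0.01))
TEST_FLOWS = sorted(TRAIN_FLOWS + [(t, "198.51.100.7") for t in (3.0, 4.5, 6.0, 7.5)])

HOST_MODEL = train_host(TRAIN_TRACE)
NET_MODEL = train_net(TRAIN_FLOWS)

if __name__ == "__main__":
    print("clean host   :", correlate(HOST_MODEL, NET_MODEL, TRAIN_TRACE, TRAIN_FLOWS))
    print("infected host:", correlate(HOST_MODEL, NET_MODEL, TEST_TRACE, TEST_FLOWS))
```

On the clean data nothing is alarmed; on the infected host only the beaconing destination is. Note that benign syscalls immediately following the bot's burst are also flagged by the host block on timing alone, which is why the alarm is keyed to the destination the network block confirms rather than to the application the host block named.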

4

Lino, Fábio Blessa Fernandes. "Development of a botnet detection system." Master's thesis, Universidade de Aveiro, 2009. http://hdl.handle.net/10773/2194.

Abstract:
Master's degree in Computer and Telematics Engineering
Illicit traffic is one of the major issues in network security. A strategy for a global partnership against it is needed in order to avoid illicit traffic from becoming a serious threat to the Internet economy and to global security in the forthcoming years. Traditional zombie detection techniques, such as antivirus, firewalls and anti-spyware, are not effective against this threat. The main reason for this failure is the limitation of these traditional methodologies in detecting new threats. To overcome this limitation, we propose a new intrusion detection approach that works together with traditional methods in order to ensure a higher level of protection/security. This new approach is based on the identification of traffic patterns. Each network service, as well as illicit traffic corresponding to botnets and other malware, has a characteristic traffic pattern that can unequivocally identify it. In order to decide which network traffic is illicit or licit, we use an Artificial Neural Network that is trained to identify the illicit patterns. After identifying the illicit traffic, the proposed system will generate alarms to the system administrator in order to alert him about a zombie or an infected computer. After this identification phase, the system administrator can take a security action, like blocking the corresponding IP address or putting it under deeper surveillance. The results obtained show that this is a feasible and efficient methodology, since it provides high detection rates with low computational overhead. So, we believe that this methodology can be an emerging technique that will deal with untraceable threats that current methodologies are unable to deal with.

5

Lee, Christopher Patrick. "Framework for botnet emulation and analysis." Diss., Atlanta, Ga. : Georgia Institute of Technology, 2009. http://hdl.handle.net/1853/28191.

Abstract:
Thesis (M. S.)--Electrical and Computer Engineering, Georgia Institute of Technology, 2009.
Committee Chair: Copeland, John; Committee Member: Durgin, Gregory; Committee Member: Goodman, Seymour; Committee Member: Owen, Henry; Committee Member: Riley, George.

6

Shirley, Brandon Lyle. "Covert Botnet Design and Defense Analysis." DigitalCommons@USU, 2009. https://digitalcommons.usu.edu/etd/500.

Abstract:
Intrusion defense system (IDS) development has been largely reactionary in nature. This is especially troubling given that botnets are capable of compromising and controlling thousands of computers before security professionals develop a mitigation technique. As new exploits are created, new mitigation techniques are developed to detect infections and, where possible, remove them. This thesis breaks from this tradition of reacting to malware. Instead, it looks at possible malicious software models through analyzing existing defense systems for exploitable weaknesses. First, this thesis presents a new specialized botnet that circumvents current network intrusion detection mechanisms. The proposed botnet coordinates external communication among bots located within the same switched network. This model is designed to prevent a perimeter-based IDS from adequately correlating external communication for a given internal host. The idea is to localize botnet communication, thus enabling a portion of the compromised systems to hide from existing detection techniques without a significant increase in network monitoring points, an increase that currently has not been effectively addressed. Second, this thesis presents a prototype of an IDS that addresses the aforementioned weakness in current IDSs. The proposed method augments existing IDSs in order to efficiently detect this new botnet specialization or "sub-botnet". Our method has added lightweight monitoring points within its switched network. These points relay necessary information back to a centralized perimeter-based IDS instance for bot detection. The IDS is also able to effectively relay signature information to the additional monitoring points for analysis.

7

Gu, Guofei. "Correlation-based Botnet Detection in Enterprise Networks." Diss., Georgia Institute of Technology, 2008. http://hdl.handle.net/1853/24634.

Abstract:
Most of the attacks and fraudulent activities on the Internet are carried out by malware. In particular, botnets, as state-of-the-art malware, are now considered as the largest threat to Internet security. In this thesis, we focus on addressing the botnet detection problem in an enterprise-like network environment. We present a comprehensive correlation-based framework for multi-perspective botnet detection consisting of detection technologies demonstrated in four complementary systems: BotHunter, BotSniffer, BotMiner, and BotProbe. The common thread of these systems is correlation analysis, i.e., vertical correlation (dialog correlation), horizontal correlation, and cause-effect correlation. All these Bot* systems have been evaluated in live networks and/or real-world network traces. The evaluation results show that they can accurately detect real-world botnets for their desired detection purposes with a very low false positive rate. We find that correlation analysis techniques are of particular value for detecting advanced malware such as botnets. Dialog correlation can be effective as long as malware infections need multiple stages. Horizontal correlation can be effective as long as malware tends to be distributed and coordinated. In addition, active techniques can greatly complement passive approaches, if carefully used. We believe our experience and lessons are of great benefit to future malware detection.
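Vertical (dialog) and horizontal correlation as this abstract distinguishes them, as an added example that is not the code of BotHunter, BotSniffer, BotMiner or BotProbe: dialog correlation looks at one host and asks whether its alerts span several stages of an infection dialog; horizontal correlation looks across hosts and asks whether several of them contact the same peer with the same period. The alert stream, the stage names, the "two stages, one of them post-infection" rule and the period-matching tolerance are assumptions made for the illustration.

```python
# Vertical (dialog) and horizontal correlation, illustrating the two ideas the
# Gu abstract above distinguishes. Editor-added example: the alert stages, the
# "two stages, one of them post-infection" rule and the period-matching
# tolerance are assumptions, not the actual rules of the Bot* systems.
from collections import defaultdict
from itertools import combinations

# Constructed sensor alerts: (t_seconds, internal host, stage, peer). Stage
# names are assumed sensor labels; "c2_contact" means a C&C-like outbound flow.
ALERTS = [
    (100, "10.0.0.5", "inbound_scan", "192.0.2.9"),
    (130, "10.0.0.5", "exploit", "192.0.2.9"),
    (160, "10.0.0.5", "egg_download", "198.51.100.7"),
    (200, "10.0.0.5", "c2_contact", "203.0.113.4"),
    (260, "10.0.0.5", "c2_contact", "203.0.113.4"),
    (320, "10.0.0.5", "c2_contact", "203.0.113.4"),
    # the infection of this host was never seen; only its C&C traffic was
    (210, "10.0.0.8", "c2_contact", "203.0.113.4"),
    (270, "10.0.0.8", "c2_contact", "203.0.113.4"),
    (330, "10.0.0.8", "c2_contact", "203.0.113.4"),
    # noise: scanned but not infected; a lone outbound scan; a lone periodic poller
    (150, "10.0.0.20", "inbound_scan", "192.0.2.9"),
    (400, "10.0.0.31", "outbound_scan", "10.0.1.0/24"),
    (100, "10.0.0.40", "c2_contact", "203.0.113.9"),
    (160, "10.0.0.40", "c2_contact", "203.0.113.9"),
    (220, "10.0.0.40", "c2_contact", "203.0.113.9"),
]
POST_INFECTION = {"egg_download", "c2_contact", "outbound_scan"}

def dialog_correlation(alerts, window=600):
    """Vertical correlation: one host, several stages of one infection dialog.
    A host is declared infected when, within `window` seconds, its alerts cover
    at least two distinct stages and at least one of them is post-infection."""
    by_host = defaultdict(list)
    for t, host, stage, _ in alerts:
        by_host[host].append((t, stage))
    infected = set()
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - t0 <= window}
            if len(stages) >= 2 and stages & POST_INFECTION:
                infected.add(host)
                break
    return infected

def horizontal_correlation(alerts, stage="c2_contact", jitter=5):
    """Horizontal correlation: several hosts, one coordinated behaviour.
    Hosts contacting the same peer with a regular period (gaps agreeing within
    `jitter` seconds) are grouped; a group needs at least two hosts to fire, so
    a single periodic poller is not enough on its own."""
    contacts = defaultdict(lambda: defaultdict(list))  # peer -> host -> [t]
    for t, host, s, peer in alerts:
        if s == stage:
            contacts[peer][host].append(t)
    flagged = set()
    for hosts in contacts.values():
        periods = {}
        for host, ts in hosts.items():
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter:
                periods[host] = sum(gaps) / len(gaps)
        for h1, h2 in combinations(periods, 2):
            if abs(periods[h1] - periods[h2]) <= jitter:
                flagged.update((h1, h2))
    return flagged

def detect(alerts):
    """Union of both views: each catches what the other misses."""
    return sorted(dialog_correlation(alerts) | horizontal_correlation(alerts))

if __name__ == "__main__":
    print("dialog    :", sorted(dialog_correlation(ALERTS)))
    print("horizontal:", sorted(horizontal_correlation(ALERTS)))
    print("combined  :", detect(ALERTS))
```

The second host is caught only by the horizontal rule (its infection was never observed, just its contacts in lockstep with the first host), while the single periodic poller is caught by neither; that is the complementarity the abstract claims for the two correlations.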

8

Wang, Ping. "The next generation botnet attacks and defenses." Doctoral diss., University of Central Florida, 2010. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/4673.

Abstract:
A "botnet" is a network of compromised computers (bots) that are controlled by an attacker (the botmaster). Botnets are one of the most serious threats to today's Internet; they are the root cause of many current Internet attacks, such as email spam, distributed denial of service (DDoS) attacks, click fraud, etc. There has been much research on how to detect, monitor, and defend against the botnets that have appeared and their attack techniques. However, it is equally important for us to investigate possible attack techniques that could be used by the next generation of botnets, and to develop effective defense techniques accordingly in order to be well prepared for future botnet attacks. In this dissertation, we focus on two areas of next-generation botnet attacks and defenses: peer-to-peer (P2P) structured botnets and the possible honeypot detection techniques used by future botnets. Currently, most botnets have a centralized command and control (C&C) architecture. However, P2P structured botnets have gradually emerged as a new advanced form of botnet. Without C&C servers, P2P botnets are more resilient to defense countermeasures than traditional centralized botnets. Therefore, we first systematically study P2P botnets along multiple dimensions: bot candidate selection, network construction, C&C mechanisms and communication protocols. As a further illustration of P2P botnets, we then present the design of an advanced hybrid P2P botnet, which could be developed by botmasters in the near future. Compared with current botnets, the proposed botnet is harder to shut down, monitor, and hijack. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. We suggest and analyze several possible defenses against this advanced botnet. Building on our understanding of P2P botnets, we turn our focus to P2P botnet countermeasures. We provide mathematical analysis of two P2P botnet mitigation approaches, index poisoning defense and Sybil defense, and one monitoring technique, passive monitoring. We are able to give analytical results to evaluate their performance, and simulation-based experiments show that our analysis is accurate. Besides P2P botnets, we investigate honeypot-aware botnets as well. Because honeypot techniques have been widely used in botnet defense systems, botmasters will have to find ways to detect honeypots in order to protect and secure their botnets. We point out a general honeypot-aware principle: security professionals deploying honeypots have a liability constraint, such that they cannot allow their honeypots to participate in real attacks that could cause damage to others, while attackers do not need to follow this constraint. Based on this principle, a hardware- and software-independent honeypot detection methodology is proposed. We present possible honeypot detection techniques that can be used in both centralized botnets and P2P botnets. Our experiments show that current standard honeypot and honeynet programs are vulnerable to the proposed honeypot detection techniques. In the meantime, we discuss some guidelines for defending against general honeypot-aware botnet attacks.
Thesis (Ph.D.)--University of Central Florida, 2010. Includes bibliographical references (p. 117-131).
Department of Electrical Engineering and Computer Science

9

Akula, Ravi Kiran. "Botnet Detection Using Graph Based Feature Clustering." Thesis, Mississippi State University, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10751733.

Abstract:
Detecting botnets in a network is crucial because bot activities impact numerous areas such as security, finance, health care, and law enforcement. Most existing rule- and flow-based detection methods may not be capable of detecting bot activities in an efficient manner. Hence, designing a robust botnet-detection method is of high significance. In this study, we propose a botnet-detection methodology based on graph-based features. A Self-Organizing Map is applied to establish the clusters of nodes in the network based on these features. Our method is capable of isolating bots in small clusters while containing most normal nodes in the big clusters. A filtering procedure is also developed to further enhance the algorithm's efficiency by removing inactive nodes from bot detection. The methodology is verified using the real-world CTU-13 and ISCX botnet datasets and benchmarked against classification-based detection methods. The results show that our proposed method can efficiently detect the bots despite their varying behaviors.

10

Graham, Mark. "A botnet needle in a virtual haystack." Thesis, Anglia Ruskin University, 2017. https://arro.anglia.ac.uk/id/eprint/702723/1/Graham_2017.pdf.

Abstract:
The Cloud Security Alliance's 2015 Cloud Adoption Practices and Priorities Survey reports that 73% of global IT professionals cite security as the top challenge holding back cloud services adoption. Malware with the capabilities to jump between the abstracted virtual infrastructures found within cloud service provider networks heightens the threat from botnet attack upon a cloud infrastructure. This research project aimed to provide a novel methodological approach for capturing communication traffic between botnets. The originality of this study comes from the application of the standards-based IPFIX flow export protocol as a traffic capture mechanism. The first contribution to knowledge is a critical investigation into how IPFIX export overcomes the limitations of traditional NetFlow-based botnet communication traffic capture in cloud provider networks. The second contribution is the BotProbe IPFIX template, comprising eleven IANA IPFIX information elements. Field occupancy count and Spearman's Rank correlation on 25 million botnet flows created an IPFIX template tailored specifically for botnet traffic capture. The third contribution is BotStack, a modular, non-intrusive IPFIX monitoring framework, created upon Xen hypervisor and virtual switched platforms, to incorporate IPFIX export into existing cloud stacks. The fourth contribution is compelling empirical evidence from weighted-factor observation across multiple network vantage points that siting IPFIX exporters on the host hypervisor provides maximum traffic visibility. BotProbe performs on average 26.73%±0.03% quicker than traditional NetFlow v5, with 14.06%±0.01% less storage requirements. BotProbe can be extended with additional application layer attributes, for use in less privacy-sensitive environments. Both novel IPFIX templates were tested on the BotStack framework, capturing four distinct traffic profiles in the life cycle of a Zeus botnet. The techniques developed in this research can be repurposed to create IPFIX traffic capture templates for most cybersecurity threats, including DDoS and spam, turning behavioural-based traffic capture from a big data challenge into a manageable data solution.

11

Vural, Ickin. "Spamming mobile botnet detection using computational intelligence." Diss., University of Pretoria, 2013. http://hdl.handle.net/2263/36775.

Abstract:
This dissertation explores a new challenge to digital systems posed by the adaptation of mobile devices and proposes a countermeasure to secure systems against threats to this new digital ecosystem. The study provides the reader with background on the topics of spam, botnets and machine learning before tackling the issue of mobile spam. The study presents the reader with a three-tier model that uses machine learning techniques to combat spamming mobile botnets. The three-tier model is then developed into a prototype and demonstrated to the reader using test scenarios. Finally, this dissertation critically discusses the advantages of using the three-tier model to combat spamming botnets.
Dissertation (MSc)--University of Pretoria, 2013.
Computer Science

12

Graham, Mark. "A botnet needle in a virtual haystack." Thesis, Anglia Ruskin University, 2017. http://arro.anglia.ac.uk/702723/.

13

Muzzi, Fernando Augusto Garcia. "Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção" [Botnet analysis using a virtual-machine simulation platform aimed at detection and containment]. Universidade de São Paulo, 2010. http://www.teses.usp.br/teses/disponiveis/3/3142/tde-01032011-130343/.

Abstract:
Computer networks and the Internet are increasingly complex environments, and new services, users and infrastructures appear every day. The security and privacy of information become critical for the evolution of these environments. Anonymity, the fragility of security and other factors often encourage ill-intentioned individuals to create tools and techniques for attacking computer systems, resulting in losses of various kinds. The Internet has grown greatly in recent years and, along with this growth, new threats have appeared, such as botnets. A botnet is a network of bots (robots) that leave the victim's computer infected and monitored or controlled by an external agent. The big problem with botnets is that they can be used by malicious groups to mount attacks, with detrimental effects on people, entities, organizations and nations. However, despite the large number of studies conducted by the security community in recent years, there is a need for further studies on behaviour, propagation and containment, not least because of the great variation in methods of infection and propagation in this type of attack. In this context, this thesis analyzes the behaviour of the Rxbot botnet and implements security services, such as an IDS and packet-filter rules, to analyze and contain the propagation of botnets. A simulation platform using virtual machines that provide a Windows operating system environment is used for the analysis. The main contributions are the detection and containment of botnet propagation using various security services, and the analysis of the propagation of SMTP packets, using the simulation platform.

14

Zhang, Junjie. "Effective and scalable botnet detection in network traffic." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/44837.

Abstract:
Botnets represent one of the most serious threats against Internet security, since they serve as the platforms responsible for the vast majority of large-scale and coordinated cyber attacks, such as distributed denial of service, spamming, and information theft. Detecting botnets is therefore of great importance, and a number of network-based botnet detection systems have been proposed. However, as botnets perform attacks in an increasingly stealthy way and the volume of network traffic is rapidly growing, existing botnet detection systems face significant challenges in terms of effectiveness and scalability. The objective of this dissertation is to build novel network-based solutions that can boost both the effectiveness of existing botnet detection systems, by detecting botnets whose attacks are very hard to observe in network traffic, and their scalability, by adaptively sampling network packets that are likely to be generated by botnets. To be specific, this dissertation describes three unique contributions. First, we built a new system to detect drive-by download attacks, which represent one of the most significant and popular methods of botnet infection. The goal of our system is to boost the effectiveness of existing drive-by download detection systems by detecting a large number of drive-by download attacks that are missed by these existing detection efforts. Second, we built a new system to detect botnets with peer-to-peer (P2P) command and control (C&C) structures (i.e., P2P botnets), where P2P C&Cs currently represent the most robust C&C structures against disruption efforts. Our system aims to boost the effectiveness of existing P2P botnet detection by detecting P2P botnets in two challenging scenarios: i) botnets perform stealthy attacks that are extremely hard to observe in the network traffic; ii) bot-infected hosts are also running legitimate P2P applications (e.g., BitTorrent and Skype). Finally, we built a novel traffic analysis framework to boost the scalability of existing botnet detection systems. Our framework can effectively and efficiently identify a small percentage of hosts that are likely to be bots, and then forward network traffic associated with these hosts to existing detection systems for fine-grained analysis, thereby boosting the scalability of existing detection systems. Our traffic analysis framework includes a novel botnet-aware and adaptive packet sampling algorithm, and a scalable flow-correlation technique.

15

Ramsbrock, Daniel. "Mitigating the botnet problem from victim to botmaster /." Fairfax, VA : George Mason University, 2008. http://hdl.handle.net/1920/3136.

Abstract:
Thesis (M.S.)--George Mason University, 2008. Thesis director: Xinyuan Wang. Submitted in partial fulfillment of the requirements for the degree of Master of Science in Information Security and Assurance. Includes bibliographical references (p. 78-81).

16

Meng, Xim. "An integrated network-based mobile botnet detection system." Thesis, City, University of London, 2018. http://openaccess.city.ac.uk/19840/.

Abstract:
The increase in the use of mobile devices has made them a target for attackers, through the use of sophisticated malware. One of the most significant types of such malware is mobile botnets. Due to their continually evolving nature, botnets are difficult to tackle through signature-based and traditional anomaly-based detection methods. Machine learning techniques have also been used for this purpose. However, the study of their effectiveness has shown methodological weaknesses that have prevented the emergence of conclusive and thorough evidence about their merit. To address this problem, in this thesis we propose a mobile botnet detection system, called MBotCS, and report the outcomes of a comprehensive experimental study of mobile botnet detection using supervised machine learning techniques to analyse network traffic and system calls on Android mobile devices. The research covers a range of botnet detection scenarios that is wider than what has been explored so far, explores atomic and box learning algorithms, and investigates thoroughly the sensitivity of algorithm performance to different factors (algorithms, features of network traffic, system call data aggregation periods, botnets vs normal applications, and so on). These experiments have been evaluated using real mobile device traffic and system calls captured from Android mobile devices running normal apps and mobile botnets. The experimental study has several advantages compared with existing research. Firstly, the experiments use not only atomic but also box ML classifiers. Secondly, they use a comprehensive set of Android mobile botnets, which had not been considered previously, without relying on any form of synthetic training data. Thirdly, the experiments contain a wider set of detection scenarios, including unknown botnets and normal applications. Finally, the experiments include the statistical significance of differences in detection performance measures with respect to different factors. The study resulted in positive evidence about the effectiveness of the supervised learning approach as a solution to the mobile botnet detection problem.
APA, Harvard, Vancouver, ISO, and other styles
17

Eklund, Martin, and Patrik Ståhlberg. "Distributed denial of service attacks : Protection, Mitigation, and Economic Consequences." Thesis, KTH, Radio Systems Laboratory (RS Lab), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-170924.

Full text
Abstract:
Distributed Denial of Service attacks are a problem that constantly threatens companies that rely on the internet for major parts of their business. A successful DDoS attack that manages to penetrate a company’s network can lead to devastating damages in the form of lost income, reduced productivity, increased costs, and damage to the company’s image and reputation. The different DDoS attacks are many and of different character and often target different parts of the network, which makes it very difficult to defend against them. It is also very clear that DDoS attacks are increasing in both number and size every year. From our experiments we have proven that anyone with little knowledge and limited resources can perform DDoS attacks that will make a website unavailable. This fact should make companies that base their business on the internet aware that they are likely to someday be subject to a DDoS attack. From our research we have found a variety of different DDoS solutions on the market that promise to offer protection, many of which claim to protect against all different types of DDoS attacks. In practice it is impossible to find something that guarantees 100% safety. According to earlier research in the field, there are many different ways of protecting a network against DDoS attacks, e.g. via Software Defined Networking, Hop-Count Filtering, or Kill-bots. Our own tests show that a virtual firewall can offer protection against DDoS attacks on a low scale, but that such a solution has a number of weaknesses. If the firewall does protect the website, the attacker could instead shift to attacking the firewall itself. Our research also shows that the most common motives behind DDoS attacks are criminal purposes. Criminals use DDoS attacks to earn money by offering directed DDoS attacks against websites or by trying to blackmail companies into paying a fee for not being attacked. 
We have also seen that the economic consequences of DDoS attacks are devastating if not handled with a sufficiently fast response. After investigating the e-commerce company CDON.com we learned that they could potentially lose roughly 36 410 SEK per minute when a DDoS attack is underway against them. In today’s business climate it is important for companies to be able to rely on the internet for their activity and for customers to have easy access to the company’s products and services. However, companies’ websites are being attacked and thus these companies need an explicit plan of how to mitigate such attacks.
Distributed Denial of Service (DDoS) attacks are a problem that constantly threatens companies that rely on the internet for central parts of their business. A DDoS attack that succeeds in penetrating a company’s network can cause devastating damage in the form of lost revenue, reduced productivity, increased costs and damage to the company’s reputation/brand. DDoS attacks are many and of different character, attacking different parts of a company’s network, which makes it difficult to protect effectively against DDoS attacks. It is also clear that DDoS attacks increase both in number and in size every year. From our own experiments we have been able to prove that anyone with small means and limited knowledge can carry out a DDoS attack that takes down a website. This fact means that every company whose business is based on the internet should expect to be subjected to a DDoS attack at some point. From our studies we can see that there is an abundance of different DDoS protections on the market, protections that handle some of the problems DDoS attacks cause, but there is no complete protection that can guarantee 100 % security. From earlier research in the field it is evident that there are many different ways to protect against DDoS attacks, e.g. through Software Defined Networks, Hop-Count Filtering or Kill-bots. Our own tests show that a virtual firewall can be one way to protect against DDoS attacks, but the tests also show that such a solution is not safe either, since access to the website can be destroyed by overloading the firewall. The study also shows that one of the most common motives behind DDoS attacks is criminal purposes: criminals who use DDoS attacks to make money by offering targeted DDoS attacks against websites or by attempting to extort payment with DDoS attacks as a threat. 
We have concluded that the economic consequences of DDoS attacks can be fateful for companies if they are not handled in time. Through our own calculations we have shown that the e-commerce company CDON.com risks losing approximately 36 415,90 kr per minute while a DDoS attack is ongoing against the company. The reason we chose to devote this thesis to the DDoS problem is the alarming increase in DDoS attacks that can be seen every year. The attacks become more numerous, they grow in size and they become increasingly sophisticated. The attacks are also sometimes carried out seemingly without motive, but well-planned attacks are also carried out to harm companies financially. In today’s business climate it is important that a company is able to use the internet to run its business and to make it easy for customers to access the company’s products/services. That companies’ websites are knocked out because of DDoS attacks is a reality today, and a clear plan for how to handle such an incident should be in place within companies.
18

Donaldson, Jonathon W. "Anomaly-based botnet detection for 10 Gb/s networks /." Online version of thesis, 2007. http://hdl.handle.net/1850/4769.

Full text
19

du, Bruyn Jeremy Cecil. "Toward an automated botnet analysis framework: a darkcomet case-study." Thesis, Rhodes University, 2016. http://hdl.handle.net/10962/2937.

Full text
20

Chen, Bor-An, and 陳柏安. "Automatically Extract Botnet Features Using an Autoencoder to Detect Botnets." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/c7z8gk.

Full text
Abstract:
Master's
National Chiao Tung University
Institute of Network Engineering
107
Botnets are one of the major threats on the Internet for cybercrimes such as spreading spam, DDoS attacks, etc. In 2016, there was a famous cybercrime using a botnet: the hacker used a botnet to control a large number of IoT devices and launched a DDoS attack. This event interrupted some famous network services. In past years, many researchers have worked on botnet detection. Early on, researchers focused on signature-based botnet detection. In recent years, researchers have used machine learning techniques such as supervised learning to detect botnets. When researchers want to use supervised learning techniques to detect botnets, they need to be familiar with botnets and analyze the botnet dataset so they can propose effective features. We propose an automated botnet feature extraction method. This method can extract features from a large feature set using an autoencoder and train a classifier. With this method, we can achieve an accuracy of up to 99.6% on different data sets. Our method not only reduces the researcher’s effort to find effective features, but can also reduce the dimension of the original feature set. In addition, the autoencoder training data does not need to be labeled, and the autoencoder training can be improved with unlabeled data. Finally, we also use the autoencoder to take advantage of the characteristics of the unlabeled data and use only general network flows to build the model to achieve anomaly detection.
21

Venkatesh, Bharath. "Fast Identification of Structured P2P Botnets Using Community Detection Algorithms." Thesis, 2013. http://etd.iisc.ac.in/handle/2005/3470.

Full text
Abstract:
Botnets are a global problem, and effective botnet detection requires cooperation of large Internet Service Providers, allowing near global visibility of traffic that can be exploited to detect them. The global visibility comes with huge challenges, especially in the amount of data that has to be analysed. To handle such large volumes of data, a robust and effective detection method is the need of the hour, and it must rely primarily on a reduced or abstracted form of data such as a graph of hosts, with the presence of an edge between two hosts if there is any data communication between them. Such an abstraction would be easy to construct and store, as very little of the packet needs to be looked at. Structured P2P command and control have been shown to be robust against targeted and random node failures, and thus are ideal mechanisms for botmasters to organize and command their botnets effectively. Thus this thesis develops a scalable, efficient and robust algorithm for the detection of structured P2P botnets in large traffic graphs. It draws from the advances in the state of the art in Community Detection, which aim to partition a graph into dense communities. Popular Community Detection Algorithms with low theoretical time complexities such as Label Propagation, Infomap and the Louvain Method have been implemented and compared on large LFR benchmark graphs to study their efficiency. The Louvain method is found to be capable of handling graphs of millions of vertices and billions of edges. This thesis analyses the performance of this method with two objective functions, Modularity and Stability, and finds that neither of them is robust and general. In order to overcome the limitations of these objective functions, a third objective function proposed in the literature is considered. This objective function has previously been used successfully in the case of Protein Interaction Networks, and is used in this thesis to detect structured P2P botnets for the first time. 
Further, the differences in the topological properties (assortativity and density) of structured P2P botnet communities and benign communities are discussed. In order to exploit these differences, a novel measure based on mean regular degree is proposed, which captures both the assortativity and the density of a graph, and its properties are studied. This thesis proposes a robust and efficient algorithm that combines the use of greedy community detection and community filtering using the proposed measure, mean regular degree. The proposed algorithm is tested extensively on a large number of datasets and found to be comparable in performance in most cases to an existing botnet detection algorithm called BotGrep, and found to be significantly faster.
22

Venkatesh, Bharath. "Fast Identification of Structured P2P Botnets Using Community Detection Algorithms." Thesis, 2013. http://etd.iisc.ernet.in/2005/3470.

Full text
23

Camelo, Pedro Miguel Bairrão de Seixas. "Botnet cluster identification." Master's thesis, 2014. http://hdl.handle.net/10362/14181.

Full text
Abstract:
Botnets are a group of computers infected with a specific sub-set of a malware family and controlled by one individual, called the botmaster. These kinds of networks are used, among other things, for virtual extortion, spam campaigns and identity theft. They implement different types of evasion techniques that make it harder for one to group and detect botnet traffic. This thesis introduces one methodology, called CONDENSER, that outputs clusters through a self-organizing map and that identifies domain names generated by an unknown pseudo-random seed that is known by the botnet herder(s). Additionally, DNS Crawler is proposed; this system saves historic DNS data for fast-flux and double fast-flux detection, and is used to identify live C&C IPs used by real botnets. A program, called CHEWER, was developed to automate the calculation of the SVM parameters and features that perform better against the available domain names associated with DGAs. CONDENSER and DNS Crawler were developed with scalability in mind so that the detection of fast-flux and double fast-flux networks becomes faster. We used an SVM for the DGA classifier, selecting a total of 11 attributes and achieving a Precision of 77,9% and an F-Measure of 83,2%. The feature selection method identified the 3 most significant attributes of the total set of attributes. For clustering, a Self-Organizing Map was used on a total of 81 attributes. The conclusions of this thesis were accepted at Botconf through a submitted article. Botconf is a well-known conference for research, mitigation and discovery of botnets, tailored to the industry, where current work and research is presented. This conference is known for bringing together security and anti-virus companies, law enforcement agencies and researchers.
24

Huang, Ming-Zong, and 黃銘宗. "Hybrid Botnet Detection." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/42294863093808242913.

Full text
Abstract:
Master's
National Sun Yat-sen University
Department of Information Management
98
There are three main types of botnet: IRC-based, P2P-based and Web-based, and they have become a major threat to the Internet recently. Web-based botnets are popular and more harmful to users. The architecture of a Web-based botnet is simpler than that of a P2P-based botnet, and its malicious traffic can be hidden in a large amount of normal traffic. In this study, we built an experimental environment using malicious bot programs to detect suspicious traffic and malware features. Besides network attacks and identity theft, botnets can also be used by hackers to extend the lifetime of rogue websites by combining them with Fast Flux Domain technology. Botnets and Fast Flux Domain technology are closely linked to each other in the real world. Both Web-based botnets and Fast Flux Domain technology use the HTTP protocol to communicate, and a botnet provides a large number of infected hosts to act as Fast Flux Agents, which act like relay stations that block the direct link from clients to malicious websites while completing the mutual connection. In this research, not only the analysis and detection of Web-based botnets are focused on, but the impact of Fast Flux Domain technology is also included. We expect to clarify the architecture of botnets and Fast Flux Domain technology, and make the detection mechanism more precise.
25

KARAMVEER. "IOT BOTNET DETECTION." Thesis, 2022. http://dspace.dtu.ac.in:8080/jspui/handle/repository/19143.

Full text
Abstract:
The Internet consists of multiple interconnected systems/networks, one of which being the “Internet of Things”. In spite of their flexibility, numerous IoT devices/gadgets are technically weak in terms of security, which makes them an ideal target for a variety of security breaches, including botnet assaults. IoT applications in the smart city are currently being targeted by advanced persistent threats (APT). Botnets are a piece of malware that permits hackers to take control of several systems and carry out destructive operations. IoT-based botnet assaults have become increasingly common as a result of the development of IoT gadgets, which are more readily hacked than desktop PCs. To combat this new danger, advanced approaches for identifying attacks initiated from infected IoT devices and distinguishing between day and milliseconds duration assaults must be developed. This study aimed to find, assess, and present a comprehensive overview of experimental works on IoT botnet detection research. The identification methods used to identify IoT botnets, their stages, and the botnet stealth strategies were all investigated in this study. The writers examined the nominated study as well as the major approaches used in it. The authors analyzed the botnet stages when detection is done and categorized the detection methods depending on the strategies utilized. The authors examined current research gaps and proposed future research topics as a consequence of this investigation and proposed a network-based anomalous detector that leverages deep learning to identify aberrant network traffic flowing from exploited IoT nodes by extracting network behavioral snapshots. On the UNSW dataset with a slew of neural network architectures and hidden layers, the suggested model combining CNN and LSTM has been trained and assessed. To test our strategy, I employed a dataset of various commercial IoT nodes infiltrated with Mirai and BASHLITE, two popular IoT botnets. 
The results of our tests showed that our suggested strategy could correctly and quickly detect assaults as they were launched from hacked IoT nodes that were members of a botnet.
26

Klubal, Martin. "Problematika sítí typu botnet." Master's thesis, 2013. http://www.nusl.cz/ntk/nusl-169035.

Full text
27

Agarwal, Sudhir. "Performance analysis of peer-to-peer botnets using "The Storm Botnet" as an exemplar." Thesis, 2010. http://hdl.handle.net/1828/2689.

Full text
Abstract:
Among malicious codes like computer viruses and worms, botnets have attracted significant attention and have been one of the biggest threats on the Internet. Botnets have evolved to incorporate peer-to-peer communications for the purpose of propagating instructions to large numbers of computers (also known as bots) under the botmaster's control. The impact of the botnet lies in its ability to let a bot master execute large-scale attacks while remaining hidden as the true director of the attack. One such recently known botnet is the Storm botnet. Storm is based on the Overnet Distributed Hash Table (DHT) protocol, which in turn is based on the Kademlia DHT protocol. Significant research has been done on determining its operational size, behaviour and mitigation approaches. In this research, the peer-to-peer behaviour of Storm is studied by simulating its actual packet-level network behaviour. The packet-level simulator is developed via the simulation framework OMNET++ to determine the impact of design parameters on botnet performance and resilience. Parameters such as botnet size, peer list size, the number of bot masters and the key propagation time have been explored. Furthermore, two mitigation strategies are considered: a) a random removal strategy (disinfection strategy), which removes selected bots randomly from the botnet; b) a Sybil disruption strategy, which introduces fake bots into the botnet with the task of propagating Sybil values into the botnet to disrupt the communication channels between the controllers and the compromised machines. The simulation studies demonstrate that Sybil disruption strategies outperform random removal strategies. The simulation results also indicate that random removal strategies are not even effective for small-sized networks. The results of the simulation studies are particularly applicable to the Storm botnet, but these results also provide insights that can be applied to peer-to-peer based botnets in general.
28

Tsai, Yun-Chin, and 蔡雲欽. "The Research of Botnet Detection." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/00452827894840459932.

Full text
Abstract:
Master's
Chung Cheng Institute of Technology, National Defense University
Master's Program in Computer Science
98
In recent years, network security incidents have occurred frequently. They have created disasters all around the world, including spam, Internet fraud activities, data theft, etc. Botnets were the key culprit. Therefore, how to detect botnets is a very important issue for network security. Using the IRC protocol as a communication mechanism is still the most popular approach for botnets. This thesis introduces the origin and structure of botnets, and focuses on IRC-based botnets. In this work, we use Testbed@TWISC to build an experimental environment to collect and analyze botnet packets, developing a botnet detection program that combines a nickname similarity algorithm and a private message similarity algorithm. Using these two network characteristics of botnets, this work monitors network packets online and detects botnets in real time.
29

Liu, En-Bang, and 劉恩榜. "Mobile Botnet Detection on Android." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/72436850018843213186.

Full text
Abstract:
Master's
National Chiao Tung University
Institute of Computer Science and Engineering
100
Botnets are now a serious threat to the internet. The infected computers become puppets (zombie computers), controlled by the attacker without the user's awareness. This impact not only results in leakage of information and system damage, but also makes the computers a springboard for major network attacks. With the rapid development of smart phones, the phone is no longer just for calling or sending messages as before; it also has the ability to surf the internet and do basic data processing, hence much personal data, passwords, and private pictures/videos are stored in the phone. The smart phone has become a mini-PC. So in recent years, many hackers continue to develop viruses, Trojan horses, bot viruses and other malicious software on mobile phones to steal private information and send advertising messages and spam e-mails. Therefore, in this paper we provide a mobile botnet detection system on Android. Based on the group activity model and the abnormal connection metric, we install the Snort IDS to detect real-time traffic and the botnet packet filter to collect abnormal traffic in the frontend, then upload the abnormal traffic to the detection center. After collecting traffic data from many mobile phones, the center uses similarity algorithms to determine which phone is infected with the bot virus and controlled by the attacker.
30

Jia-JuAn and 安家駒. "Pattern Analysis and Classification in Botnet." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/96211726352850392992.

Full text
Abstract:
Master's
National Cheng Kung University
Institute of Computer and Communication Engineering
101
As organizations and government agencies rely increasingly on information technology, information technology has become an integral part of their daily operations, which face more security challenges. How to protect their information assets from hacker attacks while achieving confidentiality, integrity and availability has become an important issue for business organizations and government agencies. In recent years, malware has been a serious threat to information security in terms of confidentiality, integrity and availability. The serious security threat of botnets has attracted the attention of IT business organizations, the information industry and government entities. Botnets in particular pose a huge risk to information security. Due to hackers rapidly developing tools and spreading them all the time, together with other factors including economics and the difficulty of cybercrime prevention, botnets have slowly become hackers’ tools used to steal serial numbers, account passwords or other valuable information, to carry out distributed denial of service attacks (DDoS), and to act as a springboard for junk mail (SPAM). Other factors are the change in network connection patterns to continuous services such as ADSL and FTTB, the level of information security awareness, and the large number of infected PCs that become victims and the scapegoats of information security hazards. Current research still lacks pattern analysis and classification models. Therefore, we hope to create a structured database to collect the data, and then use data mining techniques to study botnet behavior patterns and exploit specific properties to establish our own classification model; we hope to achieve something in this field and contribute to the research of botnets.
31

Deng, LiZhong, and 鄧立忠. "P2P Botnet Traffic Analysis and Identification." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/12410425287795271638.

Full text
Abstract:
Master's
National Hsinchu University of Education
Graduate Institute of Computer Science
99
The Internet has become an indispensable part of human life and provides us with convenient services, for example, searching for information, using auction websites, playing online games, and so on. Due to its convenience, hackers try to commit crimes to obtain benefits. Therefore, network security has become an important research issue today. Usually, crackers use a variety of methods to achieve the purpose of their attacks, for example, Distributed Denial of Service (DDoS) and spam mail. These methods require a large number of computers to achieve the goal; hence crackers must spread malicious software to infect computers with weaker defense mechanisms. The infected computers become zombies in the botnets controlled by the crackers. Thus, it is an important subject in network security to detect and defend against botnets. Among them, the Peer-to-Peer (P2P) botnet is a new type of botnet in which every zombie is a peer controlled by the cracker, and thus defending against it is more difficult. The object of this research is to find the traffic flows produced by known or unknown malicious software in order to defend against P2P botnets. Based on the analysis of P2P network connection flows and their packet patterns, a mechanism containing six stages is proposed to identify P2P botnet traffic and locate the zombies, with the objective of restraining these computers from further infection.
32

Alvarez, Jaime, and 安傑米. "Botnet Detection Using Unsupervised Machine Learning." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/58203919605540228770.

Full text
Abstract:
Master's
National Tsing Hua University
Institute of Information Systems and Applications
103
This study uses different techniques to detect botnets: we apply network traffic analysis, unsupervised learning, and analysis of the similarity between normal networks and botnets. In the study, we tested different clustering algorithms and compared their performance. Next, we selected the best-performing clustering algorithm to determine the main groups and remove redundant and identical network data, and analyzed their similarity. Using the computed network similarity results, we designed a heuristic method to detect botnets.
33

Liaw, Wen-Chyi, and 廖紋淇. "Estimating the size of P2P Botnet." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/45256055760863807083.

Full text
Abstract:
Master's
National Yunlin University of Science and Technology
Master's Program, Department of Information Management
98
In recent years, botnets have become major security threats on the Internet, since the attacker can control a large number of bots. Attackers primarily use them for DDoS attacks, e-mail spamming, or massive personal information theft. The size of a botnet is a key index to estimate the threat of a botnet: the larger the size of a botnet, the more devastating these attacks can be. Estimating the size of a botnet has thus become an important issue in Internet security. In a P2P botnet, every bot peer holds information about some other bot peers. In this study, we utilize this characteristic and the capture-recapture technique to estimate the size of a P2P botnet.
34

Lu, Yu-Hua, and 呂育華. "The Development of Botnet Monitoring Platform." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/73510145091718949424.

Full text
Abstract:
Master's
Kun Shan University
Institute of Information Management
99
Nowadays, botnets have become a new type of network attack that uses e-mail, social networks or host vulnerabilities to download bots onto infected computers. As a result, many infected hosts (i.e., zombies) have been taken over by hackers in order to perform malicious tasks. Hackers use botnets to manipulate zombies through distinct protocols such as HTTP, SSH or P2P from a Command & Control center (C&C), which leads to serious threats, for example, DDoS, SPAM and theft of business information. The present study develops a botnet monitoring platform to check the remote hosts, collect the abnormal behaviors of zombies and monitor the network flow. When malicious bot behaviors are detected on suspicious hosts, the platform sends a digital antidote to recover them and reports the real-time status of the hosts back to the platform via system logs. Two real cases are conducted to show that the proposed approach can effectively monitor botnets, distribute the digital antidote and rapidly cut the inbound/outbound network connections, which enhances network security protection and lowers the load on network management by sending alert messages to the manager.
35

Jyun-HaoLi and 李俊皜. "The Study on Botnet Topology Reconstruction." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/81818956018698517749.

Full text
36

Li, Yu-Yun, and 李玉雲. "Botnet Detection Based on Ant Colony." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/58989658466741093732.

Full text
Abstract:
Master's
National Sun Yat-sen University
Department of Information Management
100
Botnets are the biggest threat now. Botmasters inject bot code into normal computers so that the computers become bots under the control of the botmasters. Every bot connects to the botnet coordinator, called the Command and Control server (C&C); the C&C delivers commands to bots, supervises the states of bots and keeps bots alive. When the C&C delivers commands from the botmasters to bots, the bots have to do whatever the botmasters want, such as DDoS attacks, sending spam and stealing private information from victims. If we can detect where the C&C is, we can prevent people from being attacked over the network. Ant Colony Optimization (ACO) studies artificial systems that take inspiration from the behavior of real ant colonies and which are used to solve discrete optimization problems. When ants walk on a path, they leave pheromone on the path; more pheromone will attract more ants to walk on it. Quick convergence and heuristics, two main characteristics of ant algorithms, are adopted in the proposed approach to finding the C&C node. According to the features of the connections between the C&C and bots, ants select nodes by these features in order to detect the location of the C&C and take down the botnet.
APA, Harvard, Vancouver, ISO, and other styles
37

Liao, Hung Yi, and 廖紘毅. "An Advance Hybrid P2P Social Botnet." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/90123036765350163901.

Master's thesis, Ching Yun University of Science and Technology, Graduate Institute of Computer, Communication and Systems Engineering, ROC academic year 100 (2011-12).
Abstract:
Recently, malware attacks over the Internet by e-mail, denial of service (DoS) or distributed denial of service (DDoS) have become more serious. Botnets have become a significant part of Internet malware attacks. Traditional botnets include three parts: the botmaster, command and control (C&C) servers and bots. The C&C servers receive commands from the botmaster and remotely control the distributed computers. Bots use DNS to find the locations of the C&C servers. In this thesis, we propose an advanced hybrid peer-to-peer (P2P) social botnet (AHPS botnet) that uses Web 2.0 technology to hide the botmaster's instructions in social sites, which are regarded as C&C servers. Servent bots are regarded as sub-C&C servers that get the instructions from the social sites. The AHPS botnet can evaluate the performance of servent bots, reduce DNS traffic from bots to C&C servers, and make bot actions harder to detect than those of IRC-based botnets over the Internet.
38

Ngan, Dang Thi Kim, and 鄧氏金銀. "HTTP Botnet detection using decision tree." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/78666177227649974399.

Master's thesis, Chinese Culture University, Department of Information Management, ROC academic year 102 (2013-14).
Abstract:
Botnets are the most dangerous and widespread threat among the diverse forms of malware Internet attacks nowadays. A botnet is a group of compromised computers connected via the Internet which are remotely accessed and controlled by hackers to carry out various network attacks. Malicious activities include DDoS attacks, spam, click fraud, identity theft and phishing for information. The most basic characteristic of botnets is the use of command and control channels to communicate with the botnet, through which the botnet can be updated and commanded. Botnets have become a common and effective tool used by botmasters in many cyber-attacks. Recently, malicious botnets have developed into HTTP botnets instead of typical IRC botnets. HTTP botnets are the latest generation of botnets, and they use the standard HTTP protocol to contact their bots. By using normal HTTP traffic, the bots are considered normal users of the network, and current network security systems cannot detect them. To solve this problem, a method based on a network behavior analysis system was developed to improve, modify and add new features to the current methods of detecting HTTP-based botnets and their bots.
39

Lin, Wei-Lun, and 林維倫. "Botnet Detection Based on Deep Learning." Thesis, 2019. http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5396047%22.&searchmode=basic.

Master's thesis, National Chung Hsing University, Department of Information Management, ROC academic year 107 (2018-19).
Abstract:
Botnets have been a serious security problem for a long time. Countless computers are infected with botnets every year. Common attack methods include distributed denial-of-service attacks, spam and click fraud. Computers infected with botnets are not easily noticed by users. Therefore, detecting botnets has become an important issue. Most current implementations are based on network traffic and manually extracted features, but it is also easy for the attacker to deliberately avoid the features and escape investigation. Because the latency of the botnet is not easily detected, the accuracy of the prediction is reduced. The concept of this paper is to convert network traffic into grayscale maps, use deep learning to classify computers as infected, and then use feature visualization to assist visual observation. We hope to prevent beforehand instead of detecting afterwards. We use the CTU dataset. Modeling with a single virus using CNN, RNN and ConvLSTM and predicting other types of viruses, the accuracy can reach 91.59%, 90.60% and 91.82% on average. Then, we check the data and adjust the dataset with visual feature maps. Finally, retraining with ConvLSTM, the accuracy is up to 99.58%.
40

Sinha, Prosenjit. "Botnet Reverse Engineering and Call Sequence Recovery." Thesis, 2011. http://spectrum.library.concordia.ca/7083/1/Sinha_MCompSc_S2012.pdf.

Abstract:
The focus on computer security has increased due to the ubiquitous use of the Internet. Criminals abuse the anonymous and insidious traits of the Internet to commit monetary online fraud, theft and extortion. Botnets are the prominent vehicle for committing online crimes. They provide a platform for a botmaster to control a large group of infected Internet-connected computers. The botmaster exploits this large group of connected computers to send spam, commit click fraud, install adware/spyware, flood specific networks from distributed locations, host phishing sites and steal personal credentials. All these activities pose a serious threat to individuals and organizations. Furthermore, the situation demands more attention since the research and development of the underground criminal industry is faster than that of the security research industry. To cope with the ever-growing botnet threats, security researchers as well as Internet users need cognizance of the recent trends and techniques of botnets. In this thesis, we analyze in depth, by reverse engineering, two prominent botnets, namely Mariposa and Zeus. The findings of the analysis may foster the knowledge of security researchers in multiple dimensions to deal with the botnet issue. To enhance the abstraction and visualization techniques of reverse engineering, we develop a tool which is used for a detailed outlook of call sequences.
41

Pei-Ju Hsieh and 謝佩如. "HTTP Botnet Detection by Traffic Characteristics Analysis." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/tk5w6k.

Master's thesis, National Cheng Kung University, Institute of Computer and Communication Engineering, ROC academic year 102 (2013-14).
Abstract:
In order to prevent the threat of HTTP botnets, this approach provides a detection scheme based on the flow characteristics observed in HTTP botnet traffic. This scheme can detect the presence of botnets precisely without analyzing packet contents. Moreover, this research solves the non-periodic connection problem between bots and the C&C server and presents an effective scheme to identify HTTP botnet traffic among a large volume of normal traffic.
42

Lo, Wen-Ling, and 羅文翎. "Botnet Detection Based on HTTP Header Anomaly." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/pmebhj.

Master's thesis, National Sun Yat-sen University, Department of Information Management, ROC academic year 104 (2015-16).
Abstract:
Nowadays, botnets use viruses to infect computers all around the world and turn them into bots. By controlling a large number of bots, attackers can do whatever they want. Most botnets receive and send messages through HTTP or P2P channels. Whichever kind of botnet they are, the technology and number of botnets have kept rising in recent years. In this paper, our target is to find the connections between bots and the C&C server over HTTP. We analyze the behavior and signature of the traffic in which one computer connects to one server through HTTP, and detect the malicious connections. In this study, we analyze the traffic in the following steps. First, we use DBSCAN to analyze the behavior of the traffic and divide it into 4 classes. Next, we use Ant Colony Optimization to detect whether a connection is suspicious or not. Last, we analyze the signature of the HTTP header in the traffic. In this study, we can detect botnets with less information and at a faster speed, and get a higher detection rate by analyzing behavior and signature at the same time.
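Added example (not code from the thesis above): a minimal version of the header-signature step, checking a request's header set, User-Agent and header order against a browser baseline. The baseline header list, the scoring weights, the threshold and the two sample requests are constructed assumptions for illustration, not features or values taken from the thesis.

```python
"""Flag HTTP requests whose header profile deviates from a browser baseline.

Added illustration of header-signature checking. The baseline header set,
the scoring weights, the threshold and the sample requests are constructed
assumptions, not features taken from the thesis.
"""
from collections import Counter

# Headers a typical browser request carries, in the order browsers send them
# (constructed baseline; real baselines are learned per browser family).
BASELINE_ORDER = ["host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection"]
BROWSER_BASELINE = set(BASELINE_ORDER)


def parse_request(raw):
    """Split a raw HTTP request into (request line, ordered header list)."""
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def header_anomaly_score(raw):
    """Return (score, reasons); a higher score means less browser-like."""
    _request_line, headers = parse_request(raw)
    names = [n for n, _ in headers]
    present = set(names)
    reasons, score = [], 0
    # 1. Headers every browser sends but this request lacks (+1 each).
    for missing in sorted(BROWSER_BASELINE - present):
        score += 1
        reasons.append(f"missing {missing}")
    # 2. Absent, empty or bare tool/library User-Agent (+2).
    ua = dict(headers).get("user-agent", "")
    if not ua.startswith("Mozilla/"):
        score += 2
        reasons.append(f"non-browser user-agent {ua!r}")
    # 3. Browsers emit a stable header order; count inversions against it (+1).
    pos = [BASELINE_ORDER.index(n) for n in names if n in BASELINE_ORDER]
    inversions = sum(1 for i in range(len(pos))
                     for j in range(i + 1, len(pos)) if pos[i] > pos[j])
    if inversions:
        score += 1
        reasons.append(f"{inversions} header-order inversions")
    # 4. Duplicate header names are rare in browser traffic (+1).
    dup = sorted(n for n, c in Counter(names).items() if c > 1)
    if dup:
        score += 1
        reasons.append(f"duplicate headers {dup}")
    return score, reasons


def is_suspicious(raw, threshold=3):
    """Threshold of 3 is an assumed cut-off, to be tuned on local traffic."""
    return header_anomaly_score(raw)[0] >= threshold


# Constructed sample requests (documentation address range, not real hosts).
BROWSER_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
"""

BEACON_REQUEST = """POST /gate.php HTTP/1.1
Host: 203.0.113.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
"""

if __name__ == "__main__":
    for label, req in (("browser", BROWSER_REQUEST), ("beacon", BEACON_REQUEST)):
        score, why = header_anomaly_score(req)
        print(f"{label}: score={score} suspicious={is_suspicious(req)} {why}")
```

The browser request scores 0 and the bare POST scores 7 (five missing baseline headers plus no User-Agent). A check like this is only a signature, so a bot that copies a real browser's header block passes it; that is why the abstract pairs it with the behavioral (DBSCAN and ACO) steps rather than using it alone.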
43

Tseng, Jui-Yu, and 曾瑞瑜. "IRC Botnet Detection Based on Activity Correlation." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/71653131966029471376.

Master's thesis, National Cheng Kung University, Department of Computer Science and Information Engineering, ROC academic year 97 (2008-09).
Abstract:
Recently, botnets have become one of the most severe threats on the Internet because they are hard to prevent and cause huge losses. Prior intrusion detection system research focused on traditional threats like viruses, worms or Trojans. However, traditional intrusion detection systems have limited ability to defend against scenario attacks and complicated attacks, so they cannot detect botnet activities before botmasters launch the final attack. In a botnet attack, in order to control a large number of compromised hosts (bots), botmasters use public Internet services as the communication and control channel (C&C channel). IRC (Internet Relay Chat) is the most popular communication service that botmasters use to send commands to bots. Once bots receive commands from botmasters, they perform the corresponding abnormal action. In this paper, we focus on abnormal IRC traffic analysis; we use two unique characteristics of botnets, "Group Activity" and "Homogeneous Response", to detect abnormal botnet activities in a LAN. We develop an IRC IDS to detect abnormal IRC behavior. In the proposed system, abnormal IRC traffic can be detected and we can (1) identify the infected hosts (bots) before the botmaster launches the final attack (e.g. DDoS or phishing) and (2) find the malicious IRC server in the LAN in real time. The experiments show that the proposed system can indeed detect abnormal IRC traffic and prevent botnet attacks.
44

Su, Shang-Chiuan, and 蘇上全. "Detecting P2P Botnet in Software Defined Network." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/08210034701868158903.

Master's thesis, National Chiao Tung University, Institute of Network Engineering, ROC academic year 103 (2014-15).
Abstract:
With the advance of the Internet, managing network traffic has become hard work for network administrators, especially Peer-to-Peer (P2P) traffic. Most modern botnets also deploy their architecture with P2P structures in order to avoid single-point takedown. Much research has been proposed to detect such P2P botnet threats. However, network administrators have to take care of it when they find victims or attackers. Software Defined Networking (SDN) based on the OpenFlow protocol exports control-plane programmability of switched substrates. As a result, rich functionality in traffic management, load balancing, routing, firewall configuration, etc. that may pertain to the specific flows they control can be easily developed. In SDN, network administrators no longer need to worry about numerous pieces of network equipment. In this paper we propose a novel methodology to detect and categorize P2P network traffic, including P2P botnet and benign P2P traffic, in an SDN architecture. With our system, we can detect and analyze network traffic with machine learning algorithms and automatically and flexibly change flow rules in OpenFlow switches through the SDN controller.
45

Mendonça, Luís Miguel Ferreira Costa. "Botnet detection : a numerical and heuristic analysis." Master's thesis, 2012. http://hdl.handle.net/1822/27852.

Master's dissertation in Informatics Engineering.
Abstract:
Internet security has been targeted in innumerable ways throughout the ages, and Internet cyber criminality has been changing its ways since the old days when attacks were greatly motivated by recognition and glory. A new era of cyber criminals is on the move. Real armies of robots (bots) swarm the Internet perpetrating precise, objective and coordinated attacks on individuals and organizations. Many of these bots are now coordinated by real cybercrime organizations in an almost open-source-driven development, resulting in the fast proliferation of many bot variants with refined capabilities and increased detection complexity. One example of such open-source development could be found during the year 2011 in the Russian criminal underground. The release of the Zeus botnet framework source code led to the development of at least one new and improved botnet framework: Ice IX. Concerning attack tools, the combination of many well-known techniques has been making botnets an untraceable, effective, dynamic and powerful means to perpetrate all kinds of malicious activities such as Distributed Denial of Service (DDoS) attacks, espionage, email spam, malware spreading, data theft, click and identity fraud, among others. Economic and reputation damages are difficult to quantify, but the scale is widening. It is up to one's own imagination to figure out how much was lost in April 2007 when Estonia suffered a well-known distributed attack on its country-wide Internet infrastructure. Among the techniques available to mitigate the botnet threat, detection plays an important role. Despite recent years' evolution in botnet detection technology, a definitive solution is far from being found. Constantly appearing new bot and worm developments in areas such as host infection, deployment, maintenance, control and dissimulation of bots are permanently changing the detection vectors conceived and developed.
In that way, research and implementation of anomaly-based botnet detection systems are fundamental to pinpoint and track all the continuously changing polymorphic botnet variants, which are impossible to identify by simple signature-based systems.
46

Liu, Pang-Wei, and 劉邦威. "An Adaptive Defence Mechanism for P2P Botnet." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/69882761662075962878.

Master's thesis, Chung Yuan Christian University, Department of Information and Computer Engineering, ROC academic year 97 (2008-09).
Abstract:
Botnets have become major threats to the security of the Internet. By implanting malicious bots into computers owned by ordinary users through social engineering tricks, attackers are able to remotely control victim computers to carry out malicious or disturbing operations, such as DDoS attacks or spam mail delivery. Many mechanisms have been proposed to defend against botnets that are controlled through specific command nodes. The strategy adopted by these mechanisms focuses on identifying the command node and blocking messages sent from it. However, the same idea is not applicable to the recently evolved P2P botnets, since any member of a P2P network can take the role of a command node. Therefore, a new mechanism is needed to defend against P2P botnets. In this paper, we propose an adaptive defense mechanism against P2P botnets. By first identifying victim computers within a network environment via multistage monitoring and then stopping potential malicious operations, attackers can no longer utilize victim computers to perform malicious operations.
47

Guo, Quan-Wei, and 郭權緯. "Construction P2P firewall HTTP-Botnet defense mechanism." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/00370799211936894527.

Master's thesis, National Yunlin University of Science and Technology, Department of Information Management (master's program), ROC academic year 98 (2009-10).
Abstract:
The scale of botnets has kept increasing on the Internet in recent years. If there is no corresponding solution, there will be more serious malicious attacks in the future. HTTP botnets use the HTTP protocol. By using the general HTTP protocol and port 80, the attacks not only can be hidden more easily but also pass through firewalls and IDS systems without being detected. In this study, we use the Repeatability Standard Deviation method to detect botnet connections within the HTTP protocol. Furthermore, we use the JXTA P2P network to share the results we have detected, and users can compare the packets of their traffic with the lists of the filtering mechanism. Using the P2P technique to exchange the information we have detected, users who have been infected can find the connections to HTTP botnet servers, and uninfected users can use this information as a comparison sample when there are new packets. Users can use it to determine whether connections are malicious or not, to achieve the purpose of co-defense. The lists of the filtering mechanism allow duplicated packets entering computers to be compared only once with the large blacklist. By using the P2P technique, we can not only decrease the cost of implementation but also make the network more resilient.
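Added example (not the thesis's implementation): the standard-deviation idea above comes down to measuring how constant one client's inter-request intervals to one server are, since a bot polling its C&C on a fixed timer produces a tight spread while browsing does not. The gateway log format, the coefficient-of-variation threshold, the minimum request count and the sample lines are constructed assumptions, not parameters from the thesis.

```python
"""Flag beacon-like HTTP connections from gateway logs by the spread of their
inter-request intervals.

Added illustration of a standard-deviation periodicity check. The log format,
the thresholds and the sample lines are constructed assumptions, not the
method's own parameters.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed gateway log: "<ISO timestamp> <client> <server host> <method> <path>"
# 10.0.0.5 browses a site; 10.0.0.7 posts to the same URL every ~300 s.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example.net GET /lib.js
2024-03-01T10:00:02 10.0.0.5 cdn.example.net GET /app.css
2024-03-01T10:00:47 10.0.0.5 cdn.example.net GET /img/logo.png
2024-03-01T10:03:10 10.0.0.5 cdn.example.net GET /api/news
2024-03-01T10:00:00 10.0.0.7 update.example.org POST /gate.php
2024-03-01T10:05:01 10.0.0.7 update.example.org POST /gate.php
2024-03-01T10:09:59 10.0.0.7 update.example.org POST /gate.php
2024-03-01T10:15:00 10.0.0.7 update.example.org POST /gate.php
2024-03-01T10:20:02 10.0.0.7 update.example.org POST /gate.php
"""


def parse_log(text):
    """Group request timestamps by (client, server) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps, min_requests=4):
    """Return (mean_interval_s, stdev_s, cv) or None if too few requests.

    cv (coefficient of variation) normalises the spread by the mean, so a
    5-minute beacon and a 30-second beacon are judged on the same scale.
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    sigma = pstdev(gaps)
    cv = sigma / mu if mu > 0 else float("inf")
    return mu, sigma, cv


def beacon_candidates(flows, max_cv=0.1, min_requests=4):
    """(client, server) pairs whose intervals are nearly constant (cv <= max_cv)."""
    hits = {}
    for pair, stamps in flows.items():
        stats = interval_stats(stamps, min_requests)
        if stats is not None and stats[2] <= max_cv:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for pair, (mu, sigma, cv) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{pair}: mean={mu:.1f}s stdev={sigma:.1f}s cv={cv:.4f}")
```

On the sample, only the 10.0.0.7 to update.example.org pair is reported (mean 300.5 s, standard deviation 1.5 s). Two caveats a practitioner would add: a bot that randomises its sleep interval inflates the spread and slips under a raw threshold, which is the non-periodic connection problem the Hsieh entry above addresses, and legitimate software updaters and monitoring agents also beacon, so a hit is a triage signal to be combined with destination reputation or the shared lists the abstract describes, not a verdict.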
48

Wei-Cheng Teng and 滕韋呈. "A Ranking-Based Centralized-Botnet Detection Method." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/62w443.

49

Liu, Dai-Kuei, and 劉代奎. "Botnet anomaly detection by Gateway traffic log." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/2a8653.

Master's thesis, National Chiao Tung University, College of Computer Science, Degree Program of Computer Science, ROC academic year 107 (2018-19).
Abstract:
There has been unstoppably growing popularity of Internet and IoT device applications these days; however, as the number of IoT devices extensively and rapidly grows, what follows is the rising security threat from botnets, which has incurred a considerable economic loss, either directly or indirectly, overall up to trillions of US dollars. Therefore, a new major focus in network security nowadays is how to effectively stop botnet infections and prevent their spreading, and even to raise early alerts. The majority of currently available botnet detection software relies heavily on software vendors' continuous updates to remain functional, as that software mostly depends on conventional signature databases to detect botnets, and cannot provide any protection whatsoever on IoT devices. This is why this dissertation proposes a specific networking communication approach, which drives all traffic to pass through gateways and bypasses the conventional requirement for manual "labeling" in machine learning by utilizing an unsupervised learning method to detect anomalies in network communications. Our experiments have found that TCM-KNN can effectively recognize anomalous behaviors from all servers on the Internet and that we can efficaciously improve its categorization results by adding a new protocol feature into the process.
50

Chen, Yi-ling, and 陳怡綾. "IRC-Based Botnet Detection on IRC Server." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/t9rfgf.

Master's thesis, National Sun Yat-sen University, Department of Information Management, ROC academic year 97 (2008-09).
Abstract:
Recently, botnets have become one of the most severe threats on the Internet because they are hard to prevent and cause huge losses. Prior intrusion detection system research focused on traditional threats like viruses, worms or Trojans. However, traditional intrusion detection systems cannot detect botnet activities before botmasters launch the final attack. In a botnet attack, in order to control a large number of compromised hosts (bots), botmasters use public Internet services as the communication and control channel (C&C channel). IRC (Internet Relay Chat) is the most popular communication service that botmasters use to send commands to their bots. Once bots receive commands from botmasters, they perform the corresponding abnormal action. It seems that botnet activities could be detected by observing abnormal IRC traffic. In this paper, we focus on the IRC server, and we use four unique characteristics of abnormal channels, (1) the prefix of botmaster communication in the C&C channel, (2) the response messages of bots, (3) the average response time of bots, and (4) the average message length, to detect abnormal channels on the IRC server. We develop an online IRC IDS to detect abnormal IRC channels. In the proposed system, abnormal IRC channels can be detected and we can (1) identify the infected hosts (bots) and the botmaster in the C&C channel, (2) track back the IPs of the bots and the botmaster, (3) identify bots before botmasters launch the final attack, and (4) find the pattern of the abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channels and find the bots and the botmaster.
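Added example serving both IRC entries in this list (Tseng, no. 43, and Chen, no. 50); it is not code from either thesis. It computes, per channel, the features the two abstracts name: a command prefix, group activity (how many of the other members answer a command within a short window), homogeneous response (how alike those answers are), average response time and average message length, and flags channels where a command reliably draws near-identical answers from most members. The prefix characters, the response window, the thresholds, the log format and the log lines are constructed assumptions.

```python
"""Score IRC channels for bot-like behaviour from a server-side message log.

Added illustration of the channel features named in the two IRC abstracts
(command prefix, group activity, homogeneous response, response time, message
length). Thresholds, the command-prefix set, the response window, the log
format and the sample lines are constructed assumptions, not values from
either thesis.
"""
import re
from collections import Counter, defaultdict

COMMAND_PREFIXES = ".!@"   # assumed characters a botmaster prefixes commands with
RESPONSE_WINDOW_S = 5      # assumed: replies this soon after a command count as responses

# Constructed log: "HH:MM:SS #channel nick message". #linux is a chat channel;
# #h4x shows a controller whose commands draw uniform replies from four bots.
SAMPLE_LOG = """\
10:00:00 #linux alice !seen dave
10:00:02 #linux bob he was here yesterday afaik
10:00:21 #linux carol had a wifi regression on 6.8, reverted it
10:00:35 #linux erin same here, iwlwifi?
10:00:50 #linux alice thanks all
10:01:05 #linux frank which firmware version?
10:00:00 #h4x master .scan 203.0.113.0/24 445
10:00:01 #h4x bot01 [SCAN]: scanning 203.0.113.0/24:445 started
10:00:01 #h4x bot02 [SCAN]: scanning 203.0.113.0/24:445 started
10:00:02 #h4x bot03 [SCAN]: scanning 203.0.113.0/24:445 started
10:00:02 #h4x bot04 [SCAN]: scanning 203.0.113.0/24:445 started
10:00:30 #h4x master .ddos 198.51.100.7 80 60
10:00:31 #h4x bot01 [DDoS]: flooding 198.51.100.7:80 for 60s
10:00:31 #h4x bot02 [DDoS]: flooding 198.51.100.7:80 for 60s
10:00:32 #h4x bot03 [DDoS]: flooding 198.51.100.7:80 for 60s
"""


def parse_log(text):
    """Group (seconds-of-day, nick, message) tuples by channel, in log order."""
    channels = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, chan, nick, msg = line.split(maxsplit=3)
        h, m, s = (int(x) for x in ts.split(":"))
        channels[chan].append((h * 3600 + m * 60 + s, nick, msg))
    return channels


def normalize(msg):
    """Collapse digits so replies that differ only in numbers share a template."""
    return re.sub(r"\d+", "#", msg.lower())


def _avg(xs):
    return sum(xs) / len(xs) if xs else 0.0


def channel_features(msgs):
    members = {nick for _, nick, _ in msgs}
    # Feature (1): messages carrying a command prefix are treated as commands.
    commands = [(t, n, m) for t, n, m in msgs if m[0] in COMMAND_PREFIXES]
    activity, homogeneity, delays, commanders = [], [], [], set()
    for ct, cnick, _ in commands:
        replies = [(t, n, m) for t, n, m in msgs
                   if n != cnick and ct < t <= ct + RESPONSE_WINDOW_S]
        responders = {n for _, n, _ in replies}
        others = len(members) - 1
        # Group activity: share of the other members who answered in the window.
        activity.append(len(responders) / others if others else 0.0)
        # Feature (3): how quickly the answers came.
        delays.extend(t - ct for t, _, _ in replies)
        # Homogeneous response: share of answers matching the commonest template
        # (only meaningful with at least two answers).
        if len(replies) >= 2:
            top = Counter(normalize(m) for _, _, m in replies).most_common(1)[0][1]
            homogeneity.append(top / len(replies))
        if responders:
            commanders.add(cnick)
    return {
        "members": len(members),
        "commands": len(commands),
        "group_activity": _avg(activity),
        "homogeneity": _avg(homogeneity),
        "avg_response_s": _avg(delays),
        "avg_msg_len": _avg([len(m) for _, _, m in msgs]),   # feature (4)
        "commanders": sorted(commanders),                    # candidate botmasters
    }


def is_bot_channel(feat, min_activity=0.6, min_homogeneity=0.6):
    """Assumed cut-offs: most members answer, and answer alike."""
    return (feat["commands"] > 0 and feat["group_activity"] >= min_activity
            and feat["homogeneity"] >= min_homogeneity)


def analyze(text):
    return {chan: channel_features(msgs) for chan, msgs in parse_log(text).items()}


if __name__ == "__main__":
    for chan, feat in analyze(SAMPLE_LOG).items():
        print(chan, "BOT" if is_bot_channel(feat) else "ok", feat)
```

On the sample, #h4x scores group activity 0.875 and homogeneity 1.0 with "master" as the only commander, while #linux, where one "!seen" query draws a single human reply, stays below both thresholds. Run against a real server log, the same loop also gives the per-nick list the Chen abstract wants for tracing bots and the botmaster, with the usual caveat that legitimate channel bots (logging or game bots answering "!" commands) produce the same prefix-plus-uniform-reply shape and need whitelisting.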