Karwan Mustafa Kareem

2024-05-12

Abstract:Onion routing networks, also known as darknets, are private networks that enable anonymous communication over the Internet. They are used by individuals and organizations to protect their privacy, but they also attract cybercriminals who exploit the anonymity provided by these networks for illegal activities. This paper comprehensively analyzes cybercrime threats and countermeasures in onion routing networks. We review the various types of cybercrime that occur in these networks, including drug trafficking, fraud, hacking, and other illicit activities. We then discuss the challenges associated with detecting and mitigating cybercrime in onion routing networks, such as the difficulty of tracing illegal activities back to their source due to the strong anonymity guarantees provided by these networks. We also explore the countermeasures that have been proposed and implemented to combat cybercrime in onion routing networks, including law enforcement efforts, technological solutions, and policy interventions. Finally, we highlight the limitations of existing countermeasures and identify potential directions for future research in this area, including the need for interdisciplinary approaches that combine technical, legal, and social perspectives to effectively combat cybercrime in onion routing networks.

Cryptography and Security,Networking and Internet Architecture

Norah Abokhodair,Daisy Yoo,David W. McDonald

DOI: https://doi.org/10.1145/2675133.2675208

2016-04-13

Abstract:Social botnets have become an important phenomenon on social media. There are many ways in which social bots can disrupt or influence online discourse, such as, spam hashtags, scam twitter users, and astroturfing. In this paper we considered one specific social botnet in Twitter to understand how it grows over time, how the content of tweets by the social botnet differ from regular users in the same dataset, and lastly, how the social botnet may have influenced the relevant discussions. Our analysis is based on a qualitative coding for approximately 3000 tweets in Arabic and English from the Syrian social bot that was active for 35 weeks on Twitter before it was shutdown. We find that the growth, behavior and content of this particular botnet did not specifically align with common conceptions of botnets. Further we identify interesting aspects of the botnet that distinguish it from regular users.

Computers and Society,Computation and Language,Social and Information Networks

Yang Yang,Christophe Leung

DOI: https://doi.org/10.48550/arXiv.1512.06447

2015-12-21

Abstract:In this paper, we explore various technologies and their roles in subverting the privacy infrastructure of the Internet. We also provide mitigation techniques on the attack vectors the technologies provide, and assess the overall severity of these threats.

Cryptography and Security

Morteza Safaei Pour,Antonio Mangino,Kurt Friday,Matthias Rathbun,Elias Bou-Harb,Farkhund Iqbal,Sagar Samtani,Jorge Crichigno,Nasir Ghani

DOI: https://doi.org/10.1016/j.cose.2019.101707

2020-04-01

Abstract:The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructures. The highly heterogeneous nature of IoT devices and their widespread deployments has led to the rise of several key security and measurement-based challenges, significantly crippling the process of collecting, analyzing and correlating IoT-centric data. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomena. The proposed work aims to classify and infer Internet-scale compromised IoT devices by solely observing one-way network traffic, while also uncovering, reporting and thoroughly analyzing "in the wild" IoT botnets. To prepare a relevant dataset, a novel probabilistic model is developed to cleanse unrelated traffic by removing noise samples (i.e., misconfigured network traffic). Subsequently, several shallow and deep learning models are evaluated in an effort to train an effective multi-window convolutional neural network. By leveraging active and passing measurements when generating the training dataset, the neural network aims to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is employed by scrutinizing a set of innovative and efficient network feature sets. Analyzing 3.6 TB of recently captured darknet traffic revealed a momentous 440,000 compromised IoT devices and generated evidence-based artifacts related to 350 IoT botnets. Moreover, by conducting thorough analysis of such inferred campaigns, we reveal their scanning behaviors, packet inter-arrival times, employed rates and geo-distributions. Although several campaigns exhibit significant differences in these aspects, some are more distinguishable; by being limited to specific geo-locations or by executing scans on random ports besides their core targets. While many of the inferred botnets belong to previously documented campaigns such as Hide and Seek, Hajime and Fbot, newly discovered events portray the evolving nature of such IoT threat phenomena by demonstrating growing cryptojacking capabilities or by targeting industrial control services. To motivate empirical (and operational) IoT cyber security initiatives as well as aid in reproducibility of the obtained results, we make the source codes of all the developed methods and techniques available to the research community at large.

computer science, information systems

Jeremy Kepner,Jonathan Bernays,Stephen Buckley,Kenjiro Cho,Cary Conrad,Leslie Daigle,Keeley Erhardt,Vijay Gadepally,Barry Greene,Michael Jones,Robert Knake,Bruce Maggs,Peter Michaleas,Chad Meiners,Andrew Morris,Alex Pentland,Sandeep Pisharody,Sarah Powazek,Andrew Prout,Philip Reiner,Koichi Suzuki,Kenji Takahashi,Tony Tauber,Leah Walker,Douglas Stetson

DOI: https://doi.org/10.48550/arXiv.2201.06068

2022-01-16

Abstract:Adversarial Internet robots (botnets) represent a growing threat to the safe use and stability of the Internet. Botnets can play a role in launching adversary reconnaissance (scanning and phishing), influence operations (upvoting), and financing operations (ransomware, market manipulation, denial of service, spamming, and ad click fraud) while obfuscating tailored tactical operations. Reducing the presence of botnets on the Internet, with the aspirational target of zero, is a powerful vision for galvanizing policy action. Setting a global goal, encouraging international cooperation, creating incentives for improving networks, and supporting entities for botnet takedowns are among several policies that could advance this goal. These policies raise significant questions regarding proper authorities/access that cannot be answered in the abstract. Systems analysis has been widely used in other domains to achieve sufficient detail to enable these questions to be dealt with in concrete terms. Defeating botnets using an observe-pursue-counter architecture is analyzed, the technical feasibility is affirmed, and the authorities/access questions are significantly narrowed. Recommended next steps include: supporting the international botnet takedown community, expanding network observatories, enhancing the underlying network science at scale, conducting detailed systems analysis, and developing appropriate policy frameworks.

Cryptography and Security,Computers and Society,Networking and Internet Architecture,Social and Information Networks

Mehdi Asadi,Mohammad Ali Jabraeil Jamali,Arash Heidari,Nima Jafari Navimipour

DOI: https://doi.org/10.1002/ett.5056

IF: 3.6

2024-10-22

Transactions on Emerging Telecommunications Technologies

Abstract:ABSTRACT Botnets have emerged as a significant internet security threat, comprising networks of compromised computers under the control of command and control (C&C) servers. These malevolent entities enable a range of malicious activities, from denial of service (DoS) attacks to spam distribution and phishing. Each bot operates as a malicious binary code on vulnerable hosts, granting remote control to attackers who can harness the combined processing power of these compromised hosts for synchronized, highly destructive attacks while maintaining anonymity. This survey explores botnets and their evolution, covering aspects such as their life cycles, C&C models, botnet communication protocols, detection methods, the unique environments botnets operate in, and strategies to evade detection tools. It analyzes research challenges and future directions related to botnets, with a particular focus on evasion and detection techniques, including methods like encryption and the use of covert channels for detection and the reinforcement of botnets. By reviewing existing research, the survey provides a comprehensive overview of botnets, from their origins to their evolving tactics, and evaluates how botnets evade detection and how to counteract their activities. Its primary goal is to inform the research community about the changing landscape of botnets and the challenges in combating these threats, offering guidance on addressing security concerns effectively through the highlighting of evasion and detection methods. The survey concludes by presenting future research directions, including using encryption and covert channels for detection and strategies to strengthen botnets. This aims to guide researchers in developing more robust security measures to combat botnets effectively.

telecommunications

Haoyu Gao,Leixiao Li,Xiangyang Chang,Jianxiong Wan,Jie Li,Jinze Du,Xiaoxu Zhang

DOI: https://doi.org/10.3390/electronics11071065

IF: 2.9

2022-03-28

Electronics

Abstract:Although the traditional P2P botnet has significant resilience against termination, its dependence on neighbor lists (NL) has left it vulnerable to infiltration and destruction. In addition, it is not sufficient in protecting the botmaster’s identity. To overcome these weaknesses, we proposed BlockchainBot, a botnet model that leveraged IoT devices as maintainers, and integrated blockchain, also known as distributed ledger technology (DLT). The BlockchainBot was able to fully deploy bots on public blockchains. It was versatile for multiple botnet applications and eliminated the dependence on NL. In addition, we further introduced a novel method, the forking of a channel, to kick out spy nodes that infiltrate a botnet. To further enforce the resistance against a single point of failure (SPoF), we introduced bot-cluster dispersing to prevent clustering around full nodes and more evenly scatter bots to prevent hostile takeovers. The analysis of the security of BlockchainBot indicated that it had strong resilience against DDoS attacks, Sybil attacks, and forensic investigations. Furthermore, the security of the forking of the channel and bot-cluster dispersing were also shown to be effective. The robustness of the BlockchainBot against the Sybil attack was also briefly discussed. Experimental results authenticated the effectiveness and performance of the BlockchainBot, as compared to previous models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ben Nassi,Moshe Sror,Ido Lavi,Yair Meidan,Asaf Shabtai,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1808.02131

2018-08-06

Cryptography and Security

Abstract:The current generation of IoT devices is being used by clients and consumers to regulate resources (such as water and electricity) obtained from critical infrastructure (such as urban water services and smart grids), creating a new attack vector against critical infrastructure. In this research we show that smart irrigation systems, a new type of green technology and IoT device aimed at saving water and money, can be used by attackers as a means of attacking urban water services. We present a distributed attack model that can be used by an attacker to attack urban water services using a botnet of commercial smart irrigation systems. Then, we show how a bot running on a compromised device in a LAN can:(1) detect a connected commercial smart irrigation system (RainMachine, BlueSpray, and GreenIQ) within 15 minutes by analyzing LAN's behavior using a dedicated classification model, and (2) launch watering via a commercial smart irrigation system according to an attacker's wishes using spoofing and replay attacks. In addition, we model the damage that can be caused by performing such an attack and show that a standard water tower can be emptied in an hour using a botnet of 1,355 sprinklers and a flood water reservoir can be emptied overnight using a botnet of 23,866 sprinklers. Finally, we discuss countermeasure methods and hypothesize whether the next generation of plumbers will use Kali Linux instead of a monkey wrench.

Emmanouil Vasilomanolakis,Jan Helge Wolf,Leon Böck,Shankar Karuppayah,Max Mühlhäuser

DOI: https://doi.org/10.48550/arXiv.1712.03713

2017-12-11

Abstract:Defending against botnets has always been a cat and mouse game. Cyber-security researchers and government agencies attempt to detect and take down botnets by playing the role of the cat. In this context, a lot of work has been done towards reverse engineering certain variants of malware families as well as understanding the network protocols of botnets to identify their weaknesses (if any) and exploit them. While this is necessary, such an approach offers the botmasters the ability to quickly counteract the defenders by simply performing small changes in their arsenals. We attempt a different approach by actually taking the role of the Botmaster, to eventually anticipate his behavior. That said, in this paper, we present a novel computational trust mechanism for fully distributed botnets that allows for a resilient and stealthy management of the infected machines (zombies). We exploit the highly researched area of computational trust to create an autonomous mechanism that ensures the avoidance of common botnet tracking mechanisms such as sensors and crawlers. In our futuristic botnet, zombies are both smart and cautious. They are cautious in the sense that they are careful with whom they communicate with. Moreover, they are smart enough to learn from their experiences and infer whether their fellow zombies are indeed who they claim to be and not government agencies' spies. We study different computational trust models, mainly based on Bayesian inference, to evaluate their advantages and disadvantages in the context of a distributed botnet. Furthermore, we show, via our experimental results, that our approach is significantly stronger than any technique that has been seen in botnets to date.

Cryptography and Security

Ashley Woodiss-Field,Michael N. Johnstone,Paul Haskell-Dowland

DOI: https://doi.org/10.3390/s24031027

IF: 3.9

2024-02-06

Sensors

Abstract:A botnet is a collection of Internet-connected computers that have been suborned and are controlled externally for malicious purposes. Concomitant with the growth of the Internet of Things (IoT), botnets have been expanding to use IoT devices as their attack vectors. IoT devices utilise specific protocols and network topologies distinct from conventional computers that may render detection techniques ineffective on compromised IoT devices. This paper describes experiments involving the acquisition of several traditional botnet detection techniques, BotMiner, BotProbe, and BotHunter, to evaluate their capabilities when applied to IoT-based botnets. Multiple simulation environments, using internally developed network traffic generation software, were created to test these techniques on traditional and IoT-based networks, with multiple scenarios differentiated by the total number of hosts, the total number of infected hosts, the botnet command and control (CnC) type, and the presence of aberrant activity. Externally acquired datasets were also used to further test and validate the capabilities of each botnet detection technique. The results indicated, contrary to expectations, that BotMiner and BotProbe were able to detect IoT-based botnets—though they exhibited certain limitations specific to their operation. The results show that traditional botnet detection techniques are capable of detecting IoT-based botnets and that the different techniques may offer capabilities that complement one another.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Paul Syverson,Matthew Finkel,Saba Eskandarian,Dan Boneh

DOI: https://doi.org/10.1145/3463676.3485610

2021-11-15

Abstract:Onion addresses encode their own public key. They are thus self-authenticating, one of the security and privacy advantages of onion services, which are typically accessed via Tor Browser. Because of the mostly random-looking appearance of onion addresses, a number of onion discovery mechanisms have been created to permit routing to an onion address associated with a more meaningful URL, such as a registered domain name. We describe novel vulnerabilities engendered by onion discovery mechanisms recently introduced by Tor Browser that facilitate hijack and tracking of user connections. We also recall previously known hijack and tracking vulnerabilities engendered by use of alternative services that are facilitated and rendered harder to detect if the alternative service is at an onion address. Self-authenticating traditional addresses (SATAs) are valid DNS addresses or URLs that also contain a commitment to an onion public key. We describe how the use of SATAs in onion discovery counters these vulnerabilities. SATAs also expand the value of onion discovery by facilitating self-authenticated access from browsers that do not connect to services via the Tor network.

Yukun He,Guangyan Zhang,Jie Wu,Qiang Li

DOI: https://doi.org/10.1002/sec.1475

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:The security implications of social bots are evident in consideration of the fact that data sharing and propagation functionality are well integrated with social media sites. Existing social bots primarily use Really Simple Syndication and OSN online social network application program interface to communicate with OSN servers. Researchers have profiled their behaviors well and have proposed various mechanisms to defend against them. We predict that a web test automation rootkit WTAR is a prospective approach for designing malicious social bots. In this paper, we first present the principles of designing WTAR-based social bots. Second, we implement three WTAR-based bot prototypes on Facebook, Twitter, and Weibo. Third, we validate this new threat by analyzing behaviors of the prototypes in a lab environment and on the Internet, and analyzing reports from widely-used antivirus software. Our analyses show that WTAR-based social bots have the following features: i they do not connect to OSN directly, and therefore produce few network flows; ii they can log in to OSNs easily and perform a variety of social activities; iii they can mimic the behaviors of a human user on an OSN. Finally, we propose several possible mechanisms in order to defend against WTAR-based social bots. Copyright © 2016 John Wiley & Sons, Ltd.

Tian Yunfan,Zhang Xiang

DOI: https://doi.org/10.48550/arXiv.1812.06226

2018-12-15

Abstract:Over the last two decades, the scale and complexity of Anonymous networks and its associated technologies grows exponentially as privacy has become a major concern of individuals. Also, some cyber attackers make use of privacy infrastructures including botnets and Tor to do illegal activities like drug, contraband or DDoS attack. However, anonymous networks are not perfect, there are some methods could exploit the vulnerabilities and track user information. In this paper, we analyze few of privacy infrastructures and their vulnerabilities.

Cryptography and Security

Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Farhan Sadique,Shamik Sengupta

DOI: https://doi.org/10.1109/ICC42927.2021.9500859

2021-06-09

Abstract:Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of botnet is shown to be effective against a wide variety of attack types. Current works, however, focus solely on analyzing network traffic from and to the bots. In this work we take a different approach of analyzing the chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells to collect a large dataset of commands. We have further developed an automated mechanism to analyze these data. For the automation we have developed a system called CYbersecurity information Exchange with Privacy (CYBEX-P). Finally, we have done a sequential analysis on the dataset to show that we can successfully predict attacker behavior from the shell commands without analyzing network traffic like previous works.

Cryptography and Security

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1145/1533057.1533063

2009-01-01

Abstract:Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Philipp Winter,Anne Edmundson,Laura M. Roberts,Agnieszka Dutkowska-Zuk,Marshini Chetty,Nick Feamster

DOI: https://doi.org/10.48550/arXiv.1806.11278

2018-06-29

Abstract:Onion services are anonymous network services that are exposed over the Tor network. In contrast to conventional Internet services, onion services are private, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. In this paper, we study how people perceive, understand, and use onion services based on data from 17 semi-structured interviews and an online survey of 517 users. We find that users have an incomplete mental model of onion services, use these services for anonymity and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them. Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, more clear security indicators, and ways to manage onion domain names that are difficult to remember.

Cryptography and Security

Bruno Miller,Xihui Zhang

DOI: https://doi.org/10.48009/3_iis_2020_168-178

2020-01-01

Issues in Information Systems

Abstract:As the Internet of Things (IoT) becomes ubiquitous and cybersecurity attacks rapidly evolve, IoT devices must be secured.Their infection can lead to compromised networks, stolen information, service disruptions, and botnet attacks.Botnet attacks, such as Distributed Denial of Service (DDoS), strengthen with larger numbers of devices and IoT devices make great targets for this reason.As IoT devices grow in number, the strength and risk of these massive attacks grow.Infamous botnet attacks, such as Mirai, have proven this to be a serious threat.IoT security faces unique challenges including detection difficulties, device limitations, and user attitudes and education.This paper reviews and analyzes 21 articles providing information on tools and techniques for securing IoT devices against these threats.A multi-layer approach to IoT-botnet detection and prevention is suggested consisting of: the outer layer consisting of ISP architecture; the middle layer consisting of advanced detection methods and DDoS detection and mitigation; and the inner layer consisting of user attitudes, education, and security best practices.By addressing security challenges at multiple points along the botnet lifecycle and within each layer, our proposed approach provides a holistic strategy for detecting and preventing botnet attacks.

Sajjad Arshad,Maghsoud Abbaspour,Mehdi Kharrazi,Hooman Sanatkar

DOI: https://doi.org/10.1109/ICCAIE.2011.6162198

2018-11-02

Abstract:Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive.

Cryptography and Security

Sergio Vidal-González,Isaías García-Rodríguez,Héctor Aláiz-Moretón,Carmen Benavides-Cuéllar,José Alberto Benítez-Andrades,María Teresa García-Ordás,Paulo Novais

DOI: https://doi.org/10.1007/978-3-030-45691-7_30

2020-01-01

Abstract:The increasing number of Internet of Things devices, and their limited built-in security, has led to a scenario where many of the most powerful and dangerous botnets nowadays are comprised of these type of compromised devices, being the source of the most important distributed denial of service attacks in history. This work proposes a solution for monitoring and studying IoT-based botnet malware activity by using a distributed system of low interaction honeypots implementing Telnet and SSH remote access services, that are used to manage the majority of IoT devices in the home environment like routers, cameras, printers and other appliances. The solution captures and displays real-time data coming from different honeypots at different locations worldwide, allowing the logging and study of the different connections and attack methodologies, and obtaining samples of the distributed malware. All the information gathered is stored for later analysis and categorization, resulting in a low-cost and relatively simple threat information and forecasting system regarding IoT botnets.