JIANG Jian,ZHUGE Jian-Wei,DUAN Hai-Xin,WU Jian-Ping

DOI: https://doi.org/10.3724/sp.j.1001.2012.04101

2012-01-01

Abstract:Botnets are one of the most serious threats to the Internet.Researchers have done plenty of research and made significant progress.However, botnets keep evolving and have become more and more sophisticated.Due to the underlying security limitation of current system and Internet architecture, and the complexity of botnet itself, how to effectively counter the global threat of botnets is still a very challenging issue.This paper first introduces the evolving of botnet's propagation, attack, command, and control mechanisms.Then the paper summarizes recent advances of botnet defense research and categorizes into five areas: Botnet monitoring, botnet infiltration, analysis of botnet characteristics, botnet detection and botnet disruption.The limitation of current botnet defense techniques, the evolving trend of botnet, and some possible directions for future research are also discussed.

LI Qing-peng,ZHENG Lian-qing,YANG Tong,ZHANG Chuan-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.01.016

2012-01-01

Abstract:For the sake of defensing Botnets,methods of bot programming and network structures are researched.A bot is designed by analyzing the functional structure and working mechanism of Botnet.The program is broken down into four modules that are scan module,exploit module,upload module and communicate module.Then the four modules are implemented by programming,and performance of bot is tested in lab environment,the data show that,botnet can achieve the desired results.Finally,some kinds of prevention measures are presented.

Donghong Sun,Xuefeng Li,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/ctc.2010.16

2010-01-01

Abstract:A widespread botnet is often used to carry cyber attacks, which results in serious threats to networks and properties. The application of combining botnets and P2P technology is powerful but complicated. This paper shows the differences of control mechanisms, running functions and working performance between central-controlled botnets and P2P-conctrolled botnets by analysis of several famous botnets. Futher more, This paper also reseaches on Command-and- Control (C&C) mechanism which works as the core component of botnets' architecture, giving out the definition and evaluation parameters of this mechanism, finally proposing a new architecture. It is useful to finding vulnerabilities of P2P botnets and guiding defenders to design effective detection and defending methods.

Xuefeng Li,Haixin Duan,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/icgcs.2010.5543027

2010-01-01

Abstract:Nowadays Botnets have been identified as one of the most serious threats to network security, especially the peer-to-peer (P2P)based Botnets. Security experts destroy the botnets by target-attacking the weaknesses of high degree nodes or high betweens edges of the botnets. To make this work, the security experts need to know the features of the topology of botnets. But, topics such as how botnets' topology is formed and what the features of botnets' topology are are rarely studied up to now. Inspired by the method of complex network, we propose the growing model of botnets to try to resolve these questions. As far as we know, the growing model of Botnets has not been studied. Here, we focuse on the network metrics of Botnets, present a growing model of Botnets and discusse the performance of Botnets when their topology construction parameters change.

Jing Zhuge,Thorsten Holz,Xinhui Han,Jinpeng Guo,Wei Zou

2007-01-01

Abstract:Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command \& Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

SUN Yan-dong,LI Dong

2006-01-01

Abstract:The Botnet is a network which is composed of bots.All bots can communicate with the attacker and are controled by it.The Botnet has become a tremendous threat of our Internet.The damage of the Botnet is very serious,because the number of PCs of the Botnet is very large.The definition,the history and the damage caused by the Botnet were described.Several methods for studying the Botnet were introduced and the measures to cope with it were given.The trends of the Botnet were analyzed briefly

Junfeng Yu,Zhitang Li,Jun Hu,Feng Liu,Lingyun Zhou

DOI: https://doi.org/10.1109/nswctc.2009.289

2009-01-01

Abstract:Due to the steady evolution and increase in sophistication of peer to peer botnets, it is necessary to understand the structural potential in this type of intruder tool. We formally model the P2P botnets with the help of complex systems. We propose metrics to measure the structural potential of different types of P2P botnets. We also propose a simulative framework to investigate the robustness of P2P botnets in face of various targeted response. In particular, We have shown that naive defenses don’t work. Simply randomly remove infected nodes does not slow down the attacker much, regardless of whether the connectivity between peer bots follows a random or scale-free pattern. We found that the degree based response on P2P botnets offer best approach. Our works also show that the simulation approach revealed some invariant properties of the P2P botnets and open an insight about functional aspects of their topology in terms of robustness and communication efficiency.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Zhitang Li,Jun Hu,Zhengbing Hu,Bingbing Wang,Liang Tang,Xin Yi

DOI: https://doi.org/10.4304/jnw.5.1.98-105

2010-01-01

Journal of Networks

Abstract:Botnets have become one of the most serious threats to the Internet. They are now the key platform for many Internet attacks, such as spa m, distributed denial-of-service(DDoS), and we call these attacks “the second character of bots”. I n this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam nodes traffic properties. M easurement of botnets is an important and challenging work. H owever, most existing approaches work only o n specific botnet command and control (c&c) protocols (e.g., IRC) and structures (e.g., centralized). I n this paper, we present two measurement frameworks (MFNL and MFAL) that based on the second character of bots to measure the size of the botnet. W e have easily implemented our prototype system and evaluated it using many real network traces , and we also compare these two app r oaches from several points.

HAN Xin-hui,GUO Jin-peng,ZHOU Yong-lin,ZHUGE Jian-wei,ZOU Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.029

2007-01-01

Abstract:Botnets have become the first-choice attack platform for the network attackers to launch distributed denial of service attacks,steal sensitive information and send spam.They have raised serious threats to normal operation of the Internet and the benefits of the Internet users.The investigation on the wild botnets activities is the necessary for the fur-ther monitering and countermeasure against world-wide botnets.Based on the investigation and analysis on tracking re-cords of 1 961 wild botnets,it shows the statistical results of botnet activities,including amount of botnets,command and control channel distributions,botnet size and end-host distributions,and various types of botnet attack activities.

Shuhao Li,Xiaochun Yun,Zhiyu Hao,Yongzheng Zhang,Xiang Cui,Yipeng Wang

DOI: https://doi.org/10.1007/978-3-642-30436-1_22

2012-01-01

Abstract:In recent years, widely spreading botnets in social networks are becoming a major security threat to both social networking services and the privacy of their users. In order to have a better understanding of the dynamics of these botnets, defenders should model the process of their propagation. However, previous studies on botnet propagation model have tended to focus solely on characterizing the vulnerability propagation on one infection domain, and left two key properties (cross-domain mobility and user dynamics) untouched. In this paper, we formalize a new propagation model to reveal the general infection process of social engineering botnets in multiple social networks. This proposed model is based on stochastic process, and investigates two important factors involved in botnet propagation: (i) bot spreading across multiple domains, and (ii) user behaviors in social networks. Furthermore, with statistical data obtained from four real-world social networks, a botnet simulation platform is built based on OMNeT++ to test the validity of our model. The experimental results indicate that our model can accurately predict the infection process of these new advanced botnets with less than 5% deviation.

Jianping Wu

2012-01-01

Abstract:The key problems in the construction of P2P-botnets are how to identify the honeynet(the network of honeypots) and how to avoid integrating the honeypots into the P2P-botnet.P2P-botnet construction includes propagation,node joining,and topology construction.This paper presents a construction method for a honeynet-aware P2P-botnet based on three modules.The propagation module includes the monitoring nodes in the designed attack list.The node joining module differentiates botnet nodes from the honeypot.The topology construction module constructs the topology of the P2P-botnet using a genetic algorithm.The construction mechanism effectively identifies the honeypots,constructs the P2P-botnet propagation model,and compares it with the honeypot-aware botnet model.The results show that this method is more efficient for certain conditions.Methods are given to defend against honeynet-aware attacks.

Haoyu Gao,Leixiao Li,Xiangyang Chang,Jianxiong Wan,Jie Li,Jinze Du,Xiaoxu Zhang

DOI: https://doi.org/10.3390/electronics11071065

IF: 2.9

2022-03-28

Electronics

Abstract:Although the traditional P2P botnet has significant resilience against termination, its dependence on neighbor lists (NL) has left it vulnerable to infiltration and destruction. In addition, it is not sufficient in protecting the botmaster’s identity. To overcome these weaknesses, we proposed BlockchainBot, a botnet model that leveraged IoT devices as maintainers, and integrated blockchain, also known as distributed ledger technology (DLT). The BlockchainBot was able to fully deploy bots on public blockchains. It was versatile for multiple botnet applications and eliminated the dependence on NL. In addition, we further introduced a novel method, the forking of a channel, to kick out spy nodes that infiltrate a botnet. To further enforce the resistance against a single point of failure (SPoF), we introduced bot-cluster dispersing to prevent clustering around full nodes and more evenly scatter bots to prevent hostile takeovers. The analysis of the security of BlockchainBot indicated that it had strong resilience against DDoS attacks, Sybil attacks, and forensic investigations. Furthermore, the security of the forking of the channel and bot-cluster dispersing were also shown to be effective. The robustness of the BlockchainBot against the Sybil attack was also briefly discussed. Experimental results authenticated the effectiveness and performance of the BlockchainBot, as compared to previous models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Mehdi Asadi,Mohammad Ali Jabraeil Jamali,Arash Heidari,Nima Jafari Navimipour

DOI: https://doi.org/10.1002/ett.5056

IF: 3.6

2024-10-22

Transactions on Emerging Telecommunications Technologies

Abstract:ABSTRACT Botnets have emerged as a significant internet security threat, comprising networks of compromised computers under the control of command and control (C&C) servers. These malevolent entities enable a range of malicious activities, from denial of service (DoS) attacks to spam distribution and phishing. Each bot operates as a malicious binary code on vulnerable hosts, granting remote control to attackers who can harness the combined processing power of these compromised hosts for synchronized, highly destructive attacks while maintaining anonymity. This survey explores botnets and their evolution, covering aspects such as their life cycles, C&C models, botnet communication protocols, detection methods, the unique environments botnets operate in, and strategies to evade detection tools. It analyzes research challenges and future directions related to botnets, with a particular focus on evasion and detection techniques, including methods like encryption and the use of covert channels for detection and the reinforcement of botnets. By reviewing existing research, the survey provides a comprehensive overview of botnets, from their origins to their evolving tactics, and evaluates how botnets evade detection and how to counteract their activities. Its primary goal is to inform the research community about the changing landscape of botnets and the challenges in combating these threats, offering guidance on addressing security concerns effectively through the highlighting of evasion and detection methods. The survey concludes by presenting future research directions, including using encryption and covert channels for detection and strategies to strengthen botnets. This aims to guide researchers in developing more robust security measures to combat botnets effectively.

telecommunications

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

WANG Xuan-chun,ZHANG Zhao-xin,LI Bin,XU Zheng

DOI: https://doi.org/10.3969/j.issn.2095-6835.2011.02.056

2011-01-01

Abstract:By analyzing the implementation mechanism and principles of protocol adding of PDNS, and the botnet command controlling and communication on IRC protocol, this paper presents an abstract botnet model on PDNS. The botnet, worm and DDoS security events are combined on PDNS with different strategies, and it can simulate the spreading, controlling and attacking procedure of large-scale botnet easily. Experimental results show that the botnet model on PDNS can predict the botnet according to different scanning strategies, and it can provide specific data support for predicting network security trend.

Qian Wang,Zesheng Chen,Chao Chen

DOI: https://doi.org/10.48550/arXiv.1001.1195

2010-07-18

Abstract:Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit new bots. In this work, we attempt to quantify the infection ability of individual hosts and reveal the key characteristics of the underlying topology formed by worm infection, i.e., the number of children and the generation of the worm infection family tree. Specifically, we first apply probabilistic modeling methods and a sequential growth model to analyze the infection tree of a wide class of worms. We analytically and empirically find that the number of children has asymptotically a geometric distribution with parameter 0.5. As a result, on average half of infected hosts never compromise any vulnerable host, over 98% of infected hosts have no more than five children, and a small portion of infected hosts have a large number of children. We also discover that the generation follows closely a Poisson distribution and the average path length of the worm infection family tree increases approximately logarithmically with the total number of infected hosts. Next, we empirically study the infection structure of localized-scanning worms and surprisingly find that most of the above observations also apply to localized-scanning worms. Finally, we apply our findings to develop bot detection methods and study potential countermeasures for a botnet (e.g., Conficker C) that uses scan-based peer discovery to form a P2P-based botnet. Specifically, we demonstrate that targeted detection that focuses on the nodes with the largest number of children is an efficient way to expose bots. For example, our simulation shows that when 3.125% nodes are examined, targeted detection can reveal 22.36% bots. However, we also point out that future botnets may limit the maximum number of children to weaken targeted detection, without greatly slowing down the speed of worm infection.

Cryptography and Security

DONG Kai-kun,LIU Yang,GUO Li,DONG Lan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.04.019

2008-01-01

Abstract:Botnet is one of the most serious threats to the security of the Internet nowadays.As compared with IRC Botnets, the control of P2P Botnets is more secure, robust and stealthy. The working principles for typical P2P Botnets are presented.And then the methods for peer discovery of P2P Botnets are classified, and their weak points are analyzed respectively. Based on the analysis, the methods for detecting P2P Botnets are given.

Binbin Wang,Zhitang Li,Dong Li,Feng Liu,Hao Chen

DOI: https://doi.org/10.1109/EBISS.2010.5473532

2010-01-01

Abstract:Botnet has become a prevalent platform for malicious attacks, which poses a significant threat to Internet security. Recently, botnets are inclined to utilize HTTP to route their command and control (C&C) communication instead of using the protocol Internet Relay Chat (IRC). And these web-based C&C bots try to blend into normal HTTP traffic, which makes them more difficult to be identified. In this work, we propose an automatic approach to identify web-based C&C bots by modeling the essential network behavior of web-based bots in supervised network. Experimental results show the proposed approach is very efficient and can detect web-base bots with low false positive ratio.

Binbin Wang,Zhitang Li,Hao Tu,Jie Ma

DOI: https://doi.org/10.1109/ARES.2009.59

2009-01-01

Abstract:Currently, botnets use peer-to-peer (P2P) networks for command and control (C&C) communication. In contrast to traditional centralized-organized botnets, P2P-based botnets do not have a central point of failure for botnets and are consequently more concealable and robust, which degrades the performance of botnet detection approaches significantly. Considering that the C&C flows related to a P2P-based bot exhibit stability on statistical meaning due to the impartial position in botnet and performing pre-programmed control activities automatically, a novel detection approach based on the control flow stability is proposed in this paper. The measurement of control flow stability is firstly derived from the P2P-based C&C case study and the definition of control flow stability. After analyzing the stability of Storm bots and comparing the results to that of normal P2P client, a stability detection algorithm that can tune the accuracy of detecting results is developed. Extensive experimental results show the proposed approach is very efficient and can detect P2P-based botnet with low false positive ratio.