botnet detection
در نشریات گروه برق-
Today, the Internet of Things is expanding due to a wide range of applications and services. The variety of devices connected to the Internet has made discussing security in these networks a challenging issue. Security includes various aspects such as botnets. Botnets are a collection of devices such as smartphones, computers, and other devices infected by a program. This program, which is a herder bot, performs many harmful operations and leads to various anomalies in the network. Identifying botnets is one of the main challenges in IoT security due to their unique complexity. In this article, we have reviewed the botnet detection methods in IoT. Since there are different botnet detection methods in IoT, we need to do detailed research on different botnet detection methods and their strengths and weaknesses. In a way that shows the evolution of these malwares. Concepts such as life cycle, command and control models, communication protocols, botnet protocols, and botnet detection methods are described in this research. In the following, the advantages and disadvantages of botnet detection methods are discussed and these methods are compared.Keywords: Internet of Things, Botnet detection, True positive, Security, Feature extraction
-
بات نتها یکی از محبوبترین انواع بدافزارها در میان مجرمان اینترنتی هستند، به طوریکه اخیرا پایه ی اصلی بیشتر جرایم سایبری بوده اند. اغلب روش های تشخیص بات نت موجود نمی توانند آنها را به صورت بلادرنگ و قبل از مشارکت در یک حمله سایبری، تشخیص دهند. در این مقاله یک سیستم تشخیص بات نت مبتنی بر مدل مخفی مارکوف ارایه می شود. این سیستم قادر به تشخیص بات نت در بازه های زمانی خیلی کوچک از جریان شبکه بدون نیاز به بررسی کل جریان است. همچنین این روش علاوه بر تشخیص بات نت در مراحل اولیه از چرخه حیات، مرحله فعالیت آن (کانال فرمان و کنترل یا حمله) را نیز در هر لحظه تعیین می کند. بات نت BlackEnergy یکی از خطرناک ترین انواع بات نتهای مبتنی بر HTTP است، که در این پژوهش ترافیک شبکه آن مورد تحلیل و بررسی قرار می گیرد. ویژگی های شاخص و الگوهای رفتاری این بات نت در مراحل مختلف چرخه حیاتش استخراج می شود. سپس مدل مخفی مارکوف پیشنهادی جهت تشخیص بات نت BlackEnergy براساس ویژگی ها و الگوهای رفتاری آن ارایه می شود. برای ارزیابی مدل ارایه شده، از مجموعه داده جامع و معتبری از ترافیک شبکه استفاده می شود که نشان می دهد روش پیشنهادی حتی در پنجره های زمانی خیلی کوچک، دقت تشخیص بالایی نسبت به بسیاری از روش های دیگر دارد.
کلید واژگان: تشخیص بات نت، مدل مخفی مارکوف، وقفه زمانی، جریان شبکه، مرحله فرمان و کنترلBotnets are known to be among the most popular malwares in cyber criminals for their practicality in carrying many cyber-crimes as reported in the recent news. While many detection schemes have been developed, botnets remain the most powerful attack platform by constantly and continuously adopting new techniques and strategies. Thus, early identification and timely detection of botnets can take an effective step towards making perfect defense system. Most of existing botnet detection methods cannot detect botnets in real-time and in an early stage of their lifecycle before participating in a cyber-crime. In this work, we propose a novel approach to detect the BlackEnergy botnet traffic using Hidden Markov Model (HMM) within flow Intervals. In BlackEnergy, bots are controlled by attackers under a HTTP base command and control (C&C) infrastructure. First we analysis BlackEnergy’s network traffic and extract its main features and network behavior patterns. Then we adapt the proposed HMM model with BlackEnergy botnet patterns and features. In addition to detecting the botnet communication traffic in both Attack and C&C stages, inferred HMM defines the stage of botnet lifecycle. Our proposed method detects botnet activity in small time intervals without having seen a complete network flow. Using existing datasets, we show experimentally that it is possible to identify the presence of botnets activity with high accuracy even in very small time windows.
Keywords: Botnet detection, Hidden markov model, time interval, flow interval, network flow, command, control stage -
Nowadays, botnets are considered as essential tools for planning serious cyber attacks. Botnets are used to perform various malicious activities such as DDoS attacks and sending spam emails. Different approaches are presented to detect botnets; however most of them may be ineffective when there are only a few infected hosts in monitored network, as they rely on similarity in bots activities to detect the botnet. In this paper, we present a host-based method that can detect individual bot-infected hosts. This approach is based on botnet life-cycle, which includes common symptoms of almost all types of botnet despite their differences. We analyze network activities of each process running on the host and propose some heuristics to distinguish behavioral patterns of bot process from legitimate ones based on statistical features of packet sequences and evaluating an overall security risk for it. To show the effectiveness of the approach, a tool named BotRevealer has been implemented and evaluated using real botnets and several popular applications. The results show that in spite of diversity of botnets, BotRevealer can effectively detect the bot process among other active processes.Keywords: Botnet Detection, Botnet Life-Cycle, Host-Based Intrusion Detection, Heuristic Algorithm
-
Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods produce a number of good ideas, but they are far from complete yet, since most of them cannot detect botnets in an early stage of their lifecycle; moreover, they depend on a particular command and control (C&C) protocol. In this paper, we address these issues and propose an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets. It extracts a set of ow feature vectors from the network traffic at the end of each time period, and then groups them to some flow clusters by a novel online fixed-width clustering algorithm. Flow clusters that have at least two members, and their intra-cluster similarity is above a similarity threshold, are identified as suspicious botnet clusters, and all hosts in such clusters are identified as bot infected.We demonstrate the effectiveness of BotOnus to detect various botnets including HTTP-, IRC-, and P2P-based botnets using a testbed network. The results of experiments show that it can successfully detect various botnets with an average detection rate of 94:33% and an average false alarm rate of 3.74%.Keywords: Botnet Detection, Botnet Lifecycle, Command, Control Channel, Online Clustering
- نتایج بر اساس تاریخ انتشار مرتب شدهاند.
- کلیدواژه مورد نظر شما تنها در فیلد کلیدواژگان مقالات جستجو شدهاست. به منظور حذف نتایج غیر مرتبط، جستجو تنها در مقالات مجلاتی انجام شده که با مجله ماخذ هم موضوع هستند.
- در صورتی که میخواهید جستجو را در همه موضوعات و با شرایط دیگر تکرار کنید به صفحه جستجوی پیشرفته مجلات مراجعه کنید.
©2000-2025 magiran.com All Rights Reserved.