Discovering New Indicators for Botnet Traffic Detection

Electronic Archive of Kharkiv National University of Radio Electronics (Open Access Repository of KHNURE)

 
Field Value
 
Creator Alexander Adamov, Vladimir Hahanov, Anders Carlsson
 
Date 2016-07-06T08:26:13Z
2014
 
Identifier Alexander Adamov, Vladimir Hahanov, Anders Carlsson. Discovering New Indicators for Botnet Traffic Detection // Proceedings of IEEE East-West Design & Test Symposium (EWDTS’2014)
http://hdl.handle.net/123456789/3133
 
Description Modern society sees an increase in cyber attacks, which antivirus and other security companies attempt to mitigate. Nowadays an Individual Cyberspace is highly vulnerable to identity and money theft on the Internet. The most widespread and dangerous threat to every Internet user is botnets, which conquer more and more user computers and turn them into “cyber zombies”. Despite numerous takedown attempts, the botnets are still alive and continue to successfully steal users’ credentials. Detecting a botnet is a complex task for two major reasons: the use of encryption for transferred data, and the involvement of numerous infected bots as proxy layers to deliver data to the C&C. Currently botnets have become unbreakable, despite the recent takedowns of the Kelihos and Zeus botnets, because of their distributed nature and the use of several layers of proxy bots. The latest Operation Tovar, jointly run by the FBI, NCA, Europol and antivirus companies at the beginning of June, disconnected Zeus bots from their mothership C&C (Command and Control) servers.

Botnets have become a powerful cyber weapon that involves tens of millions of infected computers, “cyber zombies”, all over the world. The security industry makes efforts to prevent the spread of botnets and the compromise of users’ Individual Cyberspace (IC) [1] in this way. However, botnets continue to exist despite numerous takedowns initiated by antivirus companies, Microsoft, the FBI, Europol and others.

In this paper we investigate existing methods of traffic detection, represented mostly by IDS systems, and discover new indicators that can be utilized to improve botnet traffic detection. To do this we analyse the communication protocols of the most prevalent backdoors that stand behind the popular botnets. As a result, we extracted new data that might be used in the detection routines of an IDS (Intrusion Detection System). The objective of the study is mining new indicators of compromise from botnet traffic and using them to identify cyber-attacks on IC. The analysis method assumes analysis of the communication protocol of the top botnet backdoors. The discovered results, which can be used to improve detection of infected hosts in a local network, are presented in this paper.
IEEE Computer Society Test Technology Technical Council
 
Language en
 
Publisher EWDTS
 
Subject botnet
detection
IDS
Individual Cyberspace
traffic
encryption
signature
Indicator-of-Compromise
 
Title Discovering New Indicators for Botnet Traffic Detection
 
Type Article