Behavioral Analysis of Zombie Armies

Zombie armies, or botnets, i.e., large groups of compromised machines controlled remotely by the same entity, pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and of their strategic evolution, is thus a vital requirement to combat these latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots, concentrated in a limited number of "unclean networks"; and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.
