Behavioral analysis of botnets for threat intelligence

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The analysis is enabled by a Threat Intelligence infrastructure that we developed specifically for fast-flux botnet detection and monitoring. Cyber criminals and attackers use botnets to conduct a wide range of operations, including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics and form clusters based on size, growth, and type of malicious behavior. We introduce a social network connectivity metric and show that, under this metric, command and control botnets and malware botnets have similar scores, while spam botnets and phishing botnets have similar scores to each other. We describe how a Guilt-by-Association approach combined with the connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.
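The abstract names three ingredients without defining them: a fast-flux heuristic over DNS records, a connectivity metric, and a Guilt-by-Association step that predicts a domain's botnet family from the domains it shares infrastructure with. The following Python example is added here to illustrate how those pieces fit together; it is not the paper's code, and the paper's actual metric and procedure are not given on this page. The flux heuristic (many distinct A records plus short TTLs), the connectivity score (total shared-IP edge weight), the label-propagation rule, and every DNS observation and family label below are constructed assumptions for the illustration.

```python
"""Guilt-by-association labelling of fast-flux domains over a shared-IP graph.

Added example, not code from the paper. The paper's connectivity metric and
Guilt-by-Association procedure are not specified on the page, so this uses a
standard weighted label-propagation scheme over a domain/IP bipartite graph.
All DNS observations and family labels below are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS style observations: (domain, resolved IP, TTL seconds).
OBSERVATIONS = [
    ("a-pharm.example", "203.0.113.5", 180),
    ("a-pharm.example", "203.0.113.9", 180),
    ("a-pharm.example", "198.51.100.7", 180),
    ("a-pharm.example", "198.51.100.8", 180),
    ("b-bank-login.example", "203.0.113.5", 300),
    ("b-bank-login.example", "198.51.100.7", 300),
    ("b-bank-login.example", "198.51.100.21", 300),
    ("c-update.example", "192.0.2.10", 60),
    ("c-update.example", "192.0.2.11", 60),
    ("c-update.example", "192.0.2.12", 60),
    ("d-unknown.example", "203.0.113.9", 240),
    ("d-unknown.example", "198.51.100.8", 240),
    ("d-unknown.example", "198.51.100.21", 240),
    ("e-unknown.example", "192.0.2.11", 60),
    ("e-unknown.example", "192.0.2.12", 60),
    ("static.example", "192.0.2.200", 86400),
]

# Constructed ground truth: family labels already known for a few domains.
KNOWN_LABELS = {
    "a-pharm.example": "spam",
    "b-bank-login.example": "phishing",
    "c-update.example": "malware",
}


def domain_ip_map(observations):
    """Bipartite view: domain -> set of IPs it has resolved to."""
    ips = defaultdict(set)
    for domain, ip, _ttl in observations:
        ips[domain].add(ip)
    return ips


def flux_candidates(observations, min_ips=3, max_ttl=600):
    """Crude fast-flux heuristic (assumed): many distinct A records, short TTLs."""
    ips = domain_ip_map(observations)
    ttls = defaultdict(list)
    for domain, _ip, ttl in observations:
        ttls[domain].append(ttl)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl)


def shared_ip_graph(ips):
    """Domain-domain weighted graph; edge weight = number of IPs two domains share."""
    graph = defaultdict(dict)
    for d1, d2 in combinations(sorted(ips), 2):
        shared = len(ips[d1] & ips[d2])
        if shared:
            graph[d1][d2] = shared
            graph[d2][d1] = shared
    return graph


def connectivity(graph, domain):
    """Illustrative connectivity score: total shared-IP weight on a domain's edges."""
    return sum(graph[domain].values()) if domain in graph else 0


def guilt_by_association(graph, known, rounds=3):
    """Propagate family labels from labelled domains to their neighbours.

    An unlabelled domain takes the label with the largest total edge weight
    among its labelled neighbours; ties and isolated domains stay unlabelled.
    Several rounds let a label travel more than one hop.
    """
    labels = dict(known)
    for _ in range(rounds):
        updates = {}
        for domain in graph:
            if domain in labels:
                continue
            votes = defaultdict(int)
            for nbr, weight in graph[domain].items():
                if nbr in labels:
                    votes[labels[nbr]] += weight
            if votes:
                best = max(votes.values())
                winners = [lab for lab, v in votes.items() if v == best]
                if len(winners) == 1:
                    updates[domain] = winners[0]
        if not updates:
            break
        labels.update(updates)
    return labels


if __name__ == "__main__":
    ip_map = domain_ip_map(OBSERVATIONS)
    graph = shared_ip_graph(ip_map)
    print("flux candidates:", flux_candidates(OBSERVATIONS))
    for d in sorted(graph):
        print(f"{d}: connectivity={connectivity(graph, d)}")
    print("predicted labels:", guilt_by_association(graph, KNOWN_LABELS))
```

In this constructed data `d-unknown.example` shares two IPs with the spam domain and one with the phishing domain, so it is predicted as spam; `e-unknown.example` shares two IPs with the malware domain and is predicted as malware; `static.example` has a single long-lived record, shares no infrastructure, and is neither flagged as fast-flux nor labelled. The tie rule matters in practice: a domain hosted equally on spam and phishing infrastructure is exactly the case where the abstract notes those two families score alike, so leaving it unlabelled rather than guessing is the conservative choice for an analyst.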
