A Moving Target Defense Approach to Disrupting Stealthy Botnets

Botnets are increasingly being used for exfiltrating sensitive data from mission-critical systems. Research has shown that botnets have become extremely sophisticated and can operate in stealth mode by minimizing their host and network footprint. In order to defeat exfiltration by modern botnets, we propose a moving target defense approach for dynamically deploying detectors across a network. Specifically, we propose several strategies based on centrality measures to periodically change the placement of detectors. Our objective is to increase the attacker's effort and likelihood of detection by creating uncertainty about the location of detectors and forcing botmasters to perform additional actions in an attempt to create detector-free paths through the network. We present metrics to evaluate the proposed strategies and an algorithm to compute a lower bound on the detection probability. We validate our approach through simulations, and results confirm that the proposed solution effectively reduces the likelihood of successful exfiltration campaigns.
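The abstract describes three ingredients: ranking nodes by a centrality measure, periodically moving detectors among high-ranked nodes so the botmaster cannot learn a detector-free path, and computing a lower bound on the probability that an exfiltration path is detected. The block below is an added illustration of those ideas, not the paper's own code or algorithm: it uses a small constructed topology, betweenness as the centrality measure (computed with Brandes' algorithm), and an assumed placement rule in which each period the defender puts k detectors on a uniformly random k-subset of the m most central internal nodes. Under that rule the chance a given path escapes detection is the hypergeometric term C(m - overlap, k) / C(m, k); because any walk from the bot to the egress visits every node of some simple path, the minimum over simple paths is a lower bound on detection probability whatever route the botmaster takes. The same code shows the contrast with a static placement, which yields zero detection as soon as a detector-free path exists.

```python
"""Added example (not from the paper): centrality-based moving-target detector
placement and a lower bound on the detection probability of an exfiltration path.
The topology and the placement rule are assumptions made for illustration."""
from collections import deque
from math import comb

# Constructed, hypothetical enterprise topology (undirected): node -> neighbours.
# "bot" is the compromised host; "egress" is the gateway exfiltrated data must cross.
TOPOLOGY = {
    "bot": {"r1", "r2"},
    "r1": {"bot", "r3", "r4"},
    "r2": {"bot", "r4", "r5"},
    "r3": {"r1", "r6"},
    "r4": {"r1", "r2", "r6", "r7"},
    "r5": {"r2", "r7"},
    "r6": {"r3", "r4", "egress"},
    "r7": {"r4", "r5", "egress"},
    "egress": {"r6", "r7"},
}


def betweenness(graph):
    """Brandes' algorithm for unweighted betweenness centrality on an undirected graph."""
    bc = {v: 0.0 for v in graph}
    for s in graph:
        stack, preds = [], {v: [] for v in graph}
        sigma = {v: 0 for v in graph}       # number of shortest paths from s
        dist = {v: -1 for v in graph}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                         # BFS, recording shortest-path predecessors
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in graph}
        while stack:                         # back-propagate dependencies
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: bc[v] / 2.0 for v in graph}   # each unordered pair was counted twice


def simple_paths(graph, src, dst):
    """All simple src -> dst paths (exponential in general; fine for a small graph)."""
    found = []

    def dfs(v, path):
        if v == dst:
            found.append(list(path))
            return
        for w in graph[v]:
            if w not in path:
                path.append(w)
                dfs(w, path)
                path.pop()

    dfs(src, [src])
    return found


def candidate_pool(graph, src, dst, m):
    """The m most central internal nodes; detectors are only ever placed on these."""
    bc = betweenness(graph)
    internal = [v for v in graph if v not in (src, dst)]
    return sorted(internal, key=lambda v: (-round(bc[v], 9), v))[:m]


def static_detection_lower_bound(graph, src, dst, detectors):
    """Fixed placement the attacker can learn: 0 if any detector-free path exists, else 1."""
    dets = set(detectors)
    return 0.0 if any(dets.isdisjoint(p) for p in simple_paths(graph, src, dst)) else 1.0


def mtd_detection_lower_bound(graph, src, dst, pool, k):
    """Assumed moving-target rule: each period k detectors land on a uniformly random
    k-subset of `pool`. A path with `overlap` pool nodes is missed with probability
    C(m - overlap, k) / C(m, k). Any walk src -> dst covers the nodes of some simple
    path, so the minimum over simple paths bounds detection from below for any route."""
    m, pool_set = len(pool), set(pool)
    worst = 1.0
    for path in simple_paths(graph, src, dst):
        overlap = len(pool_set.intersection(path))
        p_miss = comb(m - overlap, k) / comb(m, k)
        worst = min(worst, 1.0 - p_miss)
    return worst


if __name__ == "__main__":
    pool = candidate_pool(TOPOLOGY, "bot", "egress", 5)
    print("candidate pool by betweenness:", pool)
    print("static top-2 placement, informed attacker:",
          static_detection_lower_bound(TOPOLOGY, "bot", "egress", pool[:2]))
    for k in (1, 2, 3, 4):
        bound = mtd_detection_lower_bound(TOPOLOGY, "bot", "egress", pool, k)
        print(f"moving-target, k={k} of {len(pool)} nodes: detection >= {bound:.2f}")
```

On this topology the central node r4 ranks first, but the informed attacker simply routes around a static top-2 placement (bot, r2, r5, r7, egress), so static detection is 0; with the same two detectors drawn at random from the five most central nodes, every route crosses at least two pool nodes and the bound is 0.7, rising to certainty at k = 4. The comparison is what the abstract means by forcing the botmaster to spend effort on detector-free paths that may not exist in the next period.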
