Adaptive Cyber Defenses for Botnet Detection and Mitigation

Organizations increasingly rely on complex networked systems to maintain operational efficiency. While the widespread adoption of network-based IT solutions brings significant benefits to both commercial and government organizations, it also exposes them to an array of novel threats. Specifically, malicious actors can use networks of compromised and remotely controlled hosts, known as botnets, to execute a number of different cyber-attacks and engage in criminal or otherwise unauthorized activities. Most notably, botnets can be used to exfiltrate highly sensitive data from target networks, including military intelligence from government agencies and proprietary data from enterprise networks. What makes the problem even more complex is the recent trend towards stealthier and more resilient botnet architectures, which depart from traditional centralized architectures and enable botnets to evade detection and persist in a system for extended periods of time. A promising approach to botnet detection and mitigation relies on Adaptive Cyber Defense (ACD), a novel and game-changing approach to cyber defense. We show that detecting and mitigating stealthy botnets is a multi-faceted problem that requires addressing multiple related research challenges, and show how an ACD approach can help us address these challenges effectively.

[1]  Abhijit Gosavi,et al.  Simulation-Based Optimization: Parametric Optimization Techniques and Reinforcement Learning , 2003 .

[2]  Philip S. Yu,et al.  On Periodicity Detection and Structural Periodic Similarity , 2005, SDM.

[3]  Yoichi Shinoda,et al.  Vulnerabilities of Passive Internet Threat Monitors , 2005, USENIX Security Symposium.

[4]  Michael P. Wellman,et al.  A Stackelberg Game Model for Botnet Data Exfiltration , 2017, GameSec.

[5]  J. Scargle Studies in astronomical time series analysis. II - Statistical aspects of spectral analysis of unevenly spaced data , 1982 .

[6]  R. Bellman Dynamic programming. , 1957, Science.

[7]  Joseph B. Kadane,et al.  Using uncleanliness to predict future botnet addresses , 2007, IMC '07.

[8]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[9]  Ratul Mahajan,et al.  Measuring ISP topologies with rocketfuel , 2002, TNET.

[10]  Kang G. Shin,et al.  Detection of botnets using combined host- and network-level information , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[11]  Abhijit Gosavi,et al.  Simulation-Based Optimization: Parametric Optimization Techniques and Reinforcement Learning , 2003 .

[12]  Vincent Conitzer,et al.  Stackelberg vs. Nash in Security Games: An Extended Investigation of Interchangeability, Equivalence, and Uniqueness , 2011, J. Artif. Intell. Res..

[13]  Manish Jain,et al.  Computing optimal randomized resource allocations for massive security games , 2009, AAMAS 2009.

[14]  Yang Xiang,et al.  Modeling the Propagation of Worms in Networks: A Survey , 2014, IEEE Communications Surveys & Tutorials.

[15]  John C. Mitchell,et al.  Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods , 2008, WOOT.

[16]  Robert E. Tarjan,et al.  Fibonacci heaps and their uses in improved network optimization algorithms , 1987, JACM.

[17]  Alejandro Zunino,et al.  An empirical comparison of botnet detection methods , 2014, Comput. Secur..

[18]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.

[19]  Avrim Blum,et al.  Planning in the Presence of Cost Functions Controlled by an Adversary , 2003, ICML.

[20]  Ali A. Ghorbani,et al.  Towards effective feature selection in machine learning-based botnet detection approaches , 2014, 2014 IEEE Conference on Communications and Network Security.

[21]  Herbert Bos,et al.  SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets , 2013, 2013 IEEE Symposium on Security and Privacy.

[22]  Giuseppe Piccioni,et al.  Solar migrating atmospheric tides in the winds of the polar region of Venus , 2012 .

[23]  Michael P. Wellman,et al.  Empirical Game-Theoretic Analysis of an Adaptive Cyber-Defense Scenario (Preliminary Report) , 2014, GameSec.

[24]  Michalis Faloutsos,et al.  On power-law relationships of the Internet topology , 1999, SIGCOMM '99.

[25]  Ibrahim Matta,et al.  BRITE: an approach to universal topology generation , 2001, MASCOTS 2001, Proceedings Ninth International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems.

[26]  Vincent Conitzer,et al.  A double oracle algorithm for zero-sum security games on graphs , 2011, AAMAS.

[27]  Sushil Jajodia,et al.  Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning , 2016, ACM Trans. Intell. Syst. Technol..

[28]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[29]  Xiapu Luo,et al.  Building a Scalable System for Stealthy P2P-Botnet Detection , 2014, IEEE Transactions on Information Forensics and Security.

[30]  Sushil Jajodia,et al.  Detecting Stealthy Botnets in a Resource-Constrained Environment using Reinforcement Learning , 2017, MTD@CCS.

[31]  Warren B. Powell,et al.  “Approximate dynamic programming: Solving the curses of dimensionality” by Warren B. Powell , 2007, Wiley Series in Probability and Statistics.

[32]  Sushil Jajodia,et al.  A Moving Target Defense Approach to Disrupting Stealthy Botnets , 2016, MTD@CCS.

[33]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[34]  Vitaly Shmatikov,et al.  Security against probe-response attacks in collaborative intrusion detection , 2007, LSAD '07.

[35]  Sarvapali D. Ramchurn,et al.  Algorithms for Graph-Constrained Coalition Formation in the Real World , 2017, TIST.

[36]  Hans-Peter Kriegel,et al.  OPTICS: ordering points to identify the clustering structure , 1999, SIGMOD '99.

[37]  Michael West Chapter 2 – Preventing System Intrusions , 2014, NSS 2014.

[38]  Sushil Jajodia,et al.  Disrupting stealthy botnets through strategic placement of detectors , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).

[39]  Warren B. Powell,et al.  An Optimal Approximate Dynamic Programming Algorithm for the Lagged Asset Acquisition Problem , 2009, Math. Oper. Res..

[40]  Ananthram Swami,et al.  Optimal Monitor Placement for Detection of Persistent Threats , 2016, 2016 IEEE Global Communications Conference (GLOBECOM).

[41]  Yitzchak M. Gottlieb,et al.  CyberVAN: A Cyber Security Virtual Assured Network testbed , 2016, MILCOM 2016 - 2016 IEEE Military Communications Conference.

[42]  Tansu Alpcan,et al.  A Malware Detector Placement Game for Intrusion Detection , 2007, CRITIS.

[43]  Giovane C. M. Moura,et al.  Internet Bad Neighborhoods , 2013 .