Bot Infections Research Articles

Real-time bot infection detection system using DNS fingerprinting and machine-learning

In today’s cyberattacks, botnets are used as an advanced technique to generate sophisticated and coordinated attacks. Infected systems connect to a command and control (C&C) server to receive commands and attack. Thus, detecting infected hosts makes it possible to protect the network’s resources and prevent them from illicit activities toward third parties. This research elaborates on the design, implementation, and results of a bot infection detection system based on Domain Name System (DNS) traffic events for a network corporation. An infection detection feasibility analysis is performed by creating fingerprints. The traces are generated from a numerical analysis of 13 attributes. These attributes are obtained from the DNS logs of a DNS server. It looks for fingerprint anomalies using Isolation Forest to label a host as infected or not. In addition, on the traces cataloged as anomalous, a search will be carried out for queries to domains generated by Domain Generation Algorithms (DGA). Then, Random Forest generates a model that detects future bot infections on hosts. The devised system integrates the ELK stack and Python. This integration facilitates the management, transformation, and storage of events, generation of fingerprints, machine learning application, and analysis of fingerprint classification results with a precision greater than 99%.

Identifying bot infection using neural networks on DNS traffic

Data security and privacy concerns on the Internet are continuously rising considering security breaches. These security breaches are often due to the presence of host(s) infected with malware called bots. As a result, bot-infection detection in enterprise networks is getting a greater research focus. From the perspective of law enforcement, the focus is to detect and destroy the botnet infrastructure which comprises mostly of Command and Control server along with the technique used for communication. From an enterprise perspective, it is important to detect and quarantine bot-infected machines thereby preventing the chance of any security breach. While many efforts have been made to detect malicious domains, limited research is done to detect infected machines in an enterprise network. This paper presents a deep learning-based technique for detecting bot-infected machines in a network applied to the hourly hosts' Domain Name System (DNS) fingerprint. Multi feature anomaly detection technique was implemented to detect bots in the campus network thereby minimizing the number of false positives. The results indicate a significant improvement over previous work. Finally, a GUI tool named DeepDAD is presented to facilitate investigating and detecting bots in a network traffic using DNS traffic analysis.

Gravity-Law Based Critical Bots Identification in Large-Scale Heterogeneous Bot Infection Network

The explosive growth of botnets has posed an unprecedented potent threat to the internet. It calls for more efficient ways to screen influential bots, and thus precisely bring the whole botnet down beforehand. In this paper, we propose a gravity-based critical bots identification scheme to assess the influence of bots in a large-scale botnet infection. Specifically, we first model the propagation of the botnet as a Heterogeneous Bot Infection Network (HBIN). An improved SEIR model is embedded into HBIN to extract both heterogeneous spatial and temporal dependencies. Within built-up HBIN, we elaborate a gravity-based influential bots identification algorithm where intrinsic influence and infection diffusion influence are specifically designed to disclose significant bots traits. Experimental results based on large-scale sample collections from the implemented prototype system demonstrate the promising performance of our scheme, comparing it with other state-of-the-art baselines.

Dynamics of Botnet Propagation in Software Defined Networks Using Epidemic Models

During COVID-19 the new normal became an increased reliance on remote connectivity, and that fact is far away to change any time soon. The increasing number of networked devices connected to the Internet is causing an exponential growth of botnets. Subsequently, the number of DDoS (Distributed Denial of Service) attacks registered around the world also increased, especially during the pandemic lockdown. Therefore, it is crucial to understand how botnets are formed and how bots propagate within networks. In particular, analytic modelling of the botnets epidemic process is an essential component for understanding DDoS attacks, and thus mitigate their impact. In this paper, we propose two analytic epidemic models; (i) the first one for enterprise Software Define Networks (SDN) based on the SEIRS (Susceptible - Exposed - Infected - Recovered) approach, while (ii) the second model is designed for service providers’ SDN, and it is based on a novel extension of a SEIRS-SEIRS vector-borne approach. Both models illustrate how bots spread in different types of SDN networks. We found that bot infection behaves in a similar way to human epidemics, such as the novel COVID-19 outbreak. We present the calculation of the basic reproduction number $R_{\mathrm {o}}$ for both models and we test the system stability using the next generation matrix approach. We have validated the models using the final value theorem (FVT), with which we can determine the steady-state values that provide a better understanding of the propagation process.

Botnet Fingerprinting: A Frequency Distributions Scheme for Lightweight Bot Detection

Efficient bot detection is a crucial security matter and widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graph-based features, incurring however in scalability issues, with high time and space complexity. Bots exhibit specific communication patterns: they use particular protocols, contact specific domains, hence can be identified by analyzing their communication with the outside. A way we follow to simplify the communication graph and avoid scalability issues is looking at frequency distributions of protocol attributes capturing the specificity of botnets behaviour. We propose a bot detection technique named BotFP , for BotFingerPrinting , which acts by (i) characterizing hosts behaviour with attribute frequency distribution signatures, (ii) learning benign hosts and bots behaviours through either clustering or supervised Machine Learning (ML), and (iii) classifying new hosts either as bots or benign ones, using distances to labelled clusters or relying on a ML algorithm. We validate BotFP on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Compared to state-of-the-art techniques, we show that BotFP is more lightweight, can handle large amounts of data, and shows better accuracy.

Detecting bot-infected machines using DNS fingerprinting

The never-ending menace of botnet is causing many serious problems on the Internet. Although there are significant efforts on detecting botnet at the global level which rely heavily on finding failed queries and domain flux information for botnet detection, there are very few efforts being made to detect bot infection at an enterprise level. Detecting bot-infected machines is vital for any organization in combating various security threats. This work proposes a novel anomaly-based detection technique which considers hourly hosts DNS fingerprint and attempts to find anomalous behavior which is quite different from normal machine behavior. This work successfully demonstrates the DNS Anomaly Detection (named BotDAD) technique for detecting bot-infected machine in a network using DNS fingerprinting.

Bot detection using unsupervised machine learning

This research focuses on bot detection through implementation of techniques such as traffic analysis, unsupervised machine learning, and similarity analysis between benign traffic data and bot traffic data. In this study, we tested and experimented with different clustering algorithms and recorded their accuracy with our prepared datasets. Later, the best clustering algorithm was used to proceed with the next steps of the methodology such as determination of majority clusters (cluster with most flows), removal of duplicate flows, and calculation of similarity analysis. Results were recorded for the removal of duplicate flows stage, the results indicate how many flows each majority cluster contains and how many duplicate flows were removed from this majority cluster. Next, results for similarity analysis indicate the value of the similarity coefficient for the comparisons between all datasets (bot datasets and benign dataset). With these results we can present some heuristic conclusion for determining possible bot infection in a certain host.

Diagnosing bot infections using Bayesian inference

Prior research in botnet detection has used the bot lifecycle to build detection systems. These systems, however, use rule-based decision engines which lack automated adaptability and learning, accuracy tunability, the ability to cope with gaps in training data, and the ability to incorporate local security policies. To counter these limitations, we propose to replace the rigid decision engines in contemporary bot detectors with a more formal Bayesian inference engine. Bottleneck, our prototype implementation, builds confidence in bot infections based on the causal bot lifecycle encoded in a Bayesian network. We evaluate Bottleneck by applying it as a post-processing decision engine on lifecycle events generated by two existing bot detectors (BotHunter and BotFlex) on two independently-collected datasets. Our experimental results show that Bottleneck consistently achieves comparable or better accuracy than the existing rule-based detectors when the test data is similar to the training data. For differing training and test data, Bottleneck, due to its automated learning and inference models, easily surpasses the accuracies of rule-based systems. Moreover, Bottleneck’s stochastic nature allows its accuracy to be tuned with respect to organizational needs. Extending Bottleneck’s Bayesian network into an influence diagram allows for local security policies to be defined within our framework. Lastly, we show that Bottleneck can also be extended to incorporate evidence trustscore for false alarm reduction.

A mathematical exploitation of simulated uniform scanning botnet propagation dynamics for early stage detection and management

The contribution of this paper is two-fold. Firstly, we propose a botnet detection approach that is sufficiently timely to enable a containment of the botnet outbreak in a supervised network. Secondly, we show that mathematical models of botnet propagation dynamics are a viable means of achieving that level of defense from bot infections in a supervised network. Our approach is built on the idea of processing network traffic such as to localize a weakly connected subgraph within a graph that models network communications between hosts, and thus consider that subgraph as representative of a suspected botnet. We devise applied statistics to infer the propagation dynamics that would characterize the suspected botnet if this latter were indeed a botnet. The inferred dynamics are materialized into a model graph. A subgraph isomorphism search determines whether or not there is an approximate match between the model graph and any subgraph of the weakly connected subgraph. An approximate match between the two leads to a timely identification of infected hosts. We have implemented this research in the Matlab and Perl programming languages, and have validated it in practice in the Emulab network testbed. In the paper, we describe our approach in detail, and discuss experiments along with experimental data that are indicative of the effectiveness of our approach.

Occurrence and Prevalence of Bot Flies, Metacuterebra apicalis (Diptera: Cuterebridae), in Rodents of Cerrado from Central Brazil

The occurrence and prevalence of Metacuterebra apicalis (Diptera: Cuterebridae) in natural populations of Oryzomys subflavus, Bolomys lasiurus, and Thalpomys cerradensis (Rodentia: Muridae) from August 1990 to July 1992 in the cerrado, a common savanna-like vegetation type of central Brazil, are reported. An increase in bot infection in the 3 rodent species between October 1991 and July 1992 without correlation to precipitation was detected. The prevalence was lower than in neotropical forest formations. Mean intensity was 1.3 bots (range 1-2) for T. cerradensis and 1 bot for B. lasiurus and O. subflavus. This is the first record of T. cerradensis as host of bot flies.

Effect of temperature on embryonic development and egg hatchability of the horse bot, Gasterophilus intestinalis (Diptera: Gasterophilidae).

Five species of bot flies infect horses world-wide. Four of these are found in the United States, but only 2, Gasterophilus intestinalis and Gasterophilus nasalis , are common. Of these, the common horse bot G. intestinalis is more widely distributed and infests 99% of the horses in Kentucky. Although deaths from bot infections are rare, ovipositing by female flies annoys horses and larvae produce lesions in the mouth and stomach.