A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far
Abstract
1. Introduction
1.1. The Origin of Cybercrimes and the Rise of Modern Botnets
- (a) Approximately 77% of the world is still a relatively safe haven for cybercriminals and their activities; therefore,
- (b) The treaty does not yet bear the force of the law in at least four (8%) of the countries that are signatories to it;
- (c) At least 10 (amounting to 5%) countries of the world that are not members of the Council of Europe have ratified the provisions and specifications of the treaty into law, even though they are not signatories to the treaty; therefore,
- (d) There is still no globally acceptable (by democratic standards of at least a majority of the countries of the world) legal standard through which cybercriminals could be unilaterally prosecuted.
1.2. Typology of Attackers & Botnet Owners
- (a) Hackers/Skilled Individuals: This class of attackers consists of individuals who possess extensive knowledge and skill in scripting and coding. They are often loners who understand the internal workings of information and communication technologies, systems and networks well enough to obfuscate and bypass routine processes and procedures in order to gain access and privileges within secure environments where they are not authorised. This class of botnet owners tends to use its botnets primarily for financial crimes and identity theft, and often wields a rather limited amount of resources. They usually cover their tracks very carefully for fear of being found out and prosecuted under their jurisdictional cyber laws.
- (b) Hacker Groups: This class of attackers comprises organised groups of hackers that share a common vision, mission and/or ideology. They possess more resource strength than skilled individual hackers, as they are able to pool skills, influence and finances to orchestrate coordinated attacks with more organisation, precision and impact. In recent times, we have seen a rise in the number and popularity of such hacker groups, such as Anonymous, Chaos Computer Club and Legion of Doom, amongst many others. Because the composition of these groups typically spans several nationalities and jurisdictions with variations in cybercrime legislation, the individual members often seem insulated from the consequences of the group’s activities, owing to the technical complexities associated with the trans-jurisdictional policing of cybercrimes.
- (c) Government/Nation-state Actors: Until recently, it was not commonplace to see government and nation-state actors as active players in cyber offence. Today, several governments have come forward to claim responsibility for the actions of botnets and similar malware that have featured in the annals of cyberspace offensives. One popular example was the 2014 Denial of Service attack launched against Sony Pictures by the North Korean Government [35]. Such offensives and attacks are usually of a high-impact nature, owing to the very vast and seemingly limitless resource base that governments and nation-states are usually able to access.
2. Synchronous & Asynchronous Botnet Attacks
Known Botnet Control Architectures
- (a) Direct: This is shown in Figure 3a. In this architecture, botmasters exert direct control over their botnets and the individual bots that compose them. The botmasters directly recruit and interact with the bots and disseminate commands directly, either towards the same (coordinated) goal or towards different goals. In this method, only the botmasters know all of the bots in the botnet, because the bot machines typically have no interaction with each other. This architecture lost popularity as cybercrime laws became more stringent and penal, because bots and botnets could be traced directly to the botmaster; its popularity is now beginning to rise again as more sophisticated machine-identity obfuscation techniques emerge.
- (b) Centralised: In the centralised C&C architecture shown in Figure 3b, all the bots in the botnet rely on a connection to a central C&C server in order to remain part of the botnet, receive commands and updates, and make status and operations reports. This method is gradually ceasing to be the method preferred by botmasters because of how easily it can be taken down: once the central C&C server is located and taken out, the botnet is dislodged, and its operations can no longer cohere. However, botmasters have devised a way of making this method more sophisticated by distributing and deepening the hierarchy of the centralisation, primarily through layering. This is similar to what Marupally and Paruchuri discuss as the Hierarchical variant in [38].
- (c) Peer-to-Peer (P2P) or Decentralised: In the P2P C&C architecture, each infected host is able to serve both as a bot and as a C&C server to at least one other computer connected to it. Using the P2P method, the botmaster has no need to maintain forward communication with all of the bots in the botnet, especially at the infiltration level, because the bot code is engineered as a self-sufficient unit: once released onto the network, the bot code is able both to recruit new bots into the botnet and to infuse each bot with the C&C capability, so that only reverse communication to the botmaster (which may be redirected through several external servers for added layers of anonymity) is necessary for status and operations reports. It is the absence of a single point of failure in botnets modelled on this architecture that makes them more resilient to most modern takedown measures [6,39,40]. This architecture is shown in Figure 3c.
- (d) Hybrid: As shown in Figure 3d, the hybrid approach combines the strengths of the Direct, P2P and Centralised methods to create the most resilient deployment of a botnet C&C server. Most modern botnets that have threatened the Internet in recent years (such as Conficker) have been found to feature a C&C mechanism [41] that exhibits some form of hybridisation, which has made them quite difficult to exterminate. Marupally and Paruchuri discuss the Multi-Server P2P Model [38], which illustrates the working principles of the hybrid botnet C&C architecture.
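The single-point-of-failure argument above can be checked numerically. The following is an added example (not code from the paper) that models the centralised, P2P and hybrid architectures as small constructed graphs and measures how much of each botnet could still be commanded after a takedown; the sizes, peer degrees and the "servant/client" naming are assumptions made for the example.

```python
"""Takedown resilience of the C&C architectures described above (Figure 3b-d),
modelled as simple graphs. Added example with constructed topologies and sizes;
it is not code from the paper and models no real botnet."""
import random
from collections import deque

N_BOTS = 200  # constructed size; real botnets are orders of magnitude larger


def build_centralised(n_bots):
    """Star topology (Figure 3b): every bot knows only the single C&C node 'c2'."""
    graph = {"c2": set()}
    for i in range(n_bots):
        graph[f"bot{i}"] = {"c2"}
        graph["c2"].add(f"bot{i}")
    return graph


def build_p2p(n_bots, degree, seed=1, prefix="bot"):
    """Unstructured P2P overlay (Figure 3c): each bot links to `degree` random
    peers and every node can relay commands, so no node is a distinguished C&C."""
    rng = random.Random(seed)
    names = [f"{prefix}{i}" for i in range(n_bots)]
    graph = {n: set() for n in names}
    for n in names:
        for p in rng.sample([m for m in names if m != n], degree):
            graph[n].add(p)
            graph[p].add(n)
    return graph


def build_hybrid(n_servants, n_clients, degree, seed=1):
    """Hybrid (Figure 3d): a small P2P core of 'servant' nodes relays commands,
    and each ordinary client bot attaches to `degree` servants instead of one server."""
    rng = random.Random(seed)
    graph = build_p2p(n_servants, degree, seed, prefix="srv")
    servants = sorted(graph)
    for i in range(n_clients):
        client = f"cli{i}"
        graph[client] = set()
        for s in rng.sample(servants, degree):
            graph[client].add(s)
            graph[s].add(client)
    return graph


def largest_component_fraction(graph, removed):
    """Share of the surviving nodes that are still mutually reachable, i.e. that a
    botmaster could still command from any single surviving entry point.
    1.0 means the botnet is intact; close to 0 means every survivor is stranded."""
    alive = set(graph) - set(removed)
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:  # breadth-first walk of one connected component
            node = queue.popleft()
            size += 1
            for nb in graph[node]:
                if nb in alive and nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        best = max(best, size)
    return best / len(alive)


def random_takedown(graph, fraction, seed=7, protect=()):
    """Remove a random `fraction` of nodes (optionally sparing `protect`): a
    takedown that does not know which nodes matter."""
    rng = random.Random(seed)
    candidates = sorted(n for n in graph if n not in protect)
    return set(rng.sample(candidates, int(len(candidates) * fraction)))


def compare_architectures():
    """Surviving command reach per architecture under targeted and random takedowns."""
    central = build_centralised(N_BOTS)
    p2p = build_p2p(N_BOTS, degree=4)
    hybrid = build_hybrid(n_servants=20, n_clients=N_BOTS - 20, degree=3)
    return {
        # seizing the one server strands every bot (single point of failure)
        "centralised_c2_seized": largest_component_fraction(central, {"c2"}),
        # disinfecting 30% of the bots while the server stays up changes nothing
        "centralised_30pct_bots_cleaned": largest_component_fraction(
            central, random_takedown(central, 0.3, protect={"c2"})),
        "p2p_30pct_random": largest_component_fraction(p2p, random_takedown(p2p, 0.3)),
        "hybrid_30pct_random": largest_component_fraction(hybrid, random_takedown(hybrid, 0.3)),
        # even seizing half of the hybrid's relay core leaves most clients reachable
        "hybrid_half_core_seized": largest_component_fraction(
            hybrid, {f"srv{i}" for i in range(10)}),
    }


if __name__ == "__main__":
    for scenario, reach in compare_architectures().items():
        print(f"{scenario:32s} {reach:.3f}")
```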
3. Lifecycle of Botnets
- (a) Infection/Doping: This is the first stage of the botnet lifecycle. The botmaster releases a carefully engineered and structured bot code into the network. This code then seeks to exploit certain vulnerabilities in software or network configurations that may already be known to the botmaster (following proper reconnaissance). Once machines featuring these vulnerabilities are located on the network, they are infused with the bot code, turning them into zombies whose control is remotely ceded to the botmaster. These machines have now been doped. Infection/doping of vulnerable machines could employ either active procedures (such as scanning, flooding, war driving and injection, or physical trans-loading/infusion, amongst others) or passive procedures (such as drive-by downloads, trans-loading from various removable media, or social engineering, emails, ads, cloned URLs, games, bugged/pirated software, amongst others) [1,8,32].
- (b) Recruitment & Rallying: This is the second stage of the botnet lifecycle, and the one which the botmaster arguably may consider the most important, because the strength of a botnet has been found to be directly proportional to the strength of its bot army [44]. At this stage, newer targets with similar vulnerabilities are acquired and enumerated as members of the botnet [6,8]. Rallying mechanisms used in recent botnets include hard-coded or generated Domain Name System (DNS) commands, or hard-coded IP addresses [8].
- (c) Synchronisation & Reporting: This is the third stage of the botnet lifecycle. At this stage, the enumerated members of the botnet are synchronised with the C&C centre, from which they henceforth receive commands and directives for action, and to which they report their status and the results of their operations [6,8]. Attackers could decide to use either existing protocols or novel protocols for C&C [8]. Following this stage, the bots need to maintain synchronisation with the C&C system at all times in order to receive new commands, infiltration parameters and takeover specifications, which they readily execute. Next, backdoors are installed on the zombies and unused ports are opened up and/or hijacked, so that even after firewall upgrades and security patch updates these remain difficult to shut off [1]. These guarantee future access to the bot by the C&C server and the botmaster when the need arises.
4. Typology of Existing Botnets
- (a) Spam Botnets: This class of botnets is involved in sending and disseminating large amounts of spam daily, seeking to exploit naïve users, typically by email. Popular examples of botnets belonging to this class are the Necurs and Gamut botnets of June 2016 and around early 2013 respectively, which the McAfee Labs March 2018 Threat Report found to comprise a combined 97% of global spam botnet traffic [45]. Others include Bagle of early 2004, the Storm botnet of early 2007 and the Marina botnet, amongst many others. Xie et al. [46] discovered that this class of botnets features many similarities in bot IP address distribution, email sending patterns and behaviours, email properties and sending time.
- (b) Information Gathering/Reconnaissance Botnets: This class of botnets is used to mine information over the Internet in large quantities on a daily basis. They also feature in the espionage operations of coordinated cybercrime syndicates. A popular example of a botnet in this class is the Mirai botnet, which was discovered in August 2016 to have been scanning the Internet for the IP addresses of vulnerable Internet of Things (IoT) devices [47] and then infecting them to enlist them in the botnet; it was later discovered to have been behind the October 2016 Dyn cyber-attack [48]. Kolias et al. [49] and Kambourakis et al. [50] present a detailed analysis of the Mirai botnet, covering its internal structure, system of operations, its variants and the realities that Mirai and related botnets portend for the future of the IoT. The Satori botnet is a more dreaded variant of Mirai that was discovered in May 2018 to feature operations similar to its parent form, but focused instead on mining information about vulnerable cryptocurrency remote-management infrastructures for the purpose of later infiltrating user wallets to steal cryptocurrencies [51]. Another example was the Asprox botnet, which hit the Internet around 2008.
- (c) Identity Theft Botnets: This class of botnets is involved in stealing large amounts of private user identity information, such as social security and credit card details, health records, login usernames and passwords, and other forms of sensitive information, typically for fraudulent purposes. Popular examples in this class include the Zeus botnet, which “compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek”, stealing sensitive banking information through web browser keystroke logging and form grabbing [52], and the Bredolab botnet, which was developed in 2009 by 27-year-old Russian hacker Georgy Avanesov to siphon bank account passwords and other confidential information from infected computers [53]. Others include the Torpig botnet, active since 2005, the Alureon botnet of around 2010 and the Mariposa botnet of December 2008, amongst others.
- (d) Click-Fraud Botnets: This class of botnets attempts to mimic legitimate human ad-click behaviour in a bid to con Internet advertisers into believing that their online adverts have been engaged with by a legitimate, actual human audience, thereby accumulating financial revenue for the botherders as the botnet’s click-advertising web traffic continues to mount. One popular example of a botnet in this class is the Chameleon botnet of February 2013, which was reported to have amassed a monthly revenue of over $6 million USD for the botnet owners following an infection of over 120,000 Windows® machines [54].
- (e) Crypto Botnets: This class of botnets is used by criminals to mine cryptocurrencies and resources for financial gain. Examples include the high-profile Smominru and ADB.Miner cryptomining botnets.
5. Botnet Countermeasures
- (a) Prevention [P]: This goal is aimed at increasing the possibility of averting the occurrence of a botnet attack in a network. Techniques that seek to achieve this goal are most often implemented around the edge (entry and exit) points of the network environment/infrastructure, so as to make sure that traffic and data coming into the network are legitimate and non-malicious. Examples include the technique proposed by Luo et al. [60], amongst others.
- (b) Detection [D]: The goal here is to spot the presence of a botnet within a production network. Techniques tailored towards this goal typically focus on analysing packets, traffic and communications that take place within the network, so as to identify those of malicious composition, operation and intent, and to alert the administrators accordingly. These techniques may sometimes do little to prevent the botnets from attacking the network; they basically aim to identify the presence of botnets in the network. However, in some deployments these techniques are used alongside other techniques that focus on one of the other goals, so as to make the countermeasure more potent and sophisticated. For example, Böck et al. [36] propose a novel approach to detecting botnets that are fully distributed and asynchronous in their operations, using a mechanism known as Trust Based Botnet Monitoring Countermeasure (TrustBotMC), and then propose a follow-up mitigation strategy. Khattak et al. [8] offer further insight into the dimensions of botnet detection that have been proposed in the literature. The task of detecting botnets in actual implementations is often made more difficult by a phenomenon known as flash crowds. Flash crowds occur when a large crowd of legitimate users repeatedly try to gain access to a server resource or service at the same time, often around the peak period(s) of such service(s) (known as a flash event), and may wrongly be flagged as a persistent threat/attack situation. Indeed, flash crowds can themselves cause DoS to occur, and they go a long way towards further complicating the task of detecting and controlling DoS attacks. This is because flash crowd traffic and DoS attack traffic have certain characteristics in common, and distinguishing them under the rush and load of DoS traffic can be a really difficult task. Peng et al. [44] and Alsaleem et al. [61] proposed a rule-based mechanism by which HTTP denial of service (DoS) attacks could be detected and isolated during flash events, while in the same vein Saad et al. [62] proposed a rule-based technique for the detection of anomalous ICMPv6 behaviours, all for the purpose of reducing the rates of false positives and negatives in threat situations. Also, Jazi et al. [63] proposed a technique for detecting HTTP-based DoS attacks at the application layer of web servers using sampling techniques, while Behal et al. [64] review existing strategies and methods for characterising and isolating Distributed Denial of Service (DDoS) attacks, even in the midst of flash events. Lonea [65] proposed a quantitative method for detecting DDoS attacks in cloud environments by analysing intrusion detection system alerts, while D’Cruze [66] proposed an efficient and flexible Software-Defined Networking (SDN) solution to mitigate DDoS attacks on Internet Service Provider (ISP) networks.
- (c) Offensive [O]: Here, the goal is to launch a form of counter-attack against the botnet/intrusion element, with the ultimate motive of taking it down (where possible), or of forcing the individual bots to go against the commands they are receiving from the C&C server, effectively obfuscating and dislodging the botnet. One way in which this is often achieved is through sinkholing. Usually, countermeasures built towards this goal are designed to take advantage of freshly discovered or already known vulnerabilities in the botnet’s design architecture, by engaging with active research findings and discoveries relating to the botnet under investigation; hence, offensive countermeasures are often not generic, but specific to certain botnet types or examples. Offensives could be direct (when they engage with the botnet directly and are targeted at dislodging/incapacitating specific botnet components or the botnet itself) or indirect (when they are just targeted at obscuring or redirecting particular botnet components, often through surrogate points in the network) [8].
- (d) Reconnaissance [R]: Though considered one of the most passive of countermeasure goals, this goal should actually be the foundation of any countermeasure that seeks to effectively take down a modern engineered botnet. The goal here is to passively monitor a known botnet that has been detected on a network and gather as much information as possible about its mode of operation, bot membership/strength, C&C architecture, malicious capabilities and obfuscation techniques, amongst others. Most offensive countermeasures that actually produce results in real botnet scenarios rely largely on detailed and extensive ab initio (pre-engagement) reconnaissance.
- (e) Mitigation [M]: This goal is aimed at controlling and curtailing the extent of the damage to the network and hosts whose environment has already been breached by a rampaging botnet; it is concerned with damage control. Countermeasures focused on this goal typically involve disinfecting bots in real time, stopping compromised services, reinforcing firewall defences and closing unused ports on hosts, amongst others.
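As an added illustration of the flash-crowd problem raised under Detection (not code from the paper or from any of the cited works), the following rule-based triage separates constructed access-log windows for a flash event from those for an HTTP flood. The features (per-source share, per-path share, whether sources also fetch page assets) and the thresholds are assumptions chosen for this example, and the log lines are constructed.

```python
"""Rule-based triage of a traffic surge: flash crowd or HTTP DoS?
Added example on constructed access-log lines; the features and thresholds are
illustrative assumptions, not the rules of Peng et al. [44] or Alsaleem et al. [61]."""
import random
import re
from collections import Counter

# Common-log-format line, e.g.: 203.0.0.1 - - [21/Oct/2019:12:00:05 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")

# Illustrative thresholds (assumptions for this example, not values from the paper)
MAX_SINGLE_SOURCE_SHARE = 0.05  # one IP issuing >5% of a surge is not a crowd
MIN_ASSET_FOLLOW_RATIO = 0.20   # real browsers fetch page assets after the HTML
MAX_SINGLE_PATH_SHARE = 0.80    # a crowd spreads over several pages


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def surge_features(lines):
    """Summarise a surge window: how concentrated its sources and paths are and
    how many sources behave like browsers (fetch assets, not just one page)."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    src = Counter(r["ip"] for r in recs)
    paths = Counter(r["path"].split("?")[0] for r in recs)
    asset_srcs = {r["ip"] for r in recs if r["path"].split("?")[0].endswith(ASSET_SUFFIXES)}
    return {
        "requests": n,
        "sources": len(src),
        "top_src_share": src.most_common(1)[0][1] / n if n else 0.0,
        "top_path_share": paths.most_common(1)[0][1] / n if n else 0.0,
        "asset_follow_ratio": len(asset_srcs) / len(src) if src else 0.0,
        # 5xx rate is reported but not used as a rule: an honest flash crowd
        # overloads the server too, so errors alone cannot tell the two apart
        "error_ratio": sum(r["status"] >= 500 for r in recs) / n if n else 0.0,
    }


def classify_surge(features):
    """Rule-based verdict for a surge that has already tripped a volume alarm."""
    if features["top_src_share"] > MAX_SINGLE_SOURCE_SHARE:
        return "dos-suspected: traffic concentrated on few sources"
    if (features["top_path_share"] > MAX_SINGLE_PATH_SHARE
            and features["asset_follow_ratio"] < MIN_ASSET_FOLLOW_RATIO):
        return "dos-suspected: single target, no browser-like behaviour"
    return "flash-crowd: many independent browser-like clients"


def triage(lines):
    return classify_surge(surge_features(lines))


def _line(ip, path, status, second):
    return f'{ip} - - [21/Oct/2019:12:00:{second % 60:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


def make_flash_crowd(n_clients, seed=3):
    """Constructed flash event: many distinct clients each load one page and its
    assets; some get 503s because the server is genuinely overloaded."""
    rng = random.Random(seed)
    pages = ["/", "/news/launch", "/about", "/blog/2019/10"]
    assets = ["/static/app.css", "/static/app.js", "/img/hero.png", "/favicon.ico"]
    lines = []
    for i in range(n_clients):
        ip = f"203.0.{i // 254}.{i % 254 + 1}"
        lines.append(_line(ip, rng.choice(pages), rng.choice([200, 200, 200, 503]), i))
        for asset in rng.sample(assets, rng.randint(2, 4)):
            lines.append(_line(ip, asset, 200, i))
    return lines


def make_flood(n_sources, per_source, seed=5):
    """Constructed HTTP flood: sources repeat the same expensive request and never
    fetch page assets."""
    rng = random.Random(seed)
    return [_line(f"198.51.{s // 254}.{s % 254 + 1}", "/search?q=latest", rng.choice([200, 503]), k)
            for s in range(n_sources) for k in range(per_source)]


if __name__ == "__main__":
    print("flash crowd      ->", triage(make_flash_crowd(400)))
    print("10-source flood  ->", triage(make_flood(10, 150)))
    print("800-source flood ->", triage(make_flood(800, 2)))
```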
5.1. Categories & Limitations of Existing Botnet Countermeasures
5.1.1. Spoofing
5.1.2. Analysis-Based
5.1.3. Exploit/Take Down
5.1.4. Mining
6. Botnets in Mobile and Cloud Environments
7. The Botnets of the Future
8. Summary
9. Future Research Directions
10. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
1. FORTINET. Anatomy of a Botnet; Fortinet®: Sunnyvale, CA, USA, 2012.
2. Hanafy, I.M.; Salama, A.A.; Abdelfattah, M.; Wazery, Y.M. AIS Model for botnet detection in MANET using fuzzy function. Int. J. Comput. Netw. Wirel. Mob. Commun. 2013, 3, 95–102.
3. Geneiatakis, D.; Vrakas, N.; Lambrinoudakis, C. Utilizing bloom filters for detecting flooding attacks against SIP based services. Comput. Secur. 2009, 28, 578–591.
4. Garip, T.M.; Gursoy, E.M.; Reiher, P.; Gerla, M. Congestion Attacks to Autonomous Cars Using Vehicular Botnets. In Proceedings of the 2015 Network and Distributed System Security (NDSS) Workshop on Security of Emerging Networking Technologies, San Diego, CA, USA, 8 February 2015.
5. Tanwar, G.S.; Goar, V. Tools, Techniques & Analysis of Botnet. In Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies, Udaipur, India, 14–16 November 2014; ACM: New York, NY, USA, 2014; pp. 1–5.
6. Eslahi, M.; Salleh, R.; Anuar, N. Bots and botnets: An overview of characteristics, detection and challenges. In Proceedings of the International Conference on Control System, Computing and Engineering (ICCSCE), Penang, Malaysia, 23–25 November 2012; IEEE Press: Piscataway, NJ, USA, 2012; pp. 349–354.
7. Bijalwan, A.; Pilli, E.S. Understanding botnet on Internet. In Proceedings of the IEEE International Conference on Computational Intelligence and Computing Research (ICCIC), 5 November 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 1–5.
8. Khattak, S.; Ramay, N.R.; Khan, K.R.; Syed, A.A.; Khayam, S.A. A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 2013, 16, 898–924.
9. Barnett, R. Botnet Herders Targeting Web Servers. Tactical Web Application Security Blog. 14 May 2010. Available online: http://tacticalwebappsec.blogspot.com.ng/2010/05/botnet-herders-targeting-web-servers.html (accessed on 6 May 2018).
10. Greenemeier, L. Connecting with an Internet Pioneer, 40 Years Later. Scientific American. 4 December 2009. Available online: https://www.scientificamerican.com/article/internet-pioneer-cerf/ (accessed on 8 October 2017).
11. Timberg, C. Net of Insecurity: A Flaw in the Design. Washington Post. 30 May 2015. Available online: http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/?utm_term=.798dc8fff3c9 (accessed on 8 October 2017).
12. Davies, A. Computational intermediation and the evolution of computation as a commodity. Appl. Econ. 2004, 36, 1131–1142.
13. Dittrich, D. The DoS Project’s “trinoo” Distributed Denial of Service Attack Tool. 2014. Available online: http://staff.washington.edu/dittrich/misc/trinoo.analysis (accessed on 1 February 1999).
14. Qijun, G.; Liu, P. Denial of Service Attacks. San Marcos. 2007. Available online: http://s2.ist.psu.edu/paper/DDoS-Chap-Gu-June-07.pdf (accessed on 21 October 2019).
15. Network Box UK Ltd. Denial of Service Attacks (DoS); Managed Security Services; Network Box: London, UK, 2010; Available online: http://www.network-box.co.uk/sites/default/files/Denial%20of%20Service.pdf (accessed on 21 October 2019).
16. Kshetri, N. The simple economics of cybercrimes. IEEE Secur. Priv. 2006, 4, 33–39.
17. Gorman, S. Annual U.S. Cybercrime Costs Estimated at $100 Billion; Study Casts Doubt on Previous, Higher Figures. Wall Street Journal Publications. 22 July 2013. Available online: https://www.wsj.com/articles/SB10001424127887324328904578621880966242990 (accessed on 3 March 2018).
18. Symantec. Norton Study Calculates Cost of Global Cybercrime: $114 Billion Annually; Symantec: Mountain View, CA, USA, 2011; Available online: http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02 (accessed on 26 April 2015).
19. Internet Crime Complaint Centre (IC3). The Internet Crime Complaint Center Receives 3 Millionth Complaint. Available online: http://www.ic3.gov/media/2014/140519.aspx (accessed on 24 April 2015).
20. World Economic Forum (WEF). The Global Risks Report 2018, 13th ed.; World Economic Forum: Geneva, Switzerland, 2018; Available online: http://www3.weforum.org/docs/WEF_GRR18_Report.pdf (accessed on 19 January 2018).
21. Internet Crime Complaint Centre (IC3). 2010 Internet Crime Report. Available online: http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf (accessed on 24 April 2015).
22. Council of Europe. Convention on Cybercrime; The Council of Europe’s Official Treaty Office: Strasbourg, France, 2001; Available online: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (accessed on 24 April 2015).
23. United Nations Educational, Scientific and Cultural Organisation (UNESCO). The COE International Convention on Cybercrime before Its Entry Into Force; United Nations Educational, Scientific and Cultural Organisation: Paris, France, 2014; Available online: http://portal.unesco.org/culture/en/files/19556/11515912361coe_e.pdf/coe_e.pdf (accessed on 24 April 2015).
24. Council of Europe. Convention on Cybercrime, CETS No. 185; The Council of Europe’s Official Treaty Office: Strasbourg, France, 2001; Available online: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures (accessed on 23 January 2018).
25. Sinrod, E.J.; Reilly, W.P. Cyber-crimes: A practical approach to the application of federal computer crime laws. St. Clara Comput. High Tech. LJ 2000, 16, 177.
26. Lee, T.B. How a Grad Student Trying to Build the First Botnet Brought the Internet to Its Knees; The Washington Post: Washington, DC, USA, 2013.
27. Egg Development Team. Eggdrop: Open Source IRC Bot. Available online: http://www.eggheads.org/ (accessed on 21 October 2019).
28. Mashevsky, Y. The Bagle Botnet. SECURELIST: Information about Viruses, Hackers and Spam. 22 April 2005. Available online: http://securelist.com/analysis/36046/the-bagle-botnet/ (accessed on 26 April 2015).
29. Cuevas, A. Botnets: Zombies, Spam, and Attacks; Sites At Penn State: State College, PA, USA, 2015; Available online: http://sites.psu.edu/psucybersecuritycuevas/2015/02/18/botnets-zombies-spam-and-attacks/ (accessed on 26 April 2015).
30. Miller, C. Researchers Hijack Control of Torpig Botnet. IT Security News and Security Product Reviews, SC Magazine. 2 May 2009. Available online: http://www.scmagazine.com/researchers-hijack-control-of-torpig-botnet/article/136207/ (accessed on 26 April 2015).
31. Gupta, B.B.; Joshi, R.C.; Misra, M. Distributed Denial of Service Prevention Techniques. Int. J. Comput. Electr. Eng. 2010, 2, 268–276.
32. SOPHOS. Security Threat Report 2014; SOPHOS: Oxford, UK, 2014.
33. Stackpole, B. Is Your Firm Resting on its Security Laurels? Symantec Blog. 28 November 2017. Available online: https://www.symantec.com/blogs/feature-stories/your-firm-resting-its-security-laurels?es_p=5721813 (accessed on 1 January 2018).
34. KPMG. Cybercrime Survey Report 2014; KPMG: Mumbai, India, 2014; Available online: https://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/KPMG_Cyber_Crime_survey_report_2014.pdf (accessed on 26 April 2015).
35. DeSimone, A.; Horton, N. Sony’s Nightmare before Christmas: The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace; National Security Report; The Johns Hopkins University Applied Physics Laboratory LLC: Laurel, MD, USA, 2017; Available online: https://www.jhuapl.edu/Content/documents/SonyNightmareBeforeChristmas.pdf (accessed on 25 October 2019).
36. Böck, L.; Vasilomanolakis, E.; Wolf, J.H.; Mühlhäuser, M. Autonomously detecting sensors in fully distributed botnets. Comput. Secur. 2019, 83, 1–13.
37. Salamatian, S.; Huleihel, W.; Beirami, A.; Cohen, A.; Médard, M. Why botnets work: Distributed brute-force attacks need no synchronisation. IEEE Trans. Inf. Forensics Secur. 2019, 14, 2288–2299.
38. Marupally, P.R.; Paruchuri, V. Comparative Analysis and Evaluation of Botnet Command and Control Models. In Proceedings of the 24th IEEE International Conference of Advanced Information Networking and Applications (AINA), Washington, DC, USA, 20–23 April 2010; pp. 82–89.
39. Rossow, C.; Andriesse, D.; Werner, T.; Stone-Gross, B.; Plohmann, D.; Dietrich, C.J.; Bos, H. SoK: P2PWNED - modeling and evaluating the resilience of peer-to-peer botnets. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 19–22 May 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 97–111.
40. Xiao-Nan, L.; Yang, L.; Hua, Z. Peer-to-Peer botnets: Analysis and defense. In Proceedings of the 3rd IEEE International Conference on Communication Software and Networks (ICCSN), Xi’an, China, 27–29 May 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 140–143.
41. Xiang, C.; Lihua, Y.; Shuyuan, J.; Zhiyu, H.; Shuhao, L. Botnet Spoofing: Fighting Botnet with Itself. Secur. Commun. Netw. 2015, 8, 80–89.
42. Vormayr, G.; Zseby, T.; Fabini, J. Botnet Communication Patterns. IEEE Commun. Surv. Tutor. 2017, 19, 2768–2796.
43. Ogu, E.C.; Vrakas, N.; Ogu, C.; Ajose-Ismail, B.M. On the Internal Workings of Botnets: A Review. Int. J. Comput. Appl. 2016, 138, 39–43.
44. Peng, T.; Leckie, C.; Ramamohanarao, K. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 2007, 39.
45. Beek, C. Necurs Botnet Leads the World in Sending Spam Traffic. Available online: https://securingtomorrow.mcafee.com/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/ (accessed on 24 June 2018).
46. Xie, Y.; Yu, F.; Achan, K.; Panigrahy, R.; Hulten, G.; Osipkov, I. Spamming botnets: Signatures and characteristics. ACM SIGCOMM Comput. Commun. Rev. 2008, 38, 171–182.
47. Antonakakis, M.; April, T.; Bailey, M.; Bernhard, M.; Bursztein, E.; Cochran, J.; Durumeric, Z.; Halderman, J.A.; Invernizzi, L.; Kallitsis, M.; et al. Understanding the Mirai Botnet. In Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, Canada, 16–18 August 2017; USENIX: Berkeley, CA, USA, 2017; pp. 1093–1110.
48. Newman, L. What We Know about Friday’s Massive East Coast Internet Outage. WIRED. 21 October 2016. Available online: https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/ (accessed on 24 June 2018).
49. Kolias, C.; Kambourakis, G.; Stavrou, A.; Voas, J. DDoS in the IoT: Mirai and other botnets. Computer 2017, 50, 80–84.
50. Kambourakis, G.; Kolias, C.; Stavrou, A. The Mirai botnet and the IoT zombie armies. In Proceedings of the MILCOM 2017–2017 IEEE Military Communications Conference (MILCOM), Baltimore, MD, USA, 23–25 October 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 267–272.
51. Cimpanu, C. The Satori Botnet Is Mass-Scanning for Exposed Ethereum Mining Rigs. BLEEPINGCOMPUTER. 18 May 2018. Available online: https://www.bleepingcomputer.com/news/security/the-satori-botnet-is-mass-scanning-for-exposed-ethereum-mining-rigs/ (accessed on 24 June 2018).
52. Ragan, S. ZBot Data Dump Discovered with over 74,000 FTP Credentials; The Tech Herald: Mumbai, India, 2009; Available online: http://www.thetechherald.com/article.php/200927/3960/ZBot-data-dump-discovered-with-over-74-000-FTP-credentials (accessed on 17 November 2009).
53. Zetter, K. Hacker Lexicon: Botnets, the Zombie Computer Armies That Earn Hackers Millions. WIRED. 15 December 2015. Available online: https://www.wired.com/2015/12/hacker-lexicon-botnets-the-zombie-computer-armies-that-earn-hackers-millions/ (accessed on 24 June 2018).
54. BBC. Botnet Steals ‘Millions of Dollars from Advertisers’; BBC: London, UK, 2013; Available online: http://www.bbc.com/news/technology-21860360 (accessed on 25 June 2018).
55. Plohmann, D.; Gerhards-Padilla, E.; Leder, F. Botnets: Detection, Measurement, Disinfection & Defence; The European Network and Information Security Agency (ENISA): Heraklion, Greece, 2011.
56. Kambourakis, G.; Anagnostopoulos, M.; Meng, W.; Zhou, P. Botnets: Architectures, Countermeasures, and Challenges; CRC Press: Boca Raton, FL, USA, 2019.
57. Stone-Gross, B.; Cova, M.; Cavallaro, L.; Gilbert, B.; Szydlowski, M.; Kemmerer, R.; Kruegel, C.; Vigna, G. Your botnet is my botnet: Analysis of a botnet takeover. In Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009; ACM: New York, NY, USA, 2009; pp. 635–647.
58. Ianelli, N.; Hackworth, A. Botnets as a vehicle for online crime. Forensic Comput. Sci. IJoFCS 2005, 2, 19–39.
59. Honeynet Project and Research Alliance. Know Your Enemy: Tracking Botnets. Available online: http://www.honeynet.org/papers/bots/ (accessed on 21 October 2019).
60. Luo, H.; Chen, Z.; Li, J.; Vasilakos, A.V. Preventing distributed denial-of-service flooding attacks with dynamic path identifiers. IEEE Trans. Inf. Forensics Secur. 2017, 12, 1801–1815.
61. Alsaleem, S.; Manickam, S.; Anbar, M.; Alnajjar, A.; Saleh, E. A Rule-Based Mechanism for Detecting HTTP Denial of Service Attacks During Flash Crowd Event. Adv. Sci. Lett. 2017, 23, 5423–5425.
62. Saad, R.M.; Anbar, M.; Manickam, S. Rule-based detection technique for ICMPv6 anomalous behaviour. Neural Comput. Appl. 2017, 30, 1–10.
63. Jazi, H.H.; Gonzalez, H.; Stakhanova, N.; Ghorbani, A.A. Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling. Comput. Netw. 2017, 121, 25–36.
64. Behal, S.; Kumar, K.; Sachdeva, M. Characterizing DDoS attacks and flash events: Review, research gaps and future directions. Comput. Sci. Rev. 2017, 25, 101–114.
65. Lonea, A.M.; Popescu, D.E.; Tianfield, H. Detecting DDoS attacks in cloud computing environment. Int. J. Comput. Commun. Control 2013, 8, 70–78.
66. D’Cruze, H.; Wang, P.; Sbeit, R.O.; Ray, A. A Software-Defined Networking (SDN) Approach to Mitigating DDoS Attacks. In Information Technology: New Generations; Springer: Cham, Switzerland, 2018; pp. 141–145.
67. He, Z.; Zhang, T.; Lee, R.B. Machine Learning Based DDoS Attack Detection from Source Side in Cloud. In Proceedings of the IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud), New York, NY, USA, 26–28 June 2017; IEEE: New York, NY, USA, 2017; pp. 114–120.
68. Nidhi, M.V.; Prasad, K.M. Detection of Anomaly Based Application Layer DDoS Attacks Using Machine Learning Approaches. i-Manag. J. Comput. Sci. 2016, 4, 6–13.
69. Liu, B.; Bi, J.; Vasilakos, A.V. Toward incentivizing anti-spoofing deployment. IEEE Trans. Inf. Forensics Secur. 2014, 9, 436–450.
- Liu, B.; Bi, J. On the Deployability of Inter-AS Spoofing Defenses. Network 2015, 29, 82–87. [Google Scholar] [CrossRef]
- Ying, W. Encrypted Botnet Detection Scheme. In Proceedings of the Ninth International Conference on P2P, Parallel, Grid, Cloud andInternet Computing (3PGCIC), Guangdong, China, 8–10 November 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 559–565. [Google Scholar]
- Zhang, H.; Papadopoulos, C.; Massey, D. Detecting encrypted botnet traffic. In Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Turin, Italy, 14–19 April 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 163–168. [Google Scholar]
- Zand, A.; Vigna, G.; Yan, X.; Kruegel, C. Extracting probable command and control signatures for detecting botnets. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, Gyeongju, Korea, 24–28 March 2014; Association for Computing Machinery: New York, NY, USA, 2014; pp. 1657–1662. [Google Scholar]
- Bilge, L.; Balzarotti, D.; Robertson, W.; Kirda, E.; Kruegel, C. Disclosure: Detecting botnet command and control servers through large-scale netflow analysis. In Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 3–7 December 2012; Association for Computing Machinery: New York, NY, USA, 2012; pp. 129–138. [Google Scholar]
- Bhatia, J.S.; Sehgal, R.K.; Kumar, S. Honeynet based botnet detection using command signatures. In Advances in Wireless, Mobile Networks and Applications; Springer: Berlin/Heidelberg, Germany, 2011; pp. 69–78. [Google Scholar]
- Wang, K.; Huang, C.-Y.; Tsai, L.-Y.; Lin, Y.-D. Behaviour-based botnet detection in parallel. In Security and Communication Networks; John Wiley & Sons Ltd.: Hoboken, NJ, USA, 2014. [Google Scholar]
- Boukhtouta, A.; Lakhdari, N.E.; Mokhov, S.A.; Debbabi, M. Towards fingerprinting malicious traffic. Procedia Comput. Sci. 2013, 19, 548–555. Available online: http://www.sciencedirect.com/science/article/pii/S1877050913006819 (accessed on 21 Ocotober 2019). [CrossRef]
- Zhao, D.; Traore, I.; Sayed, B.; Lu, W.; Saad, S.; Ghorbani, A.; Garant, D. Botnet detection based on traffic behavior analysis and flow intervals. Comput. Secur. 2013, 39, 2–16. [Google Scholar] [CrossRef]
- Caglayan, A.; Toothaker, M.; Drapeau, D.; Burke, D.; Eaton, G. Behavioral analysis of botnets for threat intelligence. Inf. Syst. E-Bus. Manag. 2012, 10, 491–519. [Google Scholar] [CrossRef]
- Jia, Y.; Chen, Y.; Dong, X.; Saxena, P.; Mao, J.; Liang, Z. Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning. Comput. Secur. 2015, 55, 62–80. [Google Scholar] [CrossRef]
- Mathew, S.E.; Ali, A.; Stephen, J. Genetic algorithm based layered detection and defense of HTTP botnet. Int. J. Netw. Secur. 2014, 5, 50–61. [Google Scholar]
- Choi, J.; Choi, C.; Ko, B.; Kim, P. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment. Soft Comput. 2014, 18, 1697–1703. [Google Scholar] [CrossRef]
- Eslahi, M.; Hashim, H.; Tahir, N.M. An efficient false alarm reduction approach in HTTP-based botnet detection. In Proceedings of the 2013 IEEE Symposium on Computers Informatics (ISCI), Langkawi, Malaysia, 7–9 April 2013; pp. 201–205. [Google Scholar]
- Seo, I.; Lee, H.; Han, S.C. Cylindrical Coordinates Security Visualisation for multiple domain command and control botnet detection. Comput. Secur. 2014, 46, 141–153. [Google Scholar] [CrossRef]
- Futai, Z.; Siyu, Z.; Weixiong, R. Hybrid detection and tracking of fast-flux botnet on domain name system traffic. Commun. China 2013, 10, 81–94. [Google Scholar] [CrossRef]
- Abdullah, R.S.; Mas’ ud, M.Z.; Abdollah, M.F.; Sahib, S.; Yusof, R. Recognizing P2P botnets characteristic through TCP distinctive behaviour. Int. J. Comput. Sci. Inf. Secur. 2011, 9, 7–11. [Google Scholar]
- Wang, J.; Paschalidis, I.C. Botnet detection using social graph analysis. In Proceedings of the 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton), Monticello, IL, USA, 27–30 September 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 393–400. [Google Scholar] [Green Version]
- Zhang, J.; Xie, Y.; Yu, F.; Soukal, D.; Lee, W. Intention and Origination: An Inside Look at Large-Scale Bot Queries. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, 24–27 February 2013. [Google Scholar]
- Raghava, N.S.; Sahgal, D.; Chandna, S. Classification of botnet detection based on botnet architechture. In Proceedings of the International Conference on Communication Systems and Network Technologies (CSNT), Rajkot, India, 11–13 May 2012; IEEE: Piscataway, NJ, USA, 2012; pp. 569–572. [Google Scholar]
- Spitzner, L. Honeypots: Tracking Hackers; Addison Wesley Professional: Boston, MA, USA, 2003; Volume 1. [Google Scholar]
- Al-Hakbani, M.M.; Dahshan, M.H. Avoiding honeypot detection in peer-to-peer botnets. In Proceedings of the IEEE International Conference on Engineering and Technology (ICETECH), Liverpool, UK, 26–28 October 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 1–7. [Google Scholar]
- Daniel, A.; Hongmei, C. An empirical study of botnets on university networks using low-interaction honeypots. In Proceedings of the 51st ACM Southeast Conference, Savannah, GA, USA, 4–6 April 2013; Association for Computing Machinery: Atlanta, GA, USA, 2013. [Google Scholar] [CrossRef]
- Moon, Y.H.; Kim, E.; Hur, S.M.; Kim, H.K. Detection of botnets before activation: An enhanced honeypot system for intentional infection and behavioral observation of malware. Secur. Commun. Netw. 2012, 5, 1094–1101. [Google Scholar] [CrossRef]
- Barfar, A.; Mohammadi, S. Honeypots: Intrusion deception. Inf. Syst. Secur. Assoc. J. 2015, 48, 15. [Google Scholar]
- Landecki, G. Detecting Botnets, Issue 177. Linux® Journal. 1 January 2009. Available online: http://www.linuxjournal.com/magazine/detecting-botnets (accessed on 17 Januuary 2018).
- Panimalar, P.; Rameshkumar, K. A review on taxonomy of botnet detection. In Proceedings of the International Conference on Advances in Engineering and Technology (ICAET), Singapore, 29–30 March 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 1–4. [Google Scholar]
- Seewald, A.K.; Gansterer, W.N. On the detection and identification of botnets. Comput. Secur. 2010, 29, 45–58. [Google Scholar] [CrossRef]
- Huang, C.Y. Effective bot host detection based on network failure models. Comput. Netw. 2013, 57, 514–525. [Google Scholar] [CrossRef]
- Narang, P.; Ray, S.; Hota, C.; Venkatakrishnan, V. Peershark: Detecting peer-to-peer botnets by tracking conversations. In Proceedings of the 2014 IEEE Security and Privacy Workshops (SPW)), San Jose, CA, USA, 17–18 May 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 108–115. [Google Scholar]
- Narang, P.; Hota, C.; Venkatakrishnan, V.N. PeerShark: Flow-clustering and conversation-generation for malicious peer-to-peer traffic identification. EURASIP J. Inf. Secur. 2014, 1, 1–12. [Google Scholar] [CrossRef]
- Watkins, L.; Kawka, C.; Corbett, C.; Robinson, W.H. Fighting banking botnets by exploiting inherent command and control vulnerabilities. In Proceedings of the 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), Fajardo, PR, USA, 28–30 October 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 93–100. [Google Scholar]
- Yan, Z.; Kantola, R.; Shen, Y. Unwanted traffic control via hybrid trust management. In Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Liverpool, UK, 25–27 June 2012; IEEE: Piscataway, NJ, USA, 2012; pp. 666–673. [Google Scholar]
- Hangxia, Z. Mitigating Peer-to-Peer Botnets by Sybil Attacks. In Proceedings of the International Conference on Innovative Computing & Communication, 2010 and Information Technology & Ocean Engineering and 2010 Asia-Pacific Conference on (CICC-ITOE), Macao, China, 30–31 January 2010; IEEE: Piscataway, NJ, USA, 2010; pp. 241–243. [Google Scholar]
- Lin, S.C.; Chen, P.S.; Chang, C.C. A novel method of mining network flow to detect P2P botnets. Peer Peer Netw. Appl. 2014, 7, 645–654. [Google Scholar] [CrossRef]
- Eskandari, M.; Raesi, H. Frequent sub-graph mining for intelligent malware detection. Secur. Commun. Netw. 2014, 7, 1872–1886. [Google Scholar] [CrossRef]
- Tsuruta, H.; Shoudai, T. Structure-based Data Mining and Screening for Network Traffic Data. In Proceedings of the IIAI International Conference on Advanced Applied Informatics (IIAIAAI), Matsue, Japan, 31 August–4 September 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 152–157. [Google Scholar]
- Garant, D.; Lu, W. Mining Botnet Behaviors on the Large-Scale Web Application Community. In Proceedings of the 27th International Conference on Advanced Information Networking and Applications Workshops (WAINA), Barcelona, Spain, 25–28 March 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 185–190. [Google Scholar]
- Ohrui, M.; Kikuchi, H.; Terada, M.; Rosyid, N.R. Apriori-PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks. In Proceedings of the 14th International Conference on Network-Based Information Systems (NBiS), Tirana, Albania, 7–9 September 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 92–97. [Google Scholar]
- Monshizadeh, M.; Yan, Z. Security Related Data Mining. In Proceedings of the IEEE International Conference on Computer and Information Technology (CIT), Xi’an, China, 11–13 Septeberm 2014; pp. 775–782. [Google Scholar]
- So-In, C.; Mongkonchai, N.; Aimtongkham, P.; Wijitsopon, K.; Rujirakul, K. An evaluation of data mining classification models for network intrusion detection. In Proceedings of the Fourth International Conference on Digital Information and Communication Technology and It’s Applications (DICTAP), Bangkok, Thailand, 6–8 May 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 90–94. [Google Scholar]
- Mtibaa, A.; Harras, K.A.; Alnuweiri, H. From botnets to MobiBots: A novel malicious communication paradigm for mobile botnets. IEEE Commun. Mag. 2015, 53, 61–67. [Google Scholar] [CrossRef]
- Anagnostopoulos, M.; Kambourakis, G.; Gritzalis, S. New facets of mobile botnet: Architecture and evaluation. Int. J. Inf. Secur. 2016, 15, 455–473. [Google Scholar] [CrossRef]
- Anagnostopoulos, M.; Kambourakis, G.; Drakatos, P.; Karavolos, M.; Kotsilitis, S.; Yau, D.K. Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing. In Proceedings of the International Conference on Web Information Systems Engineering, Moscow, Russia, 7–11 October 2017; Springer: Cham, Switzerland, 2017; pp. 517–527. [Google Scholar]
- Conti, M.; Mancini, L.V.; Spolaor, R.; Verde, N.V. Analyzing Android Encrypted Network Traffic to Identify User Actions. IEEE Trans. Inf. Forensics Secur. 2016, 11, 114–125. [Google Scholar] [CrossRef]
- Kadir, A.F.; Stakhanova, N.; Ghorbani, A.A. Android Botnets: What URLs are Telling Us. Network and System Security; Springer: Cham, Switzerland, 2015; pp. 78–91. [Google Scholar]
- Farina, P.; Cambiaso, E.; Papaleo, G.; Aiello, M. Understanding DDoS Attacks from Mobile Devices. In Proceedings of the 3rd International Conference on FutureInternet of Things and Cloud (FiCloud), Rome, Italy, 24–26 August 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 614–619. [Google Scholar]
- Alzahrani, A.J.; Ghorbani, A.A. Real-time signature-based detection approach for SMS botnet. In Proceedings of the 13th Annual Conference on Privacy, Security and Trust (PST), Izmir, Turkey, 21–23 July 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 157–164. [Google Scholar]
- Natarajan, V.; Sheen, S.; Anitha, R. Multilevel Analysis to Detect Covert Social Botnet in Multimedia Social Networks. Comput. J. 2015, 58, 679–687. [Google Scholar] [CrossRef]
- Liao, Q.; Li, Z. Portfolio optimisation of computer and mobile botnets. Int. J. Inf. Secur. 2014, 13, 1–14. [Google Scholar] [CrossRef]
- Eslahi, M.; Rostami, M.R.; Hashim, H.; Tahir, N.M.; Naseri, M.V. A data collection approach for Mobile Botnet analysis and detection. In Proceedings of the IEEE Symposium on Wireless Technology and Applications (ISWTA), Kota Kinabalu, Malaysia, 28 September–1 October 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 199–204. [Google Scholar]
- Mtibaa, A.; Alnuweiri, H.; Harras, K. Mobibots: Risk Assessment Of Collaborative Mobile-to-mobile Malicious Communication. In Proceedings of the Qatar Foundation Annual Research Conference, Doha, Qatar, 18–19 November 2014; p. ITPP1085. [Google Scholar]
- Abdullah, Z.; Saudi, M.M.; Anuar, N.B. Mobile botnet detection: Proof of concept. In Proceedings of the 5th IEEE Control and System Graduate Research Colloquium (ICSGRC), Shah Alam, Malaysia, 4–5 August 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 257–262. [Google Scholar]
- Hamon, V. Android botnets for multi-targeted attacks. J. Comput. Virol. Hacking Tech. 2014, 1–10. [Google Scholar] [CrossRef]
- Mtibaa, A. MobiBots: Towards detecting distributed mobile botnets. In Proceedings of the Qatar Foundation Annual Research Conference, Doha, Qatar, 24–25 November 2013; p. ICTO-05. [Google Scholar]
- Choi, B.; Choi, S.K.; Cho, K. Detection of mobile botnet using vpn. In Proceedings of the Seventh International Conference on Innovative Mobile andInternet Services in Ubiquitous Computing (IMIS), Taichung, Taiwan, 3–5 July 2013; IEEE: Piscataway, NJ, USA, 2013; pp. 142–148. [Google Scholar]
- Apvrille, A. Symbian worm Yxes: Towards mobile botnets? J. Comput. Virol. 2012, 8, 117–131. [Google Scholar] [CrossRef]
- Mtibaa, A.; Harras, K.; Alnuweiri, H. Malicious attacks in Mobile Device Clouds: A data driven risk assessment. In Proceedings of the 23rd International Conference on Computer Communication and Networks (ICCCN), Shanghai, China, 4–7 August 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 1–8. [Google Scholar]
- Li, Q.; Larsen, C.; van der Horst, T. IPv6: A Catalyst and Evasion Tool for Botnets and Malware Delivery Networks. Computer 2013, 46, 76–82. [Google Scholar] [CrossRef]
- Zhao, S.; Lee, P.P.; Lui, J.; Guan, X.; Ma, X.; Tao, J. Cloud-based push-styled mobile botnets: A case study of exploiting the cloud to device messaging service. In Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 3–7 December 2012; Association for Computing Machinery (ACM): New York, NY, USA, 2012; pp. 119–128. [Google Scholar]
- Badis, H.; Doyen, G.; Khatoun, R. A collaborative approach for a source based detection of botclouds. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada, 11–15 May 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 906–909. [Google Scholar]
- Kebande, V.R.; Venter, H.S. A cognitive approach for botnet detection using Artificial Immune System in the cloud. In Proceedings of the Third International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), Beirut, Lebanon, 29 April–1 May 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 52–57. [Google Scholar]
- Alosaimi, W.; Zak, M.; Al-Begain, K.; Alroobaea, R.; Masud, M. Mitigation of Distributed Denial of Service Attacks in the Cloud. Cybern. Inf. Technol. 2017, 17, 32–51. [Google Scholar] [CrossRef] [Green Version]
- Wahab, O.A.; Bentahar, J.; Otrok, H.; Mourad, A. I Know You Are Watching Me: Stackelberg-Based Adaptive Intrusion Detection Strategy for Insider Attacks in the Cloud. In Proceedings of the IEEE International Conference on Web Services (ICWS), Honolulu, HI, USA, 25–30 June 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 728–735. [Google Scholar]
- Daffu, P.; Kaur, A. Mitigation of DDoS attacks in cloud computing. In Proceedings of the 5th International Conference on Wireless Networks and Embedded Systems (WECON), Rajpura, India, 19–20 April 2016; IEEE: Piscataway, NJ, USA, 2016; pp. 1–5. [Google Scholar] [CrossRef]
- Chang, W.; Wang, A.; Mohaisen, A.; Chen, S. Characterizing botnets-as-a-service. In Proceedings of the 2014 ACM Conference on SIGCOMM, Chicago, IL, USA, 17–22 August 2014; Association for Computing Machinery (ACM): New York, NY, USA, 2014; pp. 585–586. [Google Scholar]
- Bottazzi, G.; Me, G. The Botnet Revenue Model. In Proceedings of the 7th International Conference on Security of Information and Networks, Glasgow, UK, 9–11 November 2014; ACM: New York, NY, USA, 2014; pp. 459–465. [Google Scholar]
- Vasilomanolakis, E.; Wolf, J.H.; Böck, L.; Karuppayah, S.; Mühlhäuser, M. I Trust my Zombies: A Trust-enabled Botnet. arXiv 2017, arXiv:1712.03713. [Google Scholar]
Comparison of C&C architectures (the four architecture columns are Direct, Centralised, P2P/Decentralised and Hybrid):

S/N | Characteristics | Direct | Centralised | P2P/Decentralised | Hybrid
---|---|---|---|---|---
1 | Setup | Easiest | Easy | Fairly Difficult | Difficult (difficulty increases with hybridisation)
2 | Administration | Difficult | Less Difficult | Easy | Easier
3 | Resilience | Least | Fair | Moderate | High
4 | Ease of takeout | Easiest | Easy | Moderately Difficult | Difficult
5 | Ease and Accuracy of Traceback | Easiest | Easy | Difficult | Very Difficult
6 | Command Dissemination Latency (the time it would take a command issued by the botmaster to travel through to the very last bot in the botnet) | Instant | Fast | Moderately Slow | Slow (speed of dissemination decreases further with depth and level of hybridisation)
7 | Possibility of Botnet Failure | Instant | Easier | Easy | Difficult
8 | Botnet Enumeration | Near Impossible | Easier | Easy | Difficult
9 | Botnet Franchisement | Difficult | Easiest (and more structured) | Easier | Easy
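The table compares the architectures qualitatively. As an added illustration that is not part of the paper, the Python model below measures two of its rows, command dissemination latency (row 6) and resilience to a takedown (rows 3 and 4), on constructed toy topologies: a star for the centralised case, a ring lattice standing in for a P2P overlay, and a ring of "servant" super-peers each fronting a star of clients for the hybrid case. The sizes, the ring-lattice choice, the entry points at which the botmaster injects a command, and the "remove one node" takedown are all assumptions of this example; the Direct column is omitted because in a plain graph it is a star whose hub is the botmaster itself. What the exercise shows a defender is why the takedown that works against a centralised botnet (one node) does not transfer to the distributed designs, and that measured latency depends strongly on how many entry points the botmaster uses; the table's finer ordering of P2P against Hybrid rests on operational factors this model does not capture.

```python
"""Toy graph model for two rows of the C&C architecture table above.

A botnet is a directed graph {node: set(neighbours)}; an edge u -> v means
u can relay a command to v. Topologies, sizes, entry points and the
single-node takedown are constructed for illustration (not from the paper).
"""
from collections import deque

MASTER = "master"


def build_centralised(n_bots):
    """Star: one C&C server relays every command; bots never talk to each other."""
    g = {MASTER: {"cc"}, "cc": {f"bot{i}" for i in range(n_bots)}}
    for i in range(n_bots):
        g[f"bot{i}"] = set()
    return g


def build_p2p(n_bots, chord, entry_points):
    """Ring lattice as a stand-in for a P2P overlay: bot i peers symmetrically
    with i+-1 .. i+-chord (mod n). The botmaster injects at entry_points."""
    bots = [f"bot{i}" for i in range(n_bots)]
    g = {MASTER: {bots[i] for i in entry_points}}
    for b in bots:
        g[b] = set()
    for i in range(n_bots):
        for d in range(1, chord + 1):
            j = (i + d) % n_bots
            g[bots[i]].add(bots[j])
            g[bots[j]].add(bots[i])
    return g


def build_hybrid(n_servants, clients_per_servant, entry_points):
    """Servants form a ring (the P2P layer); each servant fronts a star of
    client bots that only ever hear from their own servant."""
    servants = [f"servant{i}" for i in range(n_servants)]
    g = {MASTER: {servants[i] for i in entry_points}}
    for i, s in enumerate(servants):
        nxt = servants[(i + 1) % n_servants]
        g.setdefault(s, set()).add(nxt)
        g.setdefault(nxt, set()).add(s)
    for i, s in enumerate(servants):
        for c in range(clients_per_servant):
            client = f"client{i}_{c}"
            g[s].add(client)
            g[client] = set()
    return g


def dissemination(g, removed=frozenset()):
    """BFS from the botmaster, skipping removed nodes; returns {node: hops}."""
    hops = {MASTER: 0}
    queue = deque([MASTER])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v in removed or v in hops:
                continue
            hops[v] = hops[u] + 1
            queue.append(v)
    return hops


def latency(g):
    """Hops from the botmaster to the most distant reachable node (row 6)."""
    return max(dissemination(g).values())


def worst_single_takedown(g):
    """Remove each non-master node in turn and report the one whose loss leaves
    the botmaster in control of the smallest share of the botnet (rows 3, 4).
    Returns (node, fraction_still_reachable); ties keep the first node found."""
    members = [n for n in g if n != MASTER]
    worst = (None, 1.0)
    for target in members:
        reached = dissemination(g, removed={target})
        survivors = sum(1 for n in members if n != target and n in reached)
        fraction = survivors / len(members)
        if fraction < worst[1]:
            worst = (target, fraction)
    return worst


def compare():
    """Build one toy instance per architecture and measure both properties."""
    nets = {
        "centralised": build_centralised(30),
        "p2p": build_p2p(30, chord=2, entry_points=[0, 10, 20]),
        "hybrid": build_hybrid(6, clients_per_servant=5, entry_points=[0, 3]),
    }
    return {name: {"latency_hops": latency(g),
                   "worst_takedown": worst_single_takedown(g)}
            for name, g in nets.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        node, frac = r["worst_takedown"]
        print(f"{name:12s} latency={r['latency_hops']} hops; removing {node} "
              f"leaves {frac:.0%} of the botnet under the botmaster's control")
```

Running the script prints one line per architecture: the centralised star is fully disabled by removing its C&C server, while removing any one node of the ring or one servant of the hybrid leaves most of the botnet under control. Re-running `build_p2p` with a single entry point roughly doubles the measured latency, which is the sense in which row 6 depends on how the botmaster seeds a command and not only on the topology.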
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Ogu, E.C.; Ojesanmi, O.A.; Awodele, O.; Kuyoro, ‘S. A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far. Information 2019, 10, 337. https://doi.org/10.3390/info10110337