A Moving Target Defense Approach to Disrupting Stealthy Botnets

Published: 24 October 2016

Abstract

Botnets are increasingly being used for exfiltrating sensitive data from mission-critical systems. Research has shown that botnets have become extremely sophisticated and can operate in stealth mode by minimizing their host and network footprint. In order to defeat exfiltration by modern botnets, we propose a moving target defense approach for dynamically deploying detectors across a network. Specifically, we propose several strategies based on centrality measures to periodically change the placement of detectors. Our objective is to increase the attacker's effort and likelihood of detection by creating uncertainty about the location of detectors and forcing botmasters to perform additional actions in an attempt to create detector-free paths through the network. We present metrics to evaluate the proposed strategies and an algorithm to compute a lower bound on the detection probability. We validate our approach through simulations, and results confirm that the proposed solution effectively reduces the likelihood of successful exfiltration campaigns.
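The abstract describes the mechanism only in outline: detectors are placed on nodes chosen by a centrality measure, the placement is re-drawn periodically, and the botmaster has to spend effort (and risk detection) to find a detector-free path to the egress. The simulation below is an added illustration of that idea and is not the paper's code: the topology, the use of betweenness centrality, the centrality-weighted random placement rule, the attacker model (the botmaster learns the previous period's placement and routes around it from whichever bot can) and the Monte Carlo detection-rate estimate are all assumptions chosen for the example, not the paper's strategies, metrics or lower-bound algorithm.

```python
"""Toy moving-target detector placement vs. an exfiltrating botnet (added example,
not the paper's code; topology, placement rule and attacker model are assumptions)."""
import random
from collections import deque

# Constructed topology (assumption): access routers acc1..acc3 hang off a two-node
# core, "egress" is the only way out of the network, h1..h4 are end hosts.
TOPOLOGY = {
    "egress": ["core1", "core2"],
    "core1": ["egress", "core2", "acc1", "acc2"],
    "core2": ["egress", "core1", "acc1", "acc3"],
    "acc1": ["core1", "core2", "h1", "h2"],
    "acc2": ["core1", "h3"],
    "acc3": ["core2", "h4"],
    "h1": ["acc1"], "h2": ["acc1"], "h3": ["acc2"], "h4": ["acc3"],
}


def betweenness(graph):
    """Unweighted betweenness centrality (Brandes' algorithm) on an undirected graph."""
    cb = {v: 0.0 for v in graph}
    for s in graph:
        stack, pred = [], {v: [] for v in graph}
        sigma = {v: int(v == s) for v in graph}        # number of shortest s->v paths
        dist = {v: 0 if v == s else -1 for v in graph}
        queue = deque([s])
        while queue:                                   # BFS from s
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in graph}
        while stack:                                   # back-propagate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return {v: c / 2 for v, c in cb.items()}           # each unordered pair counted twice


def place_detectors(centrality, k, rng, strategy):
    """'static': the k most central candidates, never moved.  'mtd': k candidates drawn
    without replacement with probability proportional to centrality (+0.1 so that no
    candidate is ever impossible), redrawn every period."""
    if strategy == "static":
        return set(sorted(centrality, key=centrality.get, reverse=True)[:k])
    pool, chosen = dict(centrality), set()
    while len(chosen) < k:
        nodes = list(pool)
        pick = rng.choices(nodes, weights=[pool[n] + 0.1 for n in nodes], k=1)[0]
        chosen.add(pick)
        del pool[pick]
    return chosen


def shortest_path(graph, src, dst, avoid=frozenset()):
    """BFS path src->dst whose intermediate nodes are not in `avoid`; None if none exists."""
    parent, queue = {src: None}, deque([src])
    while queue:
        v = queue.popleft()
        if v == dst:
            path = []
            while v is not None:
                path.append(v)
                v = parent[v]
            return path[::-1]
        for w in graph[v]:
            if w not in parent and (w == dst or w not in avoid):
                parent[w] = v
                queue.append(w)
    return None


def simulate(graph, bots, egress, k, rounds, seed, strategy):
    """Each period the defender (re)places k detectors.  The botmaster, who learned the
    previous period's placement, exfiltrates from the first bot that has a path around
    it (or from bots[0] on its plain shortest path if none has).  Returns the fraction
    of periods in which the chosen path crossed a live detector (Monte Carlo estimate,
    not the paper's lower bound)."""
    rng = random.Random(seed)
    cent = betweenness(graph)
    candidates = {v: c for v, c in cent.items() if v != egress and v not in bots}
    detected, known = 0, frozenset()
    for _ in range(rounds):
        current = place_detectors(candidates, k, rng, strategy)
        path = None
        for bot in bots:
            path = shortest_path(graph, bot, egress, avoid=known)
            if path:
                break
        if path is None:
            path = shortest_path(graph, bots[0], egress)
        if any(node in current for node in path):
            detected += 1
        known = frozenset(current)       # the attacker's extra work: learning where detectors were
    return detected / rounds


if __name__ == "__main__":
    for strategy in ("static", "mtd"):
        rate = simulate(TOPOLOGY, ("h1", "h3", "h4"), "egress", 1, 200, 7, strategy)
        print(f"{strategy:6s} detection rate over 200 periods: {rate:.2f}")
```

With a single detector, the static placement sits on one core router and is caught only in the first period; from then on the botmaster routes around it through the other core node and is never seen again. Under the periodic re-draw, knowing last period's placement buys the attacker nothing, and roughly half the exfiltration periods cross a detector on this topology. The point of the example is the comparison, not the numbers: real strategies, the attacker's cost of probing for detector-free paths and the paper's lower-bound computation are not modelled here.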




Published In

MTD '16: Proceedings of the 2016 ACM Workshop on Moving Target Defense
October 2016, 144 pages
ISBN: 9781450345705
DOI: 10.1145/2995272
Program Chairs: Peng Liu, Cliff Wang

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. botnets
  2. detector placement
  3. moving target defense

Qualifiers

  • Research-article

Conference

CCS'16

Acceptance Rates

MTD '16 Paper Acceptance Rate 9 of 26 submissions, 35%;
Overall Acceptance Rate 40 of 92 submissions, 43%


Cited By

  • (2025) Detector Placement Strategies. Encyclopedia of Cryptography, Security and Privacy, pp. 631-634. DOI 10.1007/978-3-030-71522-9_1769. Online publication date: 8 Jan 2025.
  • (2024) Multi-Dimensional Moving Target Defense Method Based on Adaptive Simulated Annealing Genetic Algorithm. Electronics 13(3):487. DOI 10.3390/electronics13030487. Online publication date: 24 Jan 2024.
  • (2024) Deep Learning Models as Moving Targets to Counter Modulation Classification Attacks. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications, pp. 1601-1610. DOI 10.1109/INFOCOM52122.2024.10621413. Online publication date: 20 May 2024.
  • (2024) Cost-Effective Defense Timing Selection for Moving Target Defense in Satellite Computing Systems. Computational Science - ICCS 2024, pp. 224-239. DOI 10.1007/978-3-031-63749-0_16. Online publication date: 28 Jun 2024.
  • (2023) Information Protection in Complexes with Unmanned Aerial Vehicles Using Moving Target Technology. Inventions 8(1):18. DOI 10.3390/inventions8010018. Online publication date: 11 Jan 2023.
  • (2023) Tracking IoT P2P Botnet Loaders in the Wild. ICC 2023 - IEEE International Conference on Communications, pp. 5916-5921. DOI 10.1109/ICC45041.2023.10279593. Online publication date: 28 May 2023.
  • (2022) A Survey on Moving Target Defense for Networks: A Practical View. Electronics 11(18):2886. DOI 10.3390/electronics11182886. Online publication date: 12 Sep 2022.
  • (2022) Moving Target Defense-Based Denial-of-Service Mitigation in Cloud Environments. Security and Communication Networks, vol. 2022. DOI 10.1155/2022/2223050. Online publication date: 1 Jan 2022.
  • (2022) Robust End Hopping for Secure Satellite Communication in Moving Target Defense. IEEE Internet of Things Journal 9(18):16908-16916. DOI 10.1109/JIOT.2022.3144971. Online publication date: 15 Sep 2022.
  • (2022) Detector Placement Strategies. Encyclopedia of Cryptography, Security and Privacy, pp. 1-3. DOI 10.1007/978-3-642-27739-9_1769-1. Online publication date: 14 Dec 2022.
