Behavioral analysis of botnets for threat intelligence

Authors:
Alper Caglayan;Mike Toothaker;Dan Drapeau;Dustin Burke;Gerry Eaton
Affiliations:
Milcord, Waltham, USA 02451;Milcord, Waltham, USA 02451;Milcord, Waltham, USA 02451;Milcord, Waltham, USA 02451;Milcord, Waltham, USA 02451
Venue:
Information Systems and e-Business Management
Year:
2012

Citing 13
Cited 0

Beautiful Evidence

Beautiful Evidence
Revealing botnet membership using DNSBL counter-intelligence

SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Examining the impact of website take-down on phishing

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
Behind phishing: an examination of phisher modi operandi

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Passive Monitoring of DNS Anomalies

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
FluXOR: Detecting and Monitoring Fast-Flux Service Networks

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Spamalytics: an empirical analysis of spam marketing conversion

Proceedings of the 15th ACM conference on Computer and communications security
Real-Time Detection of Fast Flux Service Networks

CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Dynamics of Online Scam Hosting Infrastructure

PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Behavioral analysis of fast flux service networks

Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Phishing Infrastructure Fluxes All the Way

IEEE Security and Privacy
Botnet: classification, attacks, detection, tracing, and preventive measures

ICICIC '09 Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control
Behavioral Patterns of Fast Flux Service Networks

HICSS '10 Proceedings of the 2010 43rd Hawaii International Conference on System Sciences

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals and attackers use botnets to conduct a wide range of operations including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics, and form clusters based on size, growth and type of malicious behavior. We introduce a social network connectivity metric, and show that command and control and malware botnets have similar scores with this metric while spam and phishing botnets have similar scores. We describe how a Guilt-by-Association approach and connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.