Skip to main content
SpringerLink
Log in
Book cover

International Conference on Security and Privacy in Communication Systems

SecureComm 2017: Security and Privacy in Communication Networks pp 397–417Cite as

Understanding Adversarial Strategies from Bot Recruitment to Scheduling

  • Conference paper
  • First Online:

Abstract

Today botnets are still one of the most prevalent and devastating attacking platforms that cyber criminals rely on to launch large scale Internet attacks. Botmasters behind the scenes are becoming more agile and discreet, and some new and sophisticated strategies are adopted to recruit bots and schedule their activities to evade detection more effectively. In this paper, we conduct a measurement study of 23 active botnet families to uncover some new botmaster strategies based on an operational dataset collected over a period of seven months. Our analysis shows that different from the common perception that bots are randomly recruited in a best-effort manner, bots recruitment has strong geographical and organizational locality, offering defenses a direction and priority when attempting to shut down these botnets. Furthermore, our study to measure dynamics of botnet activity reveals that botmasters start to deliberately schedule their bots to hibernate and alternate in attacks so that the detection window becomes smaller and smaller.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   143.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Wikipedia: Hacktivism (2014). http://bit.ly/1kM2Vos

  2. Wikipedia: Operation Israel (2014). http://bit.ly/1noDUlI

  3. Symantec Security Response: Four years of darkseoul cyberattacks against South Korea continue on anniversary of Korean war, June 2013. http://bit.ly/1fbGlFm

  4. Bank Info Security: Opusa threatens banks, government, May 2013. http://bit.ly/1kP3Urt

  5. McDougall, P.: Microsoft: Kelihos ring sold ‘botnet-as-a-service’, September 2011. http://ubm.io/MtCSr7

  6. Vicario, M.: Four ways cybercriminals profit from botnets, November 2010. http://bit.ly/1e1SIiP

  7. Wang, A., Mohaisen, A., Chang, W., Chen, S.: Delving into internet DDoS attacks by botnets. In: IEEE DSN 2015 (2015)

    Google Scholar 

  8. Ioannidis, J., Bellovin, S.: Implementing pushback: router-based defense against DDoS attacks (2002)

    Google Scholar 

  9. Chen, Y., Kwok, Y., Hwang, K.: MAFIC: adaptive packet dropping for cutting malicious flows to push back DDoS attacks. In: ICDCS 2005 (2005)

    Google Scholar 

  10. Kang, M., Gligor, V.D.: Routing bottlenecks in the internet: causes, exploits, and countermeasures. In: Proceedings of ACM SIGSAC 2014 (2014)

    Google Scholar 

  11. Wikipedia: Carna botnet (2014). http://bit.ly/1slx1E6

  12. Starr, M.: Fridge caught sending spam emails in botnet attack (2014). http://bit.ly/1j5Jac1

  13. Thomas, M., Mohaisen, A.: Kindred domains: detecting and clustering botnet domains using DNS traffic. In: Proceedings of WWW 2014 (2014)

    Google Scholar 

  14. Andrade, M., Vlajic, N.: Dirt jumper: a key player in today’s botnet-for-DDoS market. In: WorldCIS 2012 (2012)

    Google Scholar 

  15. Song, L., Jin, Z., Sun, G.: Modeling and analyzing of botnet interactions. Proc. Phys. A 390(2), 347–358 (2011)

    Google Scholar 

  16. Li, Z., Goyal, A., Chen, Y., Paxson, V.: Towards situational awareness of large-scale botnet probing events. IEEE TIFS 6(1), 175–188 (2011)

    Google Scholar 

  17. Wang, P., Sparks, S., Zou, C.: An advanced hybrid peer-to-peer botnet. TDSC (2010)

    Google Scholar 

  18. Cho, C., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: a view of botnet management from infiltration. LEET (2010)

    Google Scholar 

  19. Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L.: On the analysis of the Zeus botnet crimeware toolkit. In: IEEE PST 2010 (2010)

    Google Scholar 

  20. Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of ACM CCS 2009 (2009)

    Google Scholar 

  21. Lee, C.P., Dagon, D., Gu, G., Lee, W.: A taxonomy of botnet structures. In: Proceedings of ACM ACSCA 2007 (2007)

    Google Scholar 

  22. Jing, L., Yang, X., Kaveh, G., Hongmei, D.: Botnet: classification, attacks, detection, tracing, and preventive measures. JWCN (2009)

    Google Scholar 

  23. Mohaisen, A., Alrawi, O.: AV-Meter: an evaluation of antivirus scans and labels. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 112–131. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08509-8_7

    Chapter  Google Scholar 

  24. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of ACM CCS 2009 (2009)

    Google Scholar 

  25. Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: Botminer: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: Proceedings of USENIX Security 2008 (2008)

    Google Scholar 

  26. Digital Envoy: Digital element services. http://www.digitalenvoy.net/

  27. Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: signatures and characteristics. In: SIGCOMM 2008 (2008)

    Google Scholar 

  28. Maertens, M., Asghari, H., van Eeten, M., van Mieghem, P.: A time-dependent SIS-model for long-term computer worm evolution. In: Proceedings of IEEE CNS 2016 (2016)

    Google Scholar 

  29. Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging. In: Proceedings of USENIX HotBots 2007 (2007)

    Google Scholar 

  30. Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M., Wobber, T.: How dynamic are IP addresses? In: ACM SIGCOMM CCR 2007 (2007)

    Article  Google Scholar 

  31. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of USENIX Security 2011 (2011)

    Google Scholar 

  32. Bacher, P., Holz, T., Kotter, M., Wicherski, G.: Know your enemy: tracking botnets (2005)

    Google Scholar 

  33. Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F.: The nepenthes platform: an efficient approach to collect malware. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 165–184. Springer, Heidelberg (2006). https://doi.org/10.1007/11856214_9

    Chapter  Google Scholar 

  34. Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: IMC 2006 (2006)

    Google Scholar 

  35. Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale botnet detection and characterization. In: Proceedings of USENIX HotBots 2007 (2007)

    Google Scholar 

  36. Barford, P., Yegneswaran, V.: An inside look at botnets. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Proceedings of Malware Detection. ADIS, vol. 27, pp. 171–191. Springer, Heidelberg (2007). https://doi.org/10.1007/978-0-387-44599-1_8

  37. Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.C.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: USENIX LEET 2008 (2008)

    Google Scholar 

  38. Shin, S., Gu, G.: Conficker and beyond: a large-scale empirical study. In: Proceedings of ACM ACSAC 2010 (2010)

    Google Scholar 

  39. Chang, W., Mohaisen, A., Wang, A., Chen, S.: Measuring botnets in the wild: some new trends. In: ACM ASIACCS 2015 (2015)

    Google Scholar 

Download references

Acknowledgment

We appreciate constructive comments from anonymous referees. This work is partially supported by an ARO grant W911NF-15-1-0262, a NIST grant 70NANB16H166, and a NSF grant CNS-1524462.

Author information

Authors and Affiliations

  1. George Mason University, Fairfax, USA

    Wentao Chang, An Wang & Songqing Chen

  2. The University of Central Florida, Orlando, USA

    Aziz Mohaisen

Authors
  1. Wentao Chang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aziz Mohaisen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. An Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Songqing Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Aziz Mohaisen .

Editor information

Editors and Affiliations

  1. Wilfrid Laurier University, Waterloo, Ontario, Canada

    Xiaodong Lin

  2. University of New Brunswick, Fredericton, New Brunswick, Canada

    Ali Ghorbani

  3. University at Buffalo, Buffalo, New York, USA

    Kui Ren

  4. Pennsylvania State University, Philadelphia, Pennsylvania, USA

    Sencun Zhu

  5. Anhui Normal University, Wuhu, China

    Aiqing Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chang, W., Mohaisen, A., Wang, A., Chen, S. (2018). Understanding Adversarial Strategies from Bot Recruitment to Scheduling. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation