
Detection of IP Gangs: Strategically Organized Bots

Conference paper in: Advances in Data Mining. Applications and Theoretical Aspects (ICDM 2018)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 10933)

Abstract

Botnets, groups of malware-infected computers (bots) that perform attacks on the Internet, pose one of the most serious cybersecurity threats to many industries, including smart infrastructure [9, 10], Internet-based companies [11] and the Internet of Things (IoT) [8]. There are many unconventional ways of organizing bots that are potentially advantageous to attackers, and “botnet”, as a technical term, cannot effectively describe them. With the vast amounts of Internet traffic data collected by security appliances, it is possible to reveal novel bot behavior using data analysis algorithms. In this paper, we propose a concept called IP Gang to describe groups of bots from the perspective of the attacker’s business – we define IP Gangs to be groups of bots that often perform attacks together during a period of time. Crucially, we developed a fast, high-compatibility detection algorithm that can be deployed in wide-scale industrial applications to defend effectively against IP Gangs. The detection algorithm is inspired by single-linkage clustering and optimized for large quantities of data. A test on a month (1.5 GB) of real-life DDoS log data detected 21 IP Gangs, with 13916 bots in total. To analyze the behavior of the Gangs, we visualized the activity of each Gang with diagrams named “attack fingerprints” and confirmed that 15 of the detected Gangs displayed behavior that the concept of “botnet” alone cannot describe.
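The abstract defines an IP Gang as a set of bots that repeatedly attack together and says the detector is inspired by single-linkage clustering. The following is an added illustration of that idea, not the authors' algorithm: it counts, over a constructed DDoS log, how many attacks each pair of source IPs shares, links pairs that share at least `min_shared` attacks, and takes connected components (single linkage via union-find) as candidate gangs. The log format, the `min_shared` and `min_size` thresholds, and the sample IPs are all assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample log: (attack_id, source_ip). One attack_id stands for one
# target hit within one time window, i.e. one "attack" the bots took part in.
SAMPLE_LOG = [
    ("a1", "10.0.0.1"), ("a1", "10.0.0.2"), ("a1", "10.0.0.3"),
    ("a2", "10.0.0.1"), ("a2", "10.0.0.2"), ("a2", "10.0.0.3"), ("a2", "10.0.0.9"),
    ("a3", "10.0.0.2"), ("a3", "10.0.0.3"),
    ("a4", "10.0.0.5"), ("a4", "10.0.0.6"),
    ("a5", "10.0.0.5"), ("a5", "10.0.0.6"),
    ("a6", "10.0.0.7"), ("a6", "10.0.0.9"),
]

def co_attack_counts(log):
    """Count, for every pair of source IPs, the number of attacks both joined."""
    members = defaultdict(set)
    for attack_id, ip in log:
        members[attack_id].add(ip)
    counts = Counter()
    for ips in members.values():            # pairs are only formed inside one attack
        for pair in combinations(sorted(ips), 2):
            counts[pair] += 1
    return counts

def detect_gangs(log, min_shared=2, min_size=2):
    """Single-linkage grouping: IPs are linked when they share >= min_shared attacks;
    connected components of at least min_size IPs are returned as candidate gangs."""
    ips = {ip for _, ip in log}
    parent = {ip: ip for ip in ips}

    def find(x):                             # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), shared in co_attack_counts(log).items():
        if shared >= min_shared:
            parent[find(a)] = find(b)        # one strong link is enough (single linkage)

    groups = defaultdict(set)
    for ip in ips:
        groups[find(ip)].add(ip)
    return sorted((sorted(g) for g in groups.values() if len(g) >= min_size),
                  key=lambda g: g[0])

if __name__ == "__main__":
    for gang in detect_gangs(SAMPLE_LOG):
        print(len(gang), "bots:", ", ".join(gang))
```

Lowering `min_shared` to 1 merges the one-off co-attackers into the first gang, which is the usual single-linkage chaining effect and the reason a real detector needs a co-attack threshold rather than any shared attack.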


References

  1. Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: USENIX Security Symposium, vol. 5, no. 2, pp. 139–154 (2008)

  2. Khattak, S., Ramay, N.R., Khan, K.R., Syed, A.A., Khayam, S.A.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)

  3. Vogt, R., Aycock, J., Jacobson, M.: Army of botnets. In: Proceedings of NDSS 2007 (2007)

  4. Arbor Networks: DDoS as a smokescreen for fraud and theft, 3 February 2016. https://www.arbornetworks.com/blog/insight/ddos-as-a-smokescreen-for-fraud-and-theft/

  5. Kaspersky Lab: Research reveals hacker tactics: Cybercriminals use DDoS as smokescreen for other attacks on business, 22 November 2016. https://www.kaspersky.com/about/press-releases/2016_research-reveals-hacker-tactics-cybercriminals-use-ddos-as-smokescreen-for-other-attacks-on-business

  6. Stanford Natural Language Processing Group: Single-link and complete-link clustering (n.d.). https://nlp.stanford.edu/IR-book/html/htmledition/single-link-and-complete-link-clustering-1.html

  7. WeLiveSecurity: Spammed-out emails threaten websites with DDoS attack on September 30th, 25 September 2017. https://www.welivesecurity.com/2017/09/25/email-ddos-threat/

  8. Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)

  9. Pultarova, T.: Cyber security - Ukraine grid hack is wake-up call for network operators. Eng. Technol. 11(1), 12–13 (2016)

  10. Khan, R., Maynard, P., McLaughlin, K., Laverty, D., Sezer, S.: Threat analysis of BlackEnergy malware for synchrophasor based real-time control and monitoring in smart grid. In: Janicke, H., Jones, K., Brandstetter, T. (eds.) 4th International Symposium for ICS & SCADA Cyber Security Research 2016, pp. 53–63 (2016)

  11. Kaspersky Lab: Attack on Dyn explained. https://www.kaspersky.com/blog/attack-on-dyn-explained/13325/


Author information

Corresponding author: Tianyue Zhao.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Zhao, T., Qiu, X. (2018). Detection of IP Gangs: Strategically Organized Bots. In: Perner, P. (ed.) Advances in Data Mining. Applications and Theoretical Aspects. ICDM 2018. Lecture Notes in Computer Science, vol. 10933. Springer, Cham. https://doi.org/10.1007/978-3-319-95786-9_19


  • DOI: https://doi.org/10.1007/978-3-319-95786-9_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-95785-2

  • Online ISBN: 978-3-319-95786-9

  • eBook Packages: Computer Science (R0)
