Search Results (15)

Search Parameters:
Keywords = botnet defense system

21 pages, 1444 KB  
Article
Immune-Based Botnet Defense System: Multi-Layered Defense and Immune Memory
by Shingo Yamaguchi
Information 2025, 16(8), 680; https://doi.org/10.3390/info16080680 - 8 Aug 2025
Viewed by 546
Abstract
This paper proposes a novel defense mechanism inspired by the bioimmune response to effectively eliminate botnets that repeatedly infect IoT networks and describes the development of an Immune-Based Botnet Defense System (iBDS), incorporating this mechanism. Focusing on the roles of antibodies and phagocytes in the immune response, the iBDS implements a multi-layered defense using two types of worms: antibody worms and phagocyte worms. When a malicious botnet infects a network, the resident phagocyte worms immediately infect and eliminate the bots and prevent the infection from spreading in its early stages. This provides an immediate response in a similar way to innate immunity. On the other hand, if a malicious botnet infects the network and the phagocyte worms are unable to infect the bots, the antibody worms, instead, infect the bots and change their vulnerabilities to help the phagocyte worms infect and eliminate them. This provides an adaptive response in a similar way to acquired immunity. In addition, when the same botnet is repeatedly infected, more antibody worms are used to produce a stronger response, similar to immune memory. The introduction of multi-layered defense and immune memory is an important novelty of this paper that is not found in traditional botnet defense system research. The experimental results from simulations and prototype implementations show that iBDS can effectively eliminate botnets that repeatedly infect IoT networks. Full article
(This article belongs to the Special Issue Cyber Security in IoT)

20 pages, 1843 KB  
Article
Implementation of White-Hat Worms Using Mirai Source Code and Its Optimization through Parameter Tuning
by Yudai Yamamoto, Aoi Fukushima and Shingo Yamaguchi
Future Internet 2024, 16(9), 336; https://doi.org/10.3390/fi16090336 - 13 Sep 2024
Cited by 2 | Viewed by 3364
Abstract
Mirai, an IoT malware that emerged in 2016, has been used for large-scale DDoS attacks. The Mirai source code is publicly available and continues to be a threat with a variety of variants still in existence. In this paper, we propose an implementation system for malicious and white-hat worms created using the Mirai source code, as well as a general and detailed implementation method for white-hat worms that is not limited to the Mirai source code. The white-hat worms have the function of a secondary infection, in which the white-hat worm disinfects the malicious worm by infecting devices already infected by the malicious worm, and two parameters, the values of which can be changed to modify the rate at which the white-hat worms can spread their infection. The values of the parameters of the best white-hat worm for disinfection of the malicious botnet and the impact of the value of each parameter on the disinfection of the malicious botnet were analyzed in detail. The analysis revealed that for a white-hat worm to disinfect a malicious botnet, it must be able to infect at least 80% of all devices and maintain that situation for at least 300 s. Then, by tuning and optimizing the values of the white-hat worm’s parameters, we were able to successfully eliminate the malicious botnet, demonstrating the effectiveness of the white-hat botnet’s function of eliminating the malicious botnet. Full article

29 pages, 8035 KB  
Article
A Novel Hybrid Unsupervised Learning Approach for Enhanced Cybersecurity in the IoT
by Prabu Kaliyaperumal, Sudhakar Periyasamy, Manikandan Thirumalaisamy, Balamurugan Balusamy and Francesco Benedetto
Future Internet 2024, 16(7), 253; https://doi.org/10.3390/fi16070253 - 18 Jul 2024
Cited by 13 | Viewed by 6853
Abstract
The proliferation of IoT services has spurred a surge in network attacks, heightening cybersecurity concerns. Essential to network defense, intrusion detection and prevention systems (IDPSs) identify malicious activities, including denial of service (DoS), distributed denial of service (DDoS), botnet, brute force, infiltration, and Heartbleed. This study focuses on leveraging unsupervised learning for training detection models to counter these threats effectively. The proposed method utilizes basic autoencoders (bAEs) for dimensionality reduction and encompasses a three-stage detection model: one-class support vector machine (OCSVM) and deep autoencoder (dAE) attack detection, complemented by density-based spatial clustering of applications with noise (DBSCAN) for attack clustering. Accurately delineated clusters aid in mapping attack tactics. The MITRE ATT&CK framework establishes a “Cyber Threat Repository”, cataloging attacks and tactics, enabling immediate response based on priority. Leveraging preprocessed and unlabeled normal network traffic data, this approach enables the identification of novel attacks while mitigating the impact of imbalanced training data on model performance. The autoencoder method utilizes reconstruction error, OCSVM employs a kernel function to establish a hyperplane for anomaly detection, while DBSCAN employs a density-based approach to identify clusters, manage noise, accommodate diverse shapes, automatically determine cluster count, ensure scalability, and minimize false positives and false negatives. Evaluated on standard datasets such as CIC-IDS2017 and CSECIC-IDS2018, the proposed model outperforms existing state-of-the-art methods. Our approach achieves accuracies exceeding 98% for the two datasets, thus confirming its efficacy and effectiveness for application in efficient intrusion detection systems. Full article
(This article belongs to the Special Issue Cybersecurity in the IoT)

33 pages, 5059 KB  
Systematic Review
Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review
by Turki Al lelah, George Theodorakopoulos, Philipp Reinecke, Amir Javed and Eirini Anthi
J. Cybersecur. Priv. 2023, 3(3), 558-590; https://doi.org/10.3390/jcp3030027 - 1 Sep 2023
Cited by 11 | Viewed by 8027
Abstract
The widespread adoption of cloud-based and public legitimate services (CPLS) has inadvertently opened up new avenues for cyber attackers to establish covert and resilient command-and-control (C&C) communication channels. This abuse poses a significant cybersecurity threat, as it allows malicious traffic to blend seamlessly with legitimate network activities. Traditional detection systems are proving inadequate in accurately identifying such abuses, emphasizing the urgent need for more advanced detection techniques. In our study, we conducted an extensive systematic literature review (SLR) encompassing the academic and industrial literature from 2008 to July 2023. Our review provides a comprehensive categorization of the attack techniques employed in CPLS abuses and offers a detailed overview of the currently developed detection strategies. Our findings indicate a substantial increase in cloud-based abuses, facilitated by various attack techniques. Despite this alarming trend, the focus on developing detection strategies remains limited, with only 7 out of 91 studies addressing this concern. Our research serves as a comprehensive review of CPLS abuse for the C&C infrastructure. By examining the emerging techniques used in these attacks, we aim to make a significant contribution to the development of effective botnet defense strategies. Full article
(This article belongs to the Special Issue Cloud Security and Privacy)

16 pages, 4186 KB  
Article
Deep Learning-Based Symptomizing Cyber Threats Using Adaptive 5G Shared Slice Security Approaches
by Abdul Majeed, Abdullah M. Alnajim, Athar Waseem, Aleem Khaliq, Aqdas Naveed, Shabana Habib, Muhammad Islam and Sheroz Khan
Future Internet 2023, 15(6), 193; https://doi.org/10.3390/fi15060193 - 26 May 2023
Cited by 10 | Viewed by 2866
Abstract
In fifth Generation (5G) networks, protection from internal attacks, external breaches, violation of confidentiality, and misuse of network vulnerabilities is a challenging task. Various approaches, especially deep-learning (DL) prototypes, have been adopted in order to counter such challenges. For 5G network defense, a DL module is recommended here in order to symptomize suspicious NetFlow data. This module behaves as a virtual network function (VNF) and is placed along a 5G network. The DL module as a cyber threat-symptomizing (CTS) unit acts as a virtual security scanner along the 5G network data analytic function (NWDAF) to monitor the network data. When the data were found to be suspicious, causing network bottlenecks and let-downs of end-user services, they were labeled as “Anomalous”. For the best proactive and adaptive cyber defense system (PACDS), a logically organized modular approach has been followed to design the DL security module. In the application context, improvements have been made in input feature dimension and computational complexity reduction, with better response times and accuracy in outlier detection. Moreover, key performance indicators (KPIs) have been proposed for security module placement to secure interslice and intraslice communication channels from any internal or external attacks, also suggesting an adaptive defense mechanism and indicating its placement on a 5G network. Among the chosen DL models, the CNN model behaves as a stable model during behavior analysis in the results. The model classifies botnet-labeled data with 99.74% accuracy and higher precision. Full article
(This article belongs to the Special Issue 5G Security: Challenges, Opportunities, and the Road Ahead)

18 pages, 8783 KB  
Article
Diffusion of White-Hat Botnet Using Lifespan with Controllable Ripple Effect for Malware Removal in IoT Networks
by Mohd Anuaruddin Bin Ahmadon and Shingo Yamaguchi
Sensors 2023, 23(2), 1018; https://doi.org/10.3390/s23021018 - 16 Jan 2023
Cited by 2 | Viewed by 2268
Abstract
Self-propagating malware has been infecting thousands of IoT devices and causing security breaches worldwide. Mitigating and cleaning self-propagating malware is important but challenging because it propagates unpredictably. White-hat botnets have been used to combat self-propagating malware with the concept of fighting fire with fire. However, white-hat botnets can also overpopulate and consume the resources of IoT devices. Later, lifespan was introduced as a self-destruct measure to restrain white-hat botnets’ overpopulation, but it was unable to change based on real-time situations. This paper proposes a method for diffusing white-hat botnets by controlling lifespan. The main contribution of this paper is that the method uses a dynamic lifespan that increases and decreases based on the congregation situation of the self-propagating malware and white-hat botnets. The method tackles the problem of overpopulation of white-hat botnets, since they can self-propagate, by controlling the ripple effect that widens the white-hat botnet’s diffusion area but suppresses the number of white-hat botnets to achieve a ’zero-botnet’ situation. The effectiveness in reducing the overpopulation rate was confirmed. The experimental results showed that the ripple effect could reduce the number of white-hat botnets in the network by around 80%, depending on different control parameters. Full article
(This article belongs to the Section Internet of Things)

22 pages, 12835 KB  
Article
Botnet Defense System: Observability, Controllability, and Basic Command and Control Strategy
by Shingo Yamaguchi
Sensors 2022, 22(23), 9423; https://doi.org/10.3390/s22239423 - 2 Dec 2022
Cited by 5 | Viewed by 3035
Abstract
This paper deals with the observability, controllability, and command and control strategy in the Botnet Defense System (BDS) that disinfects malicious botnets with white-hat botnets. The BDS defends an IoT system built over the Internet. The Internet is characterized by openness, but not all nodes are observable and controllable. We incorporated the concept of observability and controllability into the BDS design and theoretically clarified that the BDS can enhance its observability and controllability by utilizing its white-hat botnets. In addition, we proposed a Withdrawal strategy as a basic strategy to command and control white-hat botnets. Then, we modeled the BDS, adopted the Withdrawal strategy with agent-oriented Petri net PN2 and confirmed the effect through the simulation of the model. The result shows that even if considering observability and controllability, the BDS wiped out the malicious bots and reduced the white-hat bots to less than 1% as long as the white-hat worms were sufficiently infectious. Full article
(This article belongs to the Section Internet of Things)

18 pages, 1321 KB  
Article
PeerAmbush: Multi-Layer Perceptron to Detect Peer-to-Peer Botnet
by Arkan Hammoodi Hasan Kabla, Achmad Husni Thamrin, Mohammed Anbar, Selvakumar Manickam and Shankar Karuppayah
Symmetry 2022, 14(12), 2483; https://doi.org/10.3390/sym14122483 - 23 Nov 2022
Cited by 11 | Viewed by 3086
Abstract
Due to emerging internet technologies that mostly depend on the decentralization concept, such as cryptocurrencies, cyber attackers also use the decentralization concept to develop P2P botnets. P2P botnets are considered one of the most serious and challenging threats to internet infrastructure security. Consequently, several open issues still need to be addressed, such as improving botnet intrusion detection systems, because botnet detection is essentially a confrontational problem. This paper presents PeerAmbush, a novel approach for detecting P2P botnets using, for the first time, one of the most effective deep learning techniques, which is the Multi-Layer Perceptron, with certain parameter settings to detect this type of botnet, unlike most current research, which is entirely based on machine learning techniques. The reason for employing machine learning/deep learning techniques, besides data analysis, is because the bots under the same botnet have a symmetrical behavior, and that makes them recognizable compared to benign network traffic. The PeerAmbush also takes the challenge of detecting P2P botnets with fewer selected features compared to the existing related works by proposing a novel feature engineering method based on Best First Union (BFU). The proposed approach showed considerable results, with a very high detection accuracy of 99.9%, with no FPR. The experimental results showed that PeerAmbush is a promising approach, and we look forward to building on it to develop better security defenses. Full article
(This article belongs to the Special Issue Machine Learning and Data Analysis)

25 pages, 5232 KB  
Article
AIBot: A Novel Botnet Capable of Performing Distributed Artificial Intelligence Computing
by Hao Zhao, Hui Shu, Yuyao Huang and Ju Yang
Electronics 2022, 11(19), 3241; https://doi.org/10.3390/electronics11193241 - 9 Oct 2022
Cited by 1 | Viewed by 3963
Abstract
As an infrastructure platform for launching large-scale cyber attacks, botnets are one of the biggest threats to cyberspace security today. With the development of network technology and changes in the network environment, network attack intelligence has become a trend, and botnet designers are also committed to developing more destructive intelligent botnets. The feasibility of implementing distributed intelligent computing based on botnet node resources is analyzed with regard to the aspects of program size, communication traffic and resource occupancy. AIBot, a botnet model that can perform intelligent computation in a distributed manner, is proposed from the attacker’s perspective, which hierarchically deploys distributed neural network models in the botnet, thereby organizing nodes to collaboratively perform intelligent computation tasks. AIBot enables the distributed execution of intelligent computing tasks on a cluster of bot nodes by decomposing the computational load of a deep neural network model. A general algorithm for the distributed deployment of neural networks in AIBot is proposed, and the overall operational framework for AIBot is given. Two classical neural network models, CNN and RNN, are used as examples to illustrate specific schemes for deploying and running distributed intelligent computing in AIBot. Experimental scenarios were constructed to experimentally validate and briefly evaluate the performance of the two AIBot attack modes, and the overall efficiency of AIBot was evaluated in terms of execution time. This paper studies new forms of botnet attack techniques from a predictive perspective, aiming to increase defenders’ understanding of potential botnet threats, in order to propose effective defense strategies and improve the botnet defense system. Full article
(This article belongs to the Special Issue New Trends in Information Security)

16 pages, 727 KB  
Article
Machine Learning White-Hat Worm Launcher for Tactical Response by Zoning in Botnet Defense System
by Xiangnan Pan and Shingo Yamaguchi
Sensors 2022, 22(13), 4666; https://doi.org/10.3390/s22134666 - 21 Jun 2022
Cited by 9 | Viewed by 2648
Abstract
Malicious botnets such as Mirai are a major threat to IoT networks regarding cyber security. The Botnet Defense System (BDS) is a network security system based on the concept of “fight fire with fire”, and it uses white-hat botnets to fight against malicious botnets. However, the existing white-hat Worm Launcher of the BDS decides the number of white-hat worms, but it does not consider the white-hat worms’ placement. This paper proposes a novel machine learning (ML)-based white-hat Worm Launcher for tactical response by zoning in the BDS. The concept of zoning is introduced to grasp the malicious botnet spread with bias over the IoT network. This enables the Launcher to divide the network into zones and make tactical responses for each zone. Three tactics for tactical responses for each zone are also proposed. Then, the BDS with the Launcher is modeled by using agent-oriented Petri nets, and the effect of the proposed Launcher is evaluated. The result shows that the proposed Launcher can reduce the number of infected IoT devices by about 30%. Full article

18 pages, 794 KB  
Article
Realguard: A Lightweight Network Intrusion Detection System for IoT Gateways
by Xuan-Ha Nguyen, Xuan-Duong Nguyen, Hoang-Hai Huynh and Kim-Hung Le
Sensors 2022, 22(2), 432; https://doi.org/10.3390/s22020432 - 7 Jan 2022
Cited by 107 | Viewed by 10710
Abstract
Cyber security has become increasingly challenging due to the proliferation of the Internet of things (IoT), where a massive number of tiny, smart devices push trillions of bytes of data to the Internet. However, these devices possess various security flaws resulting from the lack of defense mechanisms and hardware security support, therefore making them vulnerable to cyber attacks. In addition, IoT gateways provide very limited security features to detect such threats, especially the absence of intrusion detection methods powered by deep learning. Indeed, deep learning models require high computational power that exceeds the capacity of these gateways. In this paper, we introduce Realguard, a DNN-based network intrusion detection system (NIDS) directly operated on local gateways to protect IoT devices within the network. The superiority of our proposal is that it can accurately detect multiple cyber attacks in real time with a small computational footprint. This is achieved by a lightweight feature extraction mechanism and an efficient attack detection model powered by deep neural networks. Our evaluations on practical datasets indicate that Realguard could detect ten types of attacks (e.g., port scan, Botnet, and FTP-Patator) in real time with an average accuracy of 99.57%, whereas the best of our competitors is 98.85%. Furthermore, our proposal effectively operates on resource-constrained gateways (Raspberry PI) at a high packet processing rate, reported at about 10.600 packets per second. Full article
(This article belongs to the Special Issue Cybersecurity in the Internet of Things)

37 pages, 5380 KB  
Article
Using Embedded Feature Selection and CNN for Classification on CCD-INID-V1—A New IoT Dataset
by Zhipeng Liu, Niraj Thapa, Addison Shaver, Kaushik Roy, Madhuri Siddula, Xiaohong Yuan and Anna Yu
Sensors 2021, 21(14), 4834; https://doi.org/10.3390/s21144834 - 15 Jul 2021
Cited by 45 | Viewed by 7201
Abstract
As Internet of Things (IoT) networks expand globally with an annual increase of active devices, providing better safeguards to threats is becoming more prominent. An intrusion detection system (IDS) is the most viable solution that mitigates the threats of cyberattacks. Given the many constraints of the ever-changing network environment of IoT devices, an effective yet lightweight IDS is required to detect cyber anomalies and categorize various cyberattacks. Additionally, most publicly available datasets used for research do not reflect the recent network behaviors, nor are they made from IoT networks. To address these issues, in this paper, we have the following contributions: (1) we create a dataset from IoT networks, namely, the Center for Cyber Defense (CCD) IoT Network Intrusion Dataset V1 (CCD-INID-V1); (2) we propose a hybrid lightweight form of IDS: an embedded model (EM) for feature selection and a convolutional neural network (CNN) for attack detection and classification. The proposed method has two models: (a) RCNN: Random Forest (RF) is combined with CNN and (b) XCNN: eXtreme Gradient Boosting (XGBoost) is combined with CNN. RF and XGBoost are the embedded models to reduce less impactful features. (3) We attempt anomaly (binary) classifications and attack-based (multiclass) classifications on CCD-INID-V1 and two other IoT datasets, the detection_of_IoT_botnet_attacks_N_BaIoT dataset (Balot) and the CIRA-CIC-DoHBrw-2020 dataset (DoH20), to explore the effectiveness of these learning-based security models. Using RCNN, we achieved an Area under the Receiver Characteristic Operator (ROC) Curve (AUC) score of 0.956 with a runtime of 32.28 s on CCD-INID-V1, 0.999 with a runtime of 71.46 s on Balot, and 0.986 with a runtime of 35.45 s on DoH20. Using XCNN, we achieved an AUC score of 0.998 with a runtime of 51.38 s for CCD-INID-V1, 0.999 with a runtime of 72.12 s for Balot, and 0.999 with a runtime of 72.91 s for DoH20. Compared to KNN, XCNN required 86.98% less computational time, and RCNN required 91.74% less computational time to achieve equal or better accurate anomaly detections. We find XCNN and RCNN are consistently efficient and handle scalability well; in particular, they are 1000 times faster than KNN when dealing with a relatively larger dataset, Balot. Finally, we highlight RCNN and XCNN’s ability to accurately detect anomalies with a significant reduction in computational time. This advantage grants flexibility for the IDS placement strategy. Our IDS can be placed at a central server as well as resource-constrained edge devices. Our lightweight IDS requires low train time and hence decreases reaction time to zero-day attacks. Full article
(This article belongs to the Special Issue Sensor Networks Security and Applications)

15 pages, 585 KB  
Article
Botnet Defense System: Concept, Design, and Basic Strategy
by Shingo Yamaguchi
Information 2020, 11(11), 516; https://doi.org/10.3390/info11110516 - 4 Nov 2020
Cited by 29 | Viewed by 5639
Abstract
This paper proposes a new kind of cyber-security system, named Botnet Defense System (BDS), which defends an Internet of Things (IoT) system against malicious botnets. The concept of BDS is “Fight fire with fire”. The distinguishing feature is that it uses white-hat botnets to fight malicious botnets. A BDS consists of four components: Monitor, Strategy Planner, Launcher, and Command and Control (C&C) server. The Monitor component watches over a target IoT system. If the component detects a malicious botnet, the Strategy Planner component makes a strategy against the botnet. Based on the planned strategy, the Launcher component sends white-hat worms into the IoT system and constructs a white-hat botnet. The C&C server component commands and controls the white-hat botnet to exterminate the malicious botnet. Strategy studies are essential to produce intended results. We proposed three basic strategies to launch white-hat worms: All-Out, Few-Elite, and Environment-Adaptive. We evaluated BDS and the proposed strategies through the simulation of an agent-oriented Petri net model representing the battle between Mirai botnets and the white-hat botnets. This result shows that the Environment-Adaptive strategy is the best and reduced the number of needed white-hat worms to 38.5% almost without changing the extermination rate for Mirai bots. Full article
(This article belongs to the Special Issue Security and Privacy in the Internet of Things)

23 pages, 1763 KB  
Article
AppCon: Mitigating Evasion Attacks to ML Cyber Detectors
by Giovanni Apruzzese, Mauro Andreolini, Mirco Marchetti, Vincenzo Giuseppe Colacino and Giacomo Russo
Symmetry 2020, 12(4), 653; https://doi.org/10.3390/sym12040653 - 21 Apr 2020
Cited by 17 | Viewed by 5383
Abstract
Adversarial attacks represent a critical issue that prevents the reliable integration of machine learning methods into cyber defense systems. Past work has shown that even proficient detectors are highly affected just by small perturbations to malicious samples, and that existing countermeasures are immature. We address this problem by presenting AppCon, an original approach to harden intrusion detectors against adversarial evasion attacks. Our proposal leverages the integration of ensemble learning into realistic network environments, by combining layers of detectors devoted to monitoring the behavior of the applications employed by the organization. Our proposal is validated through extensive experiments performed in heterogeneous network settings simulating botnet detection scenarios, and considers detectors based on distinct machine- and deep-learning algorithms. The results demonstrate the effectiveness of AppCon in mitigating the dangerous threat of adversarial attacks in over 75% of the considered evasion attempts, while not being affected by the limitations of existing countermeasures, such as performance degradation in non-adversarial settings. For these reasons, our proposal represents a valuable contribution to the development of more secure cyber defense platforms. Full article

20 pages, 1824 KB  
Review
VPNFilter Malware Analysis on Cyber Threat in Smart Home Network
by Jose Costa Sapalo Sicato, Pradip Kumar Sharma, Vincenzo Loia and Jong Hyuk Park
Appl. Sci. 2019, 9(13), 2763; https://doi.org/10.3390/app9132763 - 9 Jul 2019
Cited by 58 | Viewed by 10019
Abstract
Recently, the development of smart home technologies has played a crucial role in enhancing several real-life smart applications. They help improve the quality of life through systems designed to enhance convenience, comfort, entertainment, the health of the householders, and security. Note, however, that malware attacks on smart home devices are increasing in frequency and volume. As people seek to improve and optimize comfort in their homes and minimize their daily home responsibilities at the same time, this makes them attractive targets for a malware attack. Thus, attacks on smart home-based devices have emerged. The goals of this paper are to analyze the different aspects of cyber-physical threats on the smart home from a security perspective, discuss the types of attacks including advanced cyber-attacks and cyber-physical system attacks, and evaluate the impact on a smart home system in daily life. We have come up with a taxonomy focusing on cyber threat attacks that can also have potential impact on a smart home system and identify some key issues about VPNFilter malware, which constitutes a large-scale Internet of Things (IoT)-based botnet malware infection. We also discuss the defense mechanism against this threat and mention the most infected routers. The specific objective of this paper is to provide efficient task management and knowledge related to the VPNFilter malware attack. Full article