C&C Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory
GUO Xiaojun①②③ CHENG Guang①③ HU Yifei①③ DAI Mian①③
①(School of Computer Science and Engineering, Southeast University, Nanjing 210096, China) ②(School of Information Engineering, Xizang Minzu University, Xianyang 712082, China) ③(Key Laboratory of Computer Network and Information Integration Ministry of Education, Southeast University, Nanjing 210096, China)
A bot must obtain its Command and Control (C&C) information covertly and securely; this is a precondition for the botnet to operate correctly. To address the problem of how bots of the same type in a local network can covertly obtain and share C&C information, a C&C Information Sharing scheme based on the Link-Local Multicast Name Resolution (LLMNR) protocol and evidential theory (CCISLE) is proposed. First, two metrics are defined to measure bot performance: running time ratio and CPU utilization rate. Second, bots of the same type report their two metrics to each other via LLMNR query packets and use Dempster-Shafer (D-S) evidential theory to vote for a Bot Temporary Leader (BTL). Then only the BTL is permitted to communicate with the C&C servers and obtain the C&C information. Finally, the BTL shares the C&C information with the other bots through LLMNR query packets. Experimental results show that CCISLE enables bots of the same type to share C&C information successfully; the voting algorithm based on D-S evidential theory elects a BTL effectively from the two proposed metrics and remains robust under heavy network traffic; and the traffic produced during the BTL voting process also has good covertness.
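The BTL vote is the part of the scheme a reader is most likely to want to see worked through. The following is an added example, not the authors' code: it combines the two per-bot metrics with Dempster's rule of combination and picks the candidate with the highest resulting belief. The abstract does not say how the metrics are turned into mass functions, so the mapping here is an assumption: a higher running time ratio and a lower CPU utilization are treated as stronger evidence for a bot, each metric spreads a fixed reliability weight ALPHA over the candidates in proportion to that evidence, and the remaining 1 - ALPHA is left on the whole frame as ignorance. The bot metrics are constructed sample data.

```python
"""Dempster-Shafer leader election over two per-bot metrics.

Added example, not the paper's code. Assumptions not stated in the abstract:
  - higher running-time ratio is better evidence for leadership;
  - lower CPU utilization is better evidence (score = 1 - utilization);
  - each metric becomes a mass function by spreading reliability ALPHA over
    the candidates in proportion to score, leaving 1 - ALPHA on the frame.
"""
from itertools import product
from typing import Dict, FrozenSet, Tuple

Mass = Dict[FrozenSet[str], float]

ALPHA = 0.8  # reliability granted to each metric; the rest is ignorance (assumption)


def mass_from_scores(scores: Dict[str, float], alpha: float = ALPHA) -> Mass:
    """Singletons get alpha * score / total; the full frame gets 1 - alpha."""
    frame = frozenset(scores)
    total = sum(scores.values())
    if total <= 0:
        # no usable evidence at all: vacuous belief, everything on the frame
        return {frame: 1.0}
    m: Mass = {frozenset([b]): alpha * s / total for b, s in scores.items() if s > 0}
    m[frame] = m.get(frame, 0.0) + (1.0 - alpha)
    return m


def dempster_combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule: m(A) = sum_{B∩C=A} m1(B)m2(C) / (1 - K), K = conflicting mass."""
    combined: Mass = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if not inter:
            conflict += mb * mc
        else:
            combined[inter] = combined.get(inter, 0.0) + mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: the two evidence sources are incompatible")
    norm = 1.0 - conflict
    return {a: v / norm for a, v in combined.items()}, conflict


def elect_leader(metrics: Dict[str, Tuple[float, float]]):
    """metrics: bot_id -> (running_time_ratio, cpu_utilization), both in [0, 1].

    Returns (leader_id, belief per bot, conflict K). K is returned so a caller
    can see how strongly the two metrics disagreed about the winner.
    """
    runtime_scores = {b: rt for b, (rt, _) in metrics.items()}
    cpu_scores = {b: 1.0 - cpu for b, (_, cpu) in metrics.items()}
    m, conflict = dempster_combine(mass_from_scores(runtime_scores),
                                   mass_from_scores(cpu_scores))
    # only singletons and the frame are focal, so belief in a bot equals its mass
    belief = {next(iter(a)): v for a, v in m.items() if len(a) == 1}
    leader = max(belief, key=belief.get)
    return leader, belief, conflict


# constructed sample: three same-type bots on one LAN, each announcing
# (running time ratio, CPU utilization) as the abstract describes
SAMPLE = {"A": (0.6, 0.5), "B": (0.3, 0.1), "C": (0.1, 0.7)}

if __name__ == "__main__":
    leader, belief, k = elect_leader(SAMPLE)
    print("leader:", leader)
    print("belief:", {b: round(v, 3) for b, v in belief.items()})
    print("conflict K:", round(k, 3))
```

On the sample, the running time metric favours A and the CPU metric favours B; after combination A wins narrowly (belief about 0.437 against 0.400) with a conflict K of about 0.41, which is the kind of disagreement the returned K exposes. One practitioner caveat on the covertness claim: LLMNR queries are link-local multicast (UDP port 5355 to 224.0.0.252 or FF02::1:3 per RFC 4795), so every host on the segment receives the voting and sharing exchange; a defender can baseline which names each host normally queries and flag hosts that issue LLMNR queries for names nobody else resolves.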
GUO Xiaojun, CHENG Guang, HU Yifei, DAI Mian. C&C Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory[J]. Journal of Electronics & Information Technology (电子与信息学报), 2017, 39(3): 525-531.