ConnSpoiler: Disrupting C&C Communication of IoT-Based Botnet Through Fast Detection of Anomalous Domain Queries

Yin Lihua; Luo Xi; Zhu Chunsheng; Wang Liming; Xu Zhen; Lu Hui

首页> 外文期刊>IEEE transactions on industrial informatics >ConnSpoiler: Disrupting C&C Communication of IoT-Based Botnet Through Fast Detection of Anomalous Domain Queries

【24h】

ConnSpoiler: Disrupting C&C Communication of IoT-Based Botnet Through Fast Detection of Anomalous Domain Queries

机译：ConnSpoiler：通过快速检测异常域查询来扰乱基于IOT的僵尸网络的C＆C通信

获取原文

获取原文并翻译 | 示例

掌桥外文数据库（机构版） >>

开具论文收录证明 >>

文献代查 >>

页面导航

摘要
著录项
相似文献
相关主题

摘要

The development of Internet of Things (IoT) dramatically facilitates the integration of computing systems with the physical world. However, as IoT devices are more easy to compromise than desktop computers, cybercriminals have founded IoT-based botnets to launch Distributed Denial of Service (DDoS) attacks with unprecedented traffic volume. To mitigate the damages associated with these attacks, the detection of IoT-based botnet has to preempt the command and control (C&C) communication to prevent the delivery of the attack codes. Motivated by the extensively implementation of domain generation algorithm in botnets, in this article, we propose ConnSpoiler, a lightweight system that detects IoT-based botnets by identifying the stream of algorithmically generated domains (AGDs) in a fast way. ConnSpoiler only needs negligible system resources to take effect and thus can execute well on the resource-restraint IoT devices. By outfitting a powerful statistical algorithm, i.e., threshold random walk, ConnSpoiler has a high probability (about 94%) of detecting infection before the compromised devices connect C&C servers, which can help to prevent the succeeding attacks. Moreover, ConnSpoiler only requires the benign domains to take effect and therefore does not need extra effort to label malicious samples for training phase. We evaluate ConnSpoiler based on real-world DNS traffics collected from two different large ISP networks and show that it accurately identifies devices that are compromised by unknown botnets.

机译：事物互联网（物联网）的发展显着促进了与物理世界的计算系统的整合。但是，由于IOT设备比桌面计算机更容易妥协，网络犯罪分子已创立基于IoT的僵尸网络，以推出具有前所未有的流量卷的分布式拒绝服务（DDOS）攻击。为了减轻与这些攻击相关的损害，基于IOT的僵尸网络的检测必须抢占命令和控制（C＆C）通信以防止攻击代码的传送。在本文中，通过僵尸网络中的域生成算法的广泛实现，我们提出了一种通过以快速方式识别算法生成的域（AGDS）流来检测基于IOT的僵尸网络的轻量级系统。 ConnSpoiler仅需要忽略不计的系统资源生效，因此可以在资源限制物联网设备上执行良好。通过推荐强大的统计算法，即阈值随机步道，ConnSpoiler在受损的设备连接C＆C服务器之前，ConnSpoiler具有高概率（约94％）检测感染，这有助于防止接下来的攻击。此外，ConnSpoiler仅需要良性域生效，因此不需要额外努力来标记恶意样本进行培训阶段。我们根据从两种不同的大型ISP网络收集的现实世界DNS流量来评估Connspoiler，并表明它准确地识别由未知Botnets受到损害的设备。

著录项

来源
《IEEE transactions on industrial informatics》 |2020年第2期|1373-1384|共12页
作者
Yin Lihua; Luo Xi; Zhu Chunsheng; Wang Liming; Xu Zhen; Lu Hui;
展开▼
作者单位

Guangzhou Univ Cyberspace Inst Adv Technol Guangzhou 510006 Peoples R China;

Guangzhou Univ Cyberspace Inst Adv Technol Guangzhou 510006 Peoples R China;

Southern Univ Sci & Technol SUSTech Inst Future Networks Shenzhen 518055 Peoples R China|PCL Res Ctr Networks & Commun Peng Cheng Lab Shenzhen 518055 Peoples R China;

Chinese Acad Sci Inst Informat Engn State Key Lab Informat Secur Beijing 100093 Peoples R China;

Chinese Acad Sci Inst Informat Engn State Key Lab Informat Secur Beijing 100093 Peoples R China;

Guangzhou Univ Cyberspace Inst Adv Technol Guangzhou 510006 Peoples R China;

展开▼
收录信息
原文格式 PDF
正文语种 eng
中图分类
关键词
Botnet; command and control (CC); domain generation algorithm (DGA); fast detection; Internet of Things (IoT); threshold random walk (TRW);

机译：僵尸网络;命令和控制（C＆C）;域生成算法（DGA）;快速检测;物联网（物联网）;阈值随机步行（TRW）;

相似文献

外文文献
中文文献
专利

1. Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications [J] . Hikaru Ichise, Yong Jin, Katsuyoshi Iida IEICE Communications Express . 2016,第3期

机译：通孔解析器DNS TXT查询分析和僵尸网络通信的检测可能性
2. Detection of IRC Botnet C&C channels using the instruction syntax [J] . Hongli Zhang Consultant. . 2017,第9期

机译：使用指令语法检测IRC Botnet C＆C信道
3. Lightweight C&C based botnet detection using Aho-Corasick NFA [J] . Udhayan J, Anitha R, Hamsapriya T International Journal of Network Security & Its Applications . 2010,第4期

机译：使用Aho-Corasick NFA进行轻量级基于C＆C的僵尸网络检测
4. Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications [C] . Ichise Hikaru, Yong Jin, Iida Katsuyoshi IEEE Pacific Rim Conference on Communications, Computers and Signal Processing . 2015

机译：通孔解析器DNS TXT查询分析和僵尸网络通信的检测可能性
5. UMUDGA: A dataset for profiling algorithmically generated domain names in botnet detection [O] . Mattia Zago, Manuel Gil Pérez, Gregorio Martínez Pérez 2020

机译：UMUDGA：用于在僵尸网络检测中概要分析算法生成的域名的数据集
6. Mentor: Positive DNS Reputation to Skim-Off Benign Domains in Botnet C&C Blacklists [O] . Kheir, Nizar, Tran, Frédéric, Caron, Pierre, 2014

机译：导师：积极的DNS声誉使僵尸网络C＆C黑名单中的良性域名脱颖而出

ConnSpoiler: Disrupting C&C Communication of IoT-Based Botnet Through Fast Detection of Anomalous Domain Queries

摘要

著录项

相似文献

相关主题

期刊订阅