Citation: GUO Xiaojun, CHENG Guang, HU Yifei, DAI Mian. C&C Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory[J]. Journal of Electronics & Information Technology, 2017, 39(3): 525-531. doi: 10.11999/JEIT160410
WANG Tianzuo, WANG Huaimin, LIU Bo, et al. Some critical problems of Botnets[J]. Chinese Journal of Computers, 2012, 35(6): 1192-1208. doi: 10.3724/SP.J.1016.2012.01192.
CHEN P, DESMET L, and HUYGENS C. A study on advanced persistent threats[C]. Proceedings of the 15th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security, Aveiro, Portugal, 2014: 63-72. doi: 10.1007/978-3-662-44885-4_5.
JUELS A and TING F Y. Sherlock Holmes and the case of the advanced persistent threat[C]. Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2012: 2-6.
RAFAEL A R G, GABRIEL M F, and PEDRO G T. Survey and taxonomy of botnet research through life-cycle[J]. ACM Computing Surveys, 2013, 45(4): 1-33. doi: 10.1145/2501654.2501659.
GU G F, ZHANG J, and LEE W. BotSniffer: detecting botnet command and control channels in network traffic[C]. Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 2008: 10-22.
STONE-GROSS B, COVA M, CAVALLARO L, et al. Your botnet is my botnet: Analysis of a botnet takeover[C]. Proceedings of the 16th ACM Conference on Computer and Communications Security, Hyatt Regency Chicago, IL, USA, 2009: 635-647. doi: 10.1145/1653662.1653738.
PORRAS P, SAIDI H, and YEGNESWARAN V. An analysis of the iKee.B iPhone botnet[C]. Proceedings of the 2nd International ICST Conference on Security and Privacy in Mobile Information and Communication Systems, Catania, Sicily, Italy, 2010: 141-152. doi: 10.1007/978-3-642-17502-2_12.
CHO C Y, CABALLERO J, GRIER C, et al. Insights from the inside: A view of botnet management from infiltration[C]. Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2010: 120-132.
BILGE L, BALZAROTTI D, ROBERTSON W, et al. Disclosure: detecting botnet command and control servers through large-scale netflow analysis[C]. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 2012: 129-138. doi: 10.1145/2420950.2420969.
ANDRIESSE D, ROSSOW C, STONE-GROSS B, et al. Highly resilient peer-to-peer botnets are here: an analysis of Gameover Zeus[C]. Proceedings of the 8th International Conference on Malicious and Unwanted Software: The Americas, Fajardo, Portugal, 2013: 116-123. doi: 10.1109/MALWARE.2013.6703693.
RAHIMIAN A, ZIARATI R, PREDA S, et al. On the reverse engineering of the citadel botnet[C]. Proceedings of the 6th International Symposium Foundations and Practice of Security, La Rochelle, France, 2014: 408-425. doi: 10.1007/978-3-319-05302-8_25.
GAN C, CETIN O, and VAN E M. An empirical analysis of ZeuS C&C lifetime[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 97-108. doi: 10.1145/2714576.2714579.
CHOI H, LEE H, LEE H, et al. Botnet detection by monitoring group activities in DNS traffic[C]. Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Aizu-Wakamatsu, Fukushima, Japan, 2007: 715-720. doi: 10.1109/CIT.2007.90.
STRAYER W T, LAPSELY D, WALSH R, et al. Botnet Detection Based on Network Behavior[M]. New York, USA, Springer Science Business Media, 2008: 1-24. doi: 10.1007/978-0-387-68768-1_1.
SAAD S, TRAORE I, GHORBANI A, et al. Detecting P2P botnets through network behavior analysis and machine learning[C]. Proceedings of the 9th Annual International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada, 2011: 174-180. doi: 10.1109/PST.2011.5971980.
ZHAO D, TRAORE I, SAYED B, et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers & Security, 2013, 39(4): 2-16. doi: 10.1016/j.cose.2013.04.007.
DIETRICH C J, ROSSOW C, and POHLMANN N. CoCoSpot: clustering and recognizing botnet command and control channels using traffic analysis[J]. Computer Networks, 2013, 57(2): 475-486. doi: 10.1016/j.comnet.2012.06.019.
JIANG H and SHAO X. Detecting P2P botnets by discovering flow dependency in C&C traffic[J]. Peer-to-Peer Networking and Applications, 2014, 7(4): 320-331. doi: 10.1007/s12083-012-0150-x.
BILGE L, SEN S, BALZAROTTI D, et al. EXPOSURE: a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security, 2014, 16(4): 289-296. doi: 10.1145/2584679.
CHANG W, MOHAISEN A, WANG A, et al. Measuring botnets in the wild: Some new trends[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 645-650. doi: 10.1145/2714576.2714637.
LEVON E, BERNARD A, and DAVE T. Link-Local Multicast Name Resolution (LLMNR)[OL]. https://tools.ietf.org/html/rfc4795. 2015.
CAVALCANTE A P A, BOUDY J, ISTRATE D, et al. A dynamic evidential network for fall detection[J]. IEEE Journal of Biomedical and Health Informatics, 2014, 18(4): 1103-1113. doi: 10.1109/JBHI.2013.2283055.
GUO X J, CHENG G, PAN W B, et al. A novel search engine-based method for discovering command and control server[C]. Proceedings of the 15th International Conference On Algorithms and Architectures for Parallel Processing. Zhangjiajie, China, 2015: 311-322. doi: 10.1007/978-3-319-27137-8_24.
YIN T, ZHANG Y, and LI S. DR-SNBot: a social network-based botnet with Strong Destroy-Resistance[C]. Proceedings of the 9th IEEE International Conference on Networking, Architecture, and Storage, Tianjin, China, 2014: 191-199. doi: 10.1109/NAS.2014.37.
NAJAM M, YOUNIS U, and RASOOL R. Speculative parallel pattern matching using stride-k DFA for deep packet inspection[J]. Journal of Network and Computer Applications, 2015, 54: 78-87. doi: 10.1016/j.jnca.2015.04.013.