Wang Huanran, He Hui, Zhang Weizhe, Liu Wenmao, Liu Peng, Javadpour Amir
School of Cyberspace Science, Harbin Institute of Technology, Harbin, China.
Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China.
Comput Electr Eng. 2022 Sep;102:108212. doi: 10.1016/j.compeleceng.2022.108212. Epub 2022 Jul 8.
Corona Virus Disease 2019 (COVID-19) has led to an increase in attacks targeting widely deployed smart devices. A vulnerable device can join multiple botnets simultaneously or sequentially. When records of different attack patterns are mixed together in the captured attack data, the security analyst produces an inaccurate report. There are numerous studies on botnet detection, but there is no publicly available solution that classifies attack patterns by botnet control period. To fill this gap, we propose a novel data-driven method based on an intuitive hypothesis: bots tend to show time-related attack patterns within the same botnet control period. We deploy 462 honeypots in 22 countries to capture real-world attack activity and propose an algorithm to identify control periods. Experiments have demonstrated our method's efficacy. In addition, we present eight interesting findings that will help the security community better understand and fight botnet attacks now and in the future.
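The abstract does not describe the control-period algorithm itself, so the following is an added illustration, not the paper's method or code: it takes the stated hypothesis (a bot's attacks within one control period share a time-related pattern) and segments a single bot's honeypot timeline into periods using an assumed heuristic, breaking a period when the attack rhythm is interrupted or the targeted service changes. The `Attack` record, the thresholds `gap_factor` and `min_events`, and the sample records are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Attack:
    """One honeypot attack record (fields assumed for this example)."""
    ts: int    # seconds since epoch
    src: str   # attacking bot (source address)
    port: int  # honeypot service that was hit


def segment_control_periods(events, gap_factor=5.0, min_events=3):
    """Split one bot's attack timeline into control periods.

    Heuristic assumed for this example (not the paper's algorithm): within one
    control period the bot keeps a regular attack rhythm against one service.
    A new period starts when
      * the silence since the previous attack exceeds gap_factor times the
        median interval observed so far in the current period, or
      * the targeted service changes after at least min_events attacks.
    Returns a list of period summaries in chronological order.
    """
    periods = []
    current = []

    def close():
        # Summarise the open period and reset the buffer.
        if current:
            ts = [e.ts for e in current]
            intervals = [b - a for a, b in zip(ts, ts[1:])]
            periods.append({
                "start": ts[0],
                "end": ts[-1],
                "count": len(current),
                "ports": sorted({e.port for e in current}),
                "median_interval": median(intervals) if intervals else None,
            })
            current.clear()

    for e in sorted(events, key=lambda e: e.ts):
        if current:
            ts = [x.ts for x in current]
            intervals = [b - a for a, b in zip(ts, ts[1:])]
            gap = e.ts - current[-1].ts
            # Need at least two intervals before the rhythm is meaningful.
            rhythm_break = len(intervals) >= 2 and gap > gap_factor * median(intervals)
            service_switch = len(current) >= min_events and e.port != current[-1].port
            if rhythm_break or service_switch:
                close()
        current.append(e)
    close()
    return periods


def control_periods_by_bot(events, **kw):
    """Group records by attacking bot and segment each bot separately."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    return {src: segment_control_periods(evs, **kw) for src, evs in sorted(by_src.items())}


# Constructed honeypot records for this example (not real capture data):
# bot 10.0.0.5 hits Telnet every 60 s, later every 5 s, then switches to HTTP.
SAMPLE = (
    [Attack(t, "10.0.0.5", 23) for t in (0, 60, 120, 180, 240)]
    + [Attack(t, "10.0.0.5", 23) for t in (10000, 10005, 10010, 10015)]
    + [Attack(t, "10.0.0.5", 80) for t in (10020, 10025, 10030)]
    + [Attack(t, "10.0.0.9", 2323) for t in (500, 900)]
)

if __name__ == "__main__":
    for src, periods in control_periods_by_bot(SAMPLE).items():
        print(src)
        for p in periods:
            print("  ", p)
```

On the sample data the bot `10.0.0.5` yields three control periods: a 60-second Telnet rhythm, a 5-second Telnet rhythm separated from it by a long silence, and an HTTP-only period triggered by the service switch. A real analysis would replace the fixed thresholds with values fitted to the honeypot population, but the structure, per-bot segmentation driven by timing regularity, is what the hypothesis in the abstract calls for.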