TC: Small: Automatically Identifying Botnet Command and Control Infrastructures

TC：小型：自动识别僵尸网络命令和控制基础设施

• 批准号: 1116777
• 负责人: Engin Kirda
• 金额: $ 48.59万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2015-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1116777&HistoricalAwards=false
• 关键词: TC; Small; Automatically; Identifying; Botnet

Unfortunately, cyber crime has become a business today. In contrast to the Internet security situation ten years ago, most of the significant Internet attacks today aim to make a financial profit. A popular and effective choice of criminals today for sending spam, stealing data, and launching attacks are so called bots -- a type of malware that is written with the intent of compromising and taking control of hosts on the Internet. The main distinguishing characteristic of a bot compared to other types of malware is that a bot is able to establish a command and control (C&C) channel.The goal of this project is to develop novel techniques and tools to detect malicious connections from compromised machines to the C&C servers of botnets. The key insight is that when looking at very large volumes of netflow and DNS data over an extended period of time, connection attempts to benign and malicious addresses should exhibit enough differences in behavior so that they can be automatically distinguished. A key challenge in this project is to identify behavioral features that will allow the detection of connections that exhibit botnet-like behavior.The ability to identify malicious C&C connections and to potentially block and disrupt the communication of the attackers with their bots presents rich opportunities for industrial and societal impact. Furthermore, the research will have a broad effect though education and outreach. The PI will seek broad dissemination of research results through both top publications and industry connections.

不幸的是，网络犯罪如今已成为一项业务。与十年前的互联网安全形势不同，今天大多数重大的互联网攻击都是为了谋取经济利益。如今，犯罪分子发送垃圾邮件、窃取数据和发动攻击的一个流行且有效的选择是所谓的机器人--一种旨在危害和控制互联网主机的恶意软件。与其他类型的恶意软件相比，僵尸程序的主要区别特征是能够建立命令和控制(C&amp；C)通道。该项目的目标是开发新的技术和工具来检测从受危害的机器到僵尸网络的C&amp；C服务器的恶意连接。关键的见解是，当在较长一段时间内查看非常大量的网络流量和DNS数据时，对良性地址和恶意地址的连接尝试应该表现出足够的行为差异，以便自动区分它们。该项目的一个关键挑战是识别行为特征，使其能够检测到表现出僵尸网络行为的连接。识别恶意C&A；C连接并可能阻止和中断攻击者与其僵尸程序的通信的能力，为行业和社会影响提供了丰富的机会。此外，这项研究将通过教育和推广产生广泛的影响。PPI将通过顶级出版物和行业关系寻求研究成果的广泛传播。