Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Understanding Adversarial Strategies from Bot Recruitment to Scheduling

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_20,
        author={Wentao Chang and Aziz Mohaisen and An Wang and Songqing Chen},
        title={Understanding Adversarial Strategies from Bot Recruitment to Scheduling},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Distributed denial of service Botnets Behavioral analysis},
        doi={10.1007/978-3-319-78813-5_20}
    }
    
  • Wentao Chang
    Aziz Mohaisen
    An Wang
    Songqing Chen
    Year: 2018
    Understanding Adversarial Strategies from Bot Recruitment to Scheduling
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_20
Wentao Chang1,*, Aziz Mohaisen2,*, An Wang1,*, Songqing Chen1,*
  • 1: George Mason University
  • 2: The University of Central Florida
*Contact email: wchang7@gmu.edu, mohaisen@ucf.edu, awang10@gmu.edu, sqchen@gmu.edu

Abstract

Today, botnets are still one of the most prevalent and devastating attack platforms that cyber criminals rely on to launch large-scale Internet attacks. Botmasters behind the scenes are becoming more agile and discreet, and some new and sophisticated strategies are being adopted to recruit bots and schedule their activities to evade detection more effectively. In this paper, we conduct a measurement study of 23 active botnet families to uncover some new botmaster strategies based on an operational dataset collected over a period of seven months. Our analysis shows that, contrary to the common perception that bots are randomly recruited in a best-effort manner, bot recruitment has strong geographical and organizational locality, offering defenses a direction and priority when attempting to shut down these botnets. Furthermore, our study measuring the dynamics of botnet activity reveals that botmasters have started to deliberately schedule their bots to hibernate and alternate in attacks so that the detection window becomes smaller and smaller.