Tongxin xuebao (Jan 2017)
Modeling and countermeasures of a social network-based botnet with strong destroy-resistance
Abstract
To defeat botnets and ensure cyberspace security, a novel social network-based botnet with strong destroy-resistance (DR-SNbot), as well as its corresponding countermeasure, was proposed. DR-SNbot constructed command and control servers (C&C-Servers) based on a social network. Each C&C-Server corresponded to a unique pseudo-random nickname. The botmaster issued commands by hiding them in diaries using information hiding techniques, thereby establishing a novel C&C channel. When different proportions of C&C-Servers were invalid, DR-SNbot would send out different levels of alarms to inform attackers to construct new C&C-Servers. DR-SNbot could then automatically repair C&C communication to ensure its strong destroy-resistance. Under the experimental settings, DR-SNbot could resume C&C communication in a short period of time and keep a 100% control rate even if all the current C&C-Servers were invalid. Finally, a botnet nickname detection method was proposed based on the difference between the lexical features of legitimate nicknames and those of pseudo-random nicknames. Experimental results show that the proposed method can effectively (precision: 96.88%, recall: 93%) detect pseudo-random nicknames generated by social network-based botnets with customized algorithms.
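The detection idea in the abstract, scoring nicknames by lexical features and measuring precision and recall, can be sketched as follows. This is an added example, not code from the paper: the three features, the thresholds, the voting rule and the sample nicknames are all assumptions chosen for illustration, and it assumes ASCII nicknames.

```python
# Added illustration: the lexical features and thresholds are assumptions,
# not the feature set or classifier used in the paper.
VOWELS = set("aeiouy")

def lexical_features(nick):
    """Return (vowel_ratio, max_consonant_run, letter_digit_switches)."""
    s = nick.lower()
    letters = [c for c in s if c.isalpha()]
    # With no letters there is no vowel evidence, so report a neutral 1.0.
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 1.0
    run = longest = 0
    for c in s:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    # Count adjacent positions where a letter meets a digit.
    switches = sum(
        (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha())
        for a, b in zip(s, s[1:])
    )
    return vowel_ratio, longest, switches

def looks_pseudo_random(nick):
    """Flag a nickname when at least two lexical indicators fire."""
    vowel_ratio, longest, switches = lexical_features(nick)
    votes = (vowel_ratio < 0.2) + (longest >= 4) + (switches >= 3)
    return votes >= 2

def precision_recall(labelled):
    """labelled: iterable of (nickname, is_pseudo_random) pairs."""
    tp = fp = fn = 0
    for nick, truth in labelled:
        flagged = looks_pseudo_random(nick)
        tp += flagged and truth
        fp += flagged and not truth
        fn += truth and not flagged
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

# Constructed sample, not data from the paper.
SAMPLE = [(n, False) for n in ("alice_wang", "happycat", "john1985",
                               "sunflower", "littlebear", "dj_krnt99")]
SAMPLE += [(n, True) for n in ("xkqzvbnt", "q7w3z9k1", "bdfgrtkl",
                               "zx8vq2pl", "mnbvcxzl")]

if __name__ == "__main__":
    print(precision_recall(SAMPLE))
```

The constructed legitimate nickname `dj_krnt99` is flagged because it is consonant-heavy, which is the kind of false positive that keeps precision below 100% for a purely lexical detector.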