Raheem Beyah
Bing Chang
Yingjiu Li
Sencun Zhu (Eds.)
Security and Privacy in Communication Networks 14th International Conference, SecureComm 2018 Singapore, Singapore, August 8–10, 2018
Proceedings, Part II
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 255

Editorial Board
Ozgur Akan, Middle East Technical University, Ankara, Turkey
Paolo Bellavista, University of Bologna, Bologna, Italy
Jiannong Cao, Hong Kong Polytechnic University, Hong Kong, Hong Kong
Geoffrey Coulson, Lancaster University, Lancaster, UK
Falko Dressler, University of Erlangen, Erlangen, Germany
Domenico Ferrari, Università Cattolica Piacenza, Piacenza, Italy
Mario Gerla, UCLA, Los Angeles, USA
Hisashi Kobayashi, Princeton University, Princeton, USA
Sergio Palazzo, University of Catania, Catania, Italy
Sartaj Sahni, University of Florida, Florida, USA
Xuemin Sherman Shen, University of Waterloo, Waterloo, Canada
Mircea Stan, University of Virginia, Charlottesville, USA
Jia Xiaohua, City University of Hong Kong, Kowloon, Hong Kong
Albert Y. Zomaya, University of Sydney, Sydney, Australia

More information about this series at http://www.springer.com/series/8197
Editors
Raheem Beyah, Klaus Advanced Computing Building, Georgia Institute of Technology, Atlanta, GA, USA
Bing Chang, Singapore Management University, Singapore, Singapore
Yingjiu Li, School of Information Systems, Singapore Management University, Singapore, Singapore
Sencun Zhu, Pennsylvania State University, University Park, PA, USA
ISSN 1867-8211    ISSN 1867-822X (electronic)
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
ISBN 978-3-030-01703-3    ISBN 978-3-030-01704-0 (eBook)
https://doi.org/10.1007/978-3-030-01704-0
Library of Congress Control Number: 2018940136

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

We are delighted to introduce the proceedings of the 14th European Alliance for Innovation (EAI) International Conference on Security and Privacy in Communication Networks (SecureComm 2018), held in Singapore, in August 2018. SecureComm seeks high-quality research contributions in the form of well-developed papers. Topics of interest encompass research advances in all areas of secure communications and networking.

The technical program of SecureComm 2018 consisted of 33 full papers and 18 short papers in the main conference sessions. The conference sessions were: Session 1, IoT Security; Session 2, User and Data Privacy; Session 3, Mobile Security I; Session 4, Wireless Security; Session 5, Software Security; Session 6, Cloud Security I; Session 7, Mobile Security II; Session 8, Social Network and Enterprise Security; Session 9, Network Security I; Session 10, Applied Cryptography; Session 11, Network Security II; Session 12, Cloud Security II; and Session 13, Web Security.

Aside from the high-quality technical paper presentations, the technical program also featured two keynote speeches and one technical workshop. The two keynote speeches were given by Prof. Robert Deng from Singapore Management University, Singapore, and Prof. Zhiqiang Lin from Ohio State University, USA. The workshop organized was the 6th International Workshop on Applications and Techniques in Cyber Security (ATCS 2018). The ATCS workshop focused on all aspects of techniques and applications in cyber security research. The purpose of ATCS 2018 was to provide a forum for the presentation and discussion of innovative ideas, cutting-edge research results, and novel techniques, methods, and applications on all aspects of cyber security and machine learning.

Coordination with the Steering Committee co-chairs, Imrich Chlamtac and Guofei Gu, was essential for the success of the conference. We sincerely appreciate their constant support and guidance. It was also a great pleasure to work with such an excellent Organizing Committee team for their hard work in organizing and supporting the conference. In particular, we thank the Technical Program Committee, led by our co-chairs, Dr. Raheem Beyah and Dr. Sencun Zhu, who completed the peer-review process of technical papers and compiled a high-quality technical program. We are also grateful to the conference coordinator, Dominika Belisova, for her support and all the authors who submitted their papers to the SecureComm 2018 conference and workshops.

We strongly believe that the SecureComm conference provides a good forum for all researchers, developers, and practitioners to exchange ideas in all areas of secure communications and networking. We also expect that future SecureComm conferences will be successful and stimulating, as indicated by the contributions presented in this volume.

Bing Chang
Yingjiu Li
Sencun Zhu
Organization

Steering Committee Co-chairs
Imrich Chlamtac, University of Trento, Italy
Guofei Gu, Texas A&M University, USA

Steering Committee Members
Krishna Moorthy Sivalingam, IIT Madras, India
Peng Liu, Pennsylvania State University, USA

Organizing Committee

General Chair
Yingjiu Li, Singapore Management University, Singapore

Technical Program Committee Co-chairs
Raheem Beyah, Georgia Tech, USA
Sencun Zhu, Pennsylvania State University, USA

Publications Chair
Bing Chang, Singapore Management University, Singapore

Publicity and Social Media Co-chairs
Yangguang Tian, Singapore Management University, Singapore
Zhao Wang, Peking University, China
Sankardas Roy, Bowling Green State University, USA

Web Chair
Ximing Liu, Singapore Management University, Singapore

Panels Chair
Min Suk Kang, National University of Singapore, Singapore

Local Chair
Li Tieyan, Shield Lab (Singapore), Huawei Technologies Co., Ltd., Singapore

Conference Manager
Dominika Belisova, EAI - European Alliance for Innovation

Technical Program Committee
Elisa Bertino, Purdue University, USA
Alvaro Cardenas, The University of Texas at Dallas, USA
Kai Chen, Institute of Information Engineering, Chinese Academy of Sciences, China
Yu Chen, State University of New York – Binghamton, USA
Sherman S. M. Chow, The Chinese University of Hong Kong, SAR China
Jun Dai, California State University, Sacramento, USA
Mohan Dhawan, IBM Research, India
Birhanu Eshete, University of Illinois at Chicago, USA
Debin Gao, Singapore Management University, Singapore
Le Guan, Pennsylvania State University, USA
Yong Guan, Iowa State University, USA
Yongzhong He, Beijing Jiaotong University, China
Lin Huang, Qihoo 360 Technology Co. Ltd., China
Heqing Huang, IBM Research, USA
Shouling Ji, Zhejiang University, China
Yier Jin, University of Florida, USA
Issa Khalil, Qatar Computing Research Institute (QCRI), Qatar
Lee Lerner, Georgia Institute of Technology, USA
Ming Li, University of Arizona, USA
Qinghua Li, University of Arkansas, USA
Qi Li, Tsinghua University, China
Xiaojing Liao, College of William and Mary, USA
Yue-Hsun Lin, JD.com, USA
Zhiqiang Lin, The Ohio State University, USA
Yao Liu, University of South Florida, USA
Anyi Liu, Oakland University, USA
Giovanni Livraga, Università degli Studi di Milano, Italy
Javier Lopez, University of Malaga, Spain
Rongxing Lu, University of New Brunswick, Canada
Liran Ma, Texas Christian University, USA
Aziz Mohaisen, University of Central Florida, USA
Goutam Paul, Indian Statistical Institute, India
Rui Qiao, LinkedIn, USA
Sankardas Roy, Bowling Green State University, USA
Pierangela Samarati, Università degli Studi di Milano, Italy
Seungwon Shin, KAIST, South Korea
Kapil Singh, IBM Research, USA
Anna Squicciarini, Pennsylvania State University, USA
Martin Strohmeier, University of Oxford, UK
Kun Sun, George Mason University, USA
A. Selcuk Uluagac, Florida International University, USA
Zhiguo Wan, Shandong University, China
Cong Wang, City University of Hong Kong, SAR China
Wei Wang, Beijing Jiaotong University, China
Lanier Watkins, Johns Hopkins University, USA
Edgar Weippl, SBA Research, Austria
Dinghao Wu, Pennsylvania State University, USA
Jidong Xiao, Boise State University, USA
Kaiqi Xiong, University of South Florida, USA
Zhi Xu, Palo Alto Networks, USA
Shouhuai Xu, University of Texas at San Antonio, USA
Yi Yang, Fontbonne University, USA
Danfeng Yao, Virginia Tech, USA
Kai Zeng, George Mason University, USA
Chao Zhang, Tsinghua University, China
Fengwei Zhang, Wayne State University, USA
Yuqing Zhang, University of Chinese Academy of Sciences, China
Junjie Zhang, Wright State University, USA
Wensheng Zhang, Iowa State University, USA
Yongjun Zhao, The Chinese University of Hong Kong, SAR China
Yunlei Zhao, Fudan University, China
Cliff Zou, University of Central Florida, USA
Contents – Part II

Social Network and Enterprise Security

A Mobile Botnet That Meets Up at Twitter ... 3
    Yulong Dong, Jun Dai, and Xiaoyan Sun
Detecting Suspicious Members in an Online Emotional Support Service ... 22
    Yu Li, Dae Wook Kim, Junjie Zhang, and Derek Doran
Towards a Reliable and Accountable Cyber Supply Chain in Energy Delivery System Using Blockchain ... 43
    Xueping Liang, Sachin Shetty, Deepak Tosh, Yafei Ji, and Danyi Li
Social Bot Detection Using Tweets Similarity ... 63
    Yahan Wang, Chunhua Wu, Kangfeng Zheng, and Xiujuan Wang

Network Security

A Multi-protocol Authentication Shibboleth Framework and Implementation for Identity Federation ... 81
    Mengyi Li, Chi-Hung Chi, Chen Ding, Raymond Wong, and Zhong She
SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks ... 102
    Thomas Lukaseder, Lisa Maile, Benjamin Erb, and Frank Kargl
A Holistic Approach Towards Peer-to-Peer Security and Why Proof of Work Won't Do ... 122
    Bernd Prünster, Dominik Ziegler, Christian Kollmann, and Bojan Suzic
A Robust Intrusion Detection Network Using Thresholdless Trust Management System with Incentive Design ... 139
    Amir Rezapour and Wen-Guey Tzeng
A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet ... 155
    Gaurav Varshney and Pawel Szalachowski
Adaptive Deterrence of DNS Cache Poisoning ... 171
    Sze Yiu Chau, Omar Chowdhury, Victor Gonsalves, Huangyi Ge, Weining Yang, Sonia Fahmy, and Ninghui Li
Mission-Oriented Security Model, Incorporating Security Risk, Cost and Payout ... 192
    Sayed M. Saghaian N. E., Tom La Porta, Trent Jaeger, Z. Berkay Celik, and Patrick McDaniel
On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name ... 213
    Eman Salem Alashwali and Kasper Rasmussen

Applied Cryptography

Neural Network Based Min-entropy Estimation for Random Number Generators ... 231
    Jing Yang, Shuangyi Zhu, Tianyu Chen, Yuan Ma, Na Lv, and Jingqiang Lin
Improved Quantum Key Distribution Networks Based on Blom-Scheme ... 251
    Ya-Qi Song and Li Yang
Implementation of High Throughput XTS-SM4 Module for Data Storage Devices ... 271
    Liang Zheng, Changting Li, Zongbin Liu, Lingchen Zhang, and Cunqing Ma
Detecting and Defending Against Certificate Attacks with Origin-Bound CAPTCHAs ... 291
    Adil Ahmad, Faizan Ahmad, Lei Wei, Vinod Yegneswaran, and Fareed Zaffar

Web Security

FrameHanger: Evaluating and Classifying Iframe Injection at Large Scale ... 311
    Ke Tian, Zhou Li, Kevin D. Bowers, and Danfeng (Daphne) Yao
Xilara: An XSS Filter Based on HTML Template Restoration ... 332
    Keitaro Yamazaki, Daisuke Kotani, and Yasuo Okabe
Local Storage on Steroids: Abusing Web Browsers for Hidden Content Storage and Distribution ... 352
    Juan D. Parra Rodriguez and Joachim Posegga

A Review and Costing of Lightweight Authentication Schemes for Internet of Things (IoT): Towards Design of an Authentication Architecture for Smart Home Applications ... 375
    Attlee M. Gamundani, Amelia Phillips, and Hippolyte N. Muyingi
A Survey of Big Data Security Solutions in Healthcare ... 391
    Musfira Siddique, Muhammad Ayzed Mirza, Mudassar Ahmad, Junaid Chaudhry, and Rafiqul Islam
Malware Detection for Healthcare Data Security ... 407
    Mozammel Chowdhury, Sharmin Jahan, Rafiqul Islam, and Junbin Gao
Secure Communication on NoC Based MPSoC ... 417
    Gaurav Sharma, Soultana Ellinidou, Veronika Kuchta, Rajeev Anand Sahu, Olivier Markowitch, and Jean-Michel Dricot
Online Radicalisation Along a Continuum: From When Individuals Express Grievances to When They Transition into Extremism ... 429
    Yeslam Al-Saggaf
A Multiple Linear Regression Based High-Performance Error Prediction Method for Reversible Data Hiding ... 441
    Bin Ma, Xiaoyu Wang, Bing Li, and Yunqing Shi
A Secure AODV Protocol Improvement Scheme Based on Fuzzy Neural Network ... 453
    Tongyi Xie, Jiawei Mo, and Baohua Huang
What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS ... 468
    Eman Salem Alashwali and Kasper Rasmussen
An Approach to Enhance Understanding of Digital Forensics Technical Terms in the Presentation Phase of a Digital Investigation Using Multimedia Presentations ... 488
    Niken Dwi Wahyu Cahyani, Ben Martini, Kim-Kwang Raymond Choo, and Helen Ashman
Event Reconstruction of Indonesian E-Banking Services on Windows Phone Devices ... 507
    Niken Dwi Wahyu Cahyani, Ben Martini, Kim-Kwang Raymond Choo, and Helen Ashman

Author Index ... 523
Contents – Part I

IoT Security

A Secure Remote Monitoring Framework Supporting Efficient Fine-Grained Access Control and Data Processing in IoT ... 3
    Yaxing Chen, Wenhai Sun, Ning Zhang, Qinghua Zheng, Wenjing Lou, and Y. Thomas Hou
Securing the Smart Home via a Two-Mode Security Framework ... 22
    Devkishen Sisodia, Samuel Mergendahl, Jun Li, and Hasan Cam
Out of Kilter: Holistic Exploitation of Denial of Service in Internet of Things ... 43
    Suhas Setikere, Vinay Sachidananda, and Yuval Elovici
Augmented Chain of Ownership: Configuring IoT Devices with the Help of the Blockchain ... 53
    Sophie Dramé-Maigné, Maryline Laurent, Laurent Castillo, and Hervé Ganem

User and Data Privacy

Secure and Efficient Multi-Party Directory Publication for Privacy-Preserving Data Sharing ... 71
    Katchaguy Areekijseree, Yuzhe Tang, Ju Chen, Shuang Wang, Arun Iyengar, and Balaji Palanisamy
A Formal Logic Framework for the Automation of the Right to Be Forgotten ... 95
    Abhishek Tiwari, Fabian Bendun, and Christian Hammer
Privacy-Preserving Biometric-Based Remote User Authentication with Leakage Resilience ... 112
    Yangguang Tian, Yingjiu Li, Rongmao Chen, Nan Li, Ximeng Liu, Bing Chang, and Xingjie Yu
Differentially Private High-Dimensional Data Publication via Markov Network ... 133
    Fengqiong Wei, Wei Zhang, Yunfang Chen, and Jingwen Zhao

Mobile Security

Automated Identification of Sensitive Data via Flexible User Requirements ... 151
    Ziqi Yang and Zhenkai Liang
Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild ... 172
    Shuaike Dong, Menghao Li, Wenrui Diao, Xiangyu Liu, Jian Liu, Zhou Li, Fenghao Xu, Kai Chen, XiaoFeng Wang, and Kehuan Zhang
Transparent Low-Latency Network Anonymisation for Mobile Devices ... 193
    Martin Byrenheid, Stefan Köpsell, Alexander Naumenko, and Thorsten Strufe
Inferring UI States of Mobile Applications Through Power Side Channel Exploitation ... 210
    Yao Guo, Junming Ma, Wenjun Wu, and Xiangqun Chen
PoliteCamera: Respecting Strangers' Privacy in Mobile Photographing ... 227
    Ang Li, Wei Du, and Qinghua Li
Lexical Mining of Malicious URLs for Classifying Android Malware ... 248
    Shanshan Wang, Qiben Yan, Zhenxiang Chen, Lin Wang, Riccardo Spolaor, Bo Yang, and Mauro Conti
GranDroid: Graph-Based Detection of Malicious Network Behaviors in Android Applications ... 264
    Zhiqiang Li, Jun Sun, Qiben Yan, Witawas Srisa-an, and Shakthi Bachala
FGFDect: A Fine-Grained Features Classification Model for Android Malware Detection ... 281
    Chao Liu, Jianan Li, Min Yu, Bo Luo, Song Li, Kai Chen, Weiqing Huang, and Bin Lv

Wireless Security

An Adaptive Primary User Emulation Attack Detection Mechanism for Cognitive Radio Networks ... 297
    Qi Dong, Yu Chen, Xiaohua Li, Kai Zeng, and Roger Zimmermann
VeReMi: A Dataset for Comparable Evaluation of Misbehavior Detection in VANETs ... 318
    Rens W. van der Heijden, Thomas Lukaseder, and Frank Kargl
Birds of a Feather Flock Together: Fuzzy Extractor and Gait-Based Robust Group Secret Key Generation for Smart Wearables ... 338
    Chitra Javali and Girish Revadigar
Unchained Identities: Putting a Price on Sybil Nodes in Mobile Ad Hoc Networks ... 358
    Arne Bochem, Benjamin Leiding, and Dieter Hogrefe

Software Security

Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions ... 377
    Afsah Anwar, Aminollah Khormali, DaeHun Nyang, and Aziz Mohaisen
Privacy-Enhanced Fraud Detection with Bloom Filters ... 396
    Daniel Arp, Erwin Quiring, Tammo Krueger, Stanimir Dragiev, and Konrad Rieck
FriSM: Malicious Exploit Kit Detection via Feature-Based String-Similarity Matching ... 416
    Sungjin Kim and Brent ByungHoon Kang
A Machine Learning Framework for Studying Domain Generation Algorithm (DGA)-Based Malware ... 433
    Tommy Chin, Kaiqi Xiong, Chengbin Hu, and Yi Li

Cloud Security

Se-Lambda: Securing Privacy-Sensitive Serverless Applications Using SGX Enclave ... 451
    Weizhong Qiang, Zezhao Dong, and Hai Jin
CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era ... 471
    Kennedy A. Torkura, Muhammad I. H. Sukmana, Feng Cheng, and Christoph Meinel
Shuffler: Mitigate Cross-VM Side-Channel Attacks via Hypervisor Scheduling ... 491
    Li Liu, An Wang, WanYu Zang, Meng Yu, Menbai Xiao, and Songqing Chen
Building Your Private Cloud Storage on Public Cloud Service Using Embedded GPUs ... 512
    Wangzhao Cheng, Fangyu Zheng, Wuqiong Pan, Jingqiang Lin, Huorong Li, and Bingyu Li
Secure and Efficient Outsourcing of Large-Scale Overdetermined Systems of Linear Equations ... 529
    Shiran Pan, Wen-Tao Zhu, Qiongxiao Wang, and Bing Chang
Privacy-Preserving Multiparty Learning for Logistic Regression ... 549
    Wei Du, Ang Li, and Qinghua Li
Privacy-Preserving Outsourcing of Large-Scale Nonlinear Programming to the Cloud ... 569
    Ang Li, Wei Du, and Qinghua Li
A Verifiable and Dynamic Multi-keyword Ranked Search Scheme over Encrypted Cloud Data with Accuracy Improvement ... 588
    Qi Zhang, Shaojing Fu, Nan Jia, and Ming Xu

Author Index ... 605
A Mobile Botnet That Meets Up at Twitter

Yulong Dong, Jun Dai, and Xiaoyan Sun
California State University, Sacramento, 6000 J Street, Sacramento, CA 95819, USA
{dong,jun.dai,xiaoyan.sun}@csus.edu

Abstract. Nowadays online social networking is becoming one of the options for botnet command and control (C&C) communication, and QR codes have been widely used in the area of software automation. In this paper, we orchestrate QR codes, Twitter, the Tor network, and a domain generation algorithm to build a new generation of botnet with high recovery capability and stealthiness. Unlike the traditional centralized botnet, our design achieves dynamic C&C communication channels with no single point of failure. In our design, no cryptographic key is hard-coded on bots. Instead, we exploit a domain generation algorithm to produce dynamic symmetric keys, and QR codes as the medium to transport dynamic asymmetric keys. By using this approach, the randomization and confidentiality of the botnet C&C communication payload can be ensured. We implement our design via Twitter and the real-world Tor network. According to the experiment results, our design is capable of C&C communication with low data and minimal CPU usage. The goal of our work is to draw defenders' attention to the cyber abuse of online social networking and the Tor network; in particular, the search feature in online social networks provides a covert meet-up channel, and needs to be investigated as soon as possible. Finally, we discuss several potential countermeasures to defeat our botnet design.

Keywords: Mobile botnet · Online social networking · QR code
1 Introduction

With the fast development of the mobile industry and technology, the number of mobile users has dramatically increased. As the most popular open-source mobile platform in the world, over 2 billion monthly Android devices were found active by May 2017 [1]. To turn the huge number of mobile devices into an army to perform attacks like Distributed Denial of Service (DDoS), SMS interception, and spamming, attackers started to build mobile botnets [2, 3].
Two common command and control (C&C) topologies are found in traditional PC-based botnets: centralized and Peer-to-Peer (P2P)-based structures. In centralized botnets, the C&C communication latency is short and the botmaster can monitor the number of available bots using a single or limited number of C&C servers [4]. However, centralized botnets suffer from a single point of failure, i.e. the botnet can be easily disabled by the defenders via shutting down the C&C channels. Moreover, the botmaster is directly exposed to defenders when the C&C channel is monitored.

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018
R. Beyah et al. (Eds.): SecureComm 2018, LNICST 255, pp. 3–21, 2018.
https://doi.org/10.1007/978-3-030-01704-0_1
On the other hand, P2P-based botnets have no single point of failure and achieve better stealthiness for the botmaster. However, P2P-based botnets suffer from the looseness of the network structure, lack message transmission guarantees, and tend to have longer latency for message delivery [4–6]. Also, P2P-based botnets require higher network overhead to keep the botnets robust [7, 8].

Compared with traditional PC-based botnets, mobile botnets are inherently restricted by the features of mobile platforms: low CPU capacity, small network bandwidth, limited battery and expensive data usage. Given the above comparative study of botnet topology, a centralized botnet design is more desirable for the mobile environment. However, the drawbacks of the centralized design need to be addressed for robustness and stealthiness, especially the single point of failure problem.

Our paper is an effort to solve these issues by exploiting the automation feature of QR codes and the Twitter search engine to build dynamic C&C channels with high recovery abilities. The following paragraphs introduce the techniques that are essential for our solution, as well as the rationales for exploiting them.
Quick Response (QR) code: QR codes have been widely used in mobile software automation in the past few years. Compared with traditional masquerading techniques, QR codes are more stealthy since they have been widely used in daily life for other purposes and cannot be distinguished by human beings. Researchers [9–11] report that QR codes have been used in several attacking methods such as phishing and social engineering attacks. However, the automatic detection and removal of malicious QR codes for security is still a fairly new topic in the area.

Online Social Networking (OSN): As one of the most popular public networking services, OSN draws attention from researchers [12–14] to use it for building C&C channels. Compared with other botnet C&C communication mediums, OSN has several advantages, such as the simplicity of implementation, the portability over multi-platform environments, and the stealthiness. Nowadays, some OSN platforms like Twitter and Sina Blog (a popular Chinese OSN platform) provide a search interface to allow users to find posts of interest by keywords. We find that the search feature provides a possibility to build dynamic C&C channels instead of static (i.e. hard-coded) ones. The dynamic C&C channels can help avoid a single point of failure, and thus deliver better robustness and high recovery capabilities.
Domain Generation Algorithm (DGA): DGA, known from Conficker [15] in 2008, is a solution to avoid a single point of failure in the centralized topology. In general, DGA takes one or multiple seeds as inputs to produce random domain names. Depending on the actual implementation, DGA may hugely increase the difficulty of predicting the next generated domain name, and make it computationally impossible to stop the attack by banning all possible DGA outputs [16]. In our botnet design, we vary DGA to produce random strings instead of domain names. The DGA generation results act as countersigns (left by the botmaster) to help bots find the meet-up place at Twitter.
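Because the paragraph above notes that a seed-driven DGA produces more candidate names than a defender can enumerate and block, detection in practice targets the statistical shape of the generated labels rather than a blocklist. The following Python script is an added example written for this page, not code from the paper or its prototype: it scores the registrable label of each queried name in a few constructed DNS log lines by character entropy, vowel ratio and length, and flags the ones that look machine-generated. The log format, the thresholds and the sample domains are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed format: "<timestamp> <client-ip> <qname>").
# These lines are made up for this example and are not from the paper.
SAMPLE_LOG = """\
2018-08-08T10:00:01Z 10.0.0.5 www.example.com
2018-08-08T10:00:02Z 10.0.0.5 mail.example.org
2018-08-08T10:00:03Z 10.0.0.7 xk3q9vz7lt2wpd8h.com
2018-08-08T10:00:04Z 10.0.0.7 q8z1mvt4rkwn2yb6c.net
2018-08-08T10:00:05Z 10.0.0.9 login.twitter.com
2018-08-08T10:00:06Z 10.0.0.9 securecommconference.org
"""

VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname: str) -> str:
    """Label left of the public suffix, approximated as the second-to-last label
    (assumption: single-label TLDs such as .com/.org/.net; a real deployment
    would consult the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label: str) -> dict:
    """Cheap lexical features that separate dictionary-like labels from random ones."""
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def looks_generated(label: str, min_len: int = 10, min_entropy: float = 3.3,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic verdict: long, high-entropy, vowel-poor labels are DGA-like.
    Thresholds are assumptions chosen for this example, not from the paper."""
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def flag_dga_like(log_text: str):
    """Parse the constructed log and return (client, qname) pairs that look generated."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname = m.groups()
        if looks_generated(registered_label(qname)):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in flag_dga_like(SAMPLE_LOG):
        print(f"suspicious query from {client}: {qname}")
```

The same label scoring applies to the countersign strings the paper has bots search for on Twitter, if it is run over the tokens of candidate posts instead of DNS names. Entropy-style heuristics do produce false positives on CDN hostnames, content hashes and internationalized labels, so in a real pipeline this score is one signal among several (queries per client, NXDOMAIN rate, domain age) rather than a verdict on its own.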
Tor network: The Internet was born as a public network, while the second generation onion router (Tor) [17] provides an ideal technique to achieve anonymity. Tor was invented with a ready-to-use client proxy and web browser. It is natural to think of the Tor network to keep the botmaster's C&C communication anonymous. Today, Tor has been integrated with the mobile platform, such as Orbot [18] for Android. With the appearance of Orbot, the implementation complexity of Tor-based network applications on Android is dramatically decreased, and the botmaster can easily use mobile Android devices to issue commands to the botnet with fair stealthiness.
By creatively orchestrating QR codes, OSN, DGA and the Tor network, our botnet design successfully enables the following features to overcome the natural limitations of traditional centralized and P2P-based botnets.

• Constructing a new OSN-based mobile botnet with no single point of failure.
• Building dynamic C&C channels with high recovery capability based on the Twitter search engine and QR codes.
• Using dynamic asymmetric key pairs and DGA with random seeds to keep the confidentiality of C&C communication traffic.
• Using the Tor network to hide the identity of the botmaster.
• Simple implementation and huge potential threats to all OSNs that include search features.

Our design is generic for both mobile and PC platforms, while our proof of concept and corresponding analysis are conducted on the Android platform. To the best of our knowledge, we are the first to use QR codes as a C&C communication medium in an OSN-based botnet.

The rest of the paper is constructed as follows: in Sect. 2, we introduce the related work. In Sect. 3, we elaborate our botnet design. In Sect. 4, we present the proof of concept, including a walkthrough to demonstrate our botnet workflow. In Sect. 5, we evaluate our work. In Sect. 6, we discuss potential countermeasures to our botnet design. In Sect. 7, we conclude this paper. More design rationales and implementation details are presented in [19], and the prototype code can be provided upon request for research purposes.
2 Related Work

Researchers have proposed a variety of approaches to build botnets on both PC and mobile platforms, either in traditional centralized or P2P-based topologies. We introduce related botnet research and designs in Sect. 2.1, and summarize our literature review in Table 1. The related QR code research is introduced in Sect. 2.2.

Table 1. List of related botnet research & designs

Research              Year  Platform  Botnet topology  C&C channel      Masquerade technique
Hua et al. [20]       2011  Mobile    P2P              SMS              N/A
Zeng et al. [21]      2012  Mobile    P2P              SMS              Plain encrypted text
Faghani et al. [22]   2012  Mobile    Centralized      SMS/OSNs         N/A
Nagaraja et al. [23]  2011  PC        Centralized      OSNs             Steganography (JPEG)
Cui et al. [12]       2011  PC        Centralized      OSNs             Steganography (JPG)
Singh et al. [13]     2013  PC        Centralized      OSNs             N/A
Yin et al. [14]       2014  PC        Centralized      OSNs             Plain encrypted text
Compagno et al. [24]  2015  PC        Centralized      OSNs             Unicode steganography
Koobface [25–27]      2010  PC        Centralized      OSNs/web server  Plain encrypted text
Elirks [28]           2012  PC        Centralized      OSNs             Plain encrypted text
2.1BotnetResearchandDesign SinceShortMessageService(SMS)isacommontechnologyinmobileenvironments,severalresearcheshaveaddressedSMSasC&Cchannelinbotnetdesign. In2011,Huaetal.[20]builtabotnetwithSMSandfloodingalgorithm.Hua’s designsuccessfullyspreadsonecommandto90%of20,000botsin20minwith eachbotsendinglessthan4messages.However,Hua’sdesignsuffersfromthe naturallimitationoffloodingalgorithm,i.e.ifdefendersshutdownabotthat isveryclosetothefirstone,thebotmasterlosestherestofbotsintheflood.
In2012,Zengetal.[21]proposedaSMSandP2P-basedbotnetdesign.Their researchconcludesthattheubiquitousnessofSMS,thesimplicityofaccommodatingofflinebots,andthecapabilityofhidingC&CcommandsmakeSMS suitableforC&Ccommunicationsinmobileenvironment.Howeverthemalicioustextmessagesintheirbotnetdesignisdirectlyexposedtophoneowners, andthemonetarycostofSMSmayattracttheowners’attentionevenwithout anti-malwarealerts.
Ontheotherhand,Faghanietal.[22]designedSocellbotwhichcompares SMSandOSNsascommunicationmediuminmobileenvironment.Basedon theirexperimentresults,OSNsexcelinlowernetworktrafficloadandfaster propagationspeed,andhencearemoresuitableformobileenvironmentthan SMS.
Nagarajaetal.[23]introducedabotnetdesignbycombiningsteganographyandOSNs.InNagarajia’sresearch,alltheC&Ccommunicationcommands arehiddeninJPEGimages.Thebotmasterandbotsusetwohard-codedOSN accountsasC&Cchannels.InNagaraja’sdesign,theC&Ctrafficisstealthy,but thebotnetsuffersfromsinglepointoffailure.Ifthehard-codedOSNaccounts aredetectedandbannedbydefenders,thebotmasterlosescontrolofthewhole botnet.
Similar to Nagaraja's idea, Cui et al. [12] designed an OSN-based botnet called Andbot. Andbot combines URL-flux (a variation of IP-flux), steganography, and Microsoft blogs to decrease the threat of a single point of failure and increase the stealthiness of C&C communication. In their design, the blog works as a C&C channel. Bots use a hard-coded DGA to assemble a URL and find the blog built by the botmaster. After the blog is reached, bots download steganographic images to receive the botmaster's commands.

Following up on Cui's research, Yin et al. [14] reported a newer generation of botnet design combining Sina blogs and a Nickname Generation Algorithm (a variation of DGA) to build dynamic C&C channels. In Yin's design, the botnet has no single point of failure and high resistance to destruction. However, there is still a bottleneck: the network load capacity of each C&C channel is limited. In a large group of bots, the botmaster needs to build multiple C&C channels in order to allow all the bots to retrieve the commands. Also, the identity of the botmaster is directly exposed to the blog website without any protection.
Singh et al. [13] applied Twitter as the C&C communication platform for a centralized botnet. In their design, they take advantage of the OAuth mechanism provided by Twitter to ensure the origin of C&C commands. The botmaster posts C&C commands through its Twitter account. The drawback of this design is that it suffers from a single point of failure. In addition, a list of commands is hard-coded on each bot, which may make the bot prone to detection by anti-virus systems.

In addition to image steganography, Compagno et al. [24] showed that Unicode encoding can be used as a masquerading technique. In their research, the botmaster takes advantage of Unicode and hides the C&C communication using invisible Unicode characters. Compagno's botnet design is able to survive traditional botnet detection and defense strategies, but may be caught by character filtering and statistical analysis of the OSN posts.

Besides the above botnet designs from research, OSNs have already been observed in real-world malware. For example, in 2010 Koobface was detected and investigated by researchers [25–27]. As a network worm, Koobface uses OSNs to download different pieces of malicious content, and does C&C communication through several hard-coded OSN accounts and web servers. The specific OSN accounts can be banned, which makes Koobface suffer from a single point of failure.

Researchers [28] also captured and investigated wild botnets together with their C&C communication methods. An OSN-based botnet called Elirks was detected based on their observation. In Elirks, the botmaster posts the information of the C&C web server on a microblogging service called Plurk. For the C&C server's information, the botmaster uses a modified Tiny Encryption Algorithm (TEA) and a modified Base64 encoding to further masquerade the C&C server's sensitive information. The defenders were able to extract the Plurk accounts used by Elirks by the time the corresponding paper was published. In other words, Elirks did not survive the threat of a single point of failure.
2.2 QR Code Research

In 2010, Kieseberg et al. [10] conducted security research on QR codes. Based on their research, the automation feature of QR codes is vulnerable to SQL injection, command injection, fraud, phishing, and social engineering attacks. Krombholz et al. [9] list several experimental examples to prove that the threats identified by Kieseberg can actually be implemented in real-world environments.

On the other hand, Kharraz et al. [11] investigated 94,770 QR codes from 14.7 million unique web pages in 2014. In their report, they found 145 real-world malicious QR codes that were used in phishing and malware distribution.

Although there is already proof of the existence of malicious QR codes, research on QR code security is still falling behind. Yao et al. [29] did a security investigation of 31 commercial QR code scanners. Based on their evaluation, only two of them include security warnings after users scan a QR code. This is due to the lack of research on the detection of suspicious QR codes.

Our botnet design has four fundamental advantages in contrast with the above related work. First, compared with other OSN-based botnets, our design leverages the OSN search feature to further randomize the locations where the C&C account appears. Theoretically, the botmaster could use any OSN account to publish the C&C commands. Second, beyond other masquerading techniques, we use QR codes to disguise the botnet C&C posts to ensure their stealthiness. Third, instead of hard-coded keys, we use dynamic symmetric and asymmetric keys to ensure the confidentiality of botnet C&C communication. Fourth, the Tor network is integrated into our botnet design to hide the identity of the botmaster.
3 Methodology

We exploit the Twitter search engine, DGA, and QR codes to ensure botnet robustness and stealthiness. Specifically, we leverage Tor, RSA [30], and the Advanced Encryption Standard (AES) [31] cryptographic algorithm respectively to achieve anonymity, integrity, and confidentiality for the botnet C&C communication.

No matter how botnet topologies evolve, pushing, pulling, and listening are the common options for bots to do C&C communication. In this section, we first give an overview of our botnet design. After that, four major parts of our botnet design are introduced in the following subsections: initialization, command pulling, information collection, and command pushing.

In this paper, the terminology is denoted as follows: the DGA is denoted as DGA(), the DGA seeds as Seed1, Seed2, ..., Seedn, the generated results from DGA as S1, S2, ..., Sn, the RSA key pair as Keypub and Keypriv, and a special token as Token. The DGA algorithm is hard-coded on bots, with the DGA seeds derived from timestamps, for synchronization with the botmaster. The special token is a random string concatenated (with a delimiter) with its digital signature signed by the botmaster, i.e. computed with Keypriv. The token is hard-coded on all bots for authentication purposes. No RSA key pairs are hard-coded.
3.1 Botnet Design Overview

As shown in Fig. 1, our botnet design involves five major parts: botmaster, Tor network, Twitter, bots, and a movable web server built by the botmaster. The botmaster's duty is to set up the web server, prepare and publish Twitter posts, and send commands to bots. Twitter's role is to hold a Twitter post as a temporary C&C channel that allows bots to pull a QR code image from the botmaster. The Twitter post contains two major sections: a keyword generated from DGA and a QR code image. The web server is set up by the botmaster to collect information from each bot, such as IP address and device ID. The IP of the web server is propagated to bots as part of the QR code, and thus can be dynamic. The combination of the web server and Twitter posts works as C&C channels which allow bots to do command pulling and information uploading. In addition, every bot sets up a TCP server on its own device. Through information uploading, bots encrypt and upload their identity-sensitive information to the web server. When the botmaster wants to send commands to bots, it downloads and decrypts the bot-uploaded data from the web server, and then sends commands to bots via the Tor network.

In our botnet design, only the DGA algorithm and a special token are hard-coded on both the botmaster and bot sides. The current date (i.e. timestamp) is used as the key factor to produce exactly the same DGA seeds on both the botmaster and bot sides. Depending on the actual implementation, the DGA can take any format of seed that is generated from the current date. All botnet C&C communication is encrypted by AES or RSA, and no key is hard-coded on bots. The symmetric keys used by AES are generated from DGA, and the public key used by RSA is spread as part of the QR code in the botmaster's Twitter post. The special token is used to verify the identity of the botmaster and validate the data source after decryption.

The communication between the botmaster and outside networks is via Tor. As Fig. 1 illustrates, there are five steps in our botnet design. Step 1 serves as the initialization process for the botmaster to prepare and publish the Twitter post. Step 2 is used by bots to download data from the botmaster's Twitter post. Then, bots upload their IP and device information to the web server in Step 3.
10Y.Dongetal.
The botmaster downloads bot data from the web server in Step 4, and uses the downloaded data to send commands to bots via the Tor network in Step 5. In our design, using TCP as the communication protocol in Step 5 has two advantages. First, it is a reliable communication protocol which guarantees message delivery. Second, it makes the design compatible with the Tor network, which only carries TCP streams (HTTP included).

A walkthrough is presented in Sect. 4 to demonstrate the above botnet workflow.
3.2 C&C Communication

Initialization. The botmaster needs to perform a few initialization procedures before the C&C communication starts. First, the botmaster sets up a web server. Second, the botmaster generates two random strings S1 and S2 from DGA(Seed1) and DGA(Seed2). After S1 and S2 are generated, the botmaster collects the web server's address information, as well as a pre-generated RSA key pair Keypub and Keypriv. Third, the botmaster combines the current web server address, the hard-coded token Token, and Keypub as a command, and then encrypts the combined command with S2. Fourth, the botmaster encodes the encrypted command into a QR code image. Finally, the botmaster uses a random Twitter account to publish a post, which contains S1 and the QR code image.

Command Pulling. Bots regularly conduct command pulling, and succeed whenever the botmaster's Twitter post is available. First, similar to the botmaster, bots generate two strings S3 and S4 from DGA(Seed3) and DGA(Seed4). In our design, in order to ensure synchronization between the bots and the botmaster, S3 must be equal to S1 and S4 must be equal to S2. This is ensured by applying the same algorithms to timestamps to get equivalent seeds on both the bot and botmaster sides, and then using the same seeds for the DGA. Bots use S3 as the keyword to query the Twitter search engine to find the post from the botmaster. Bots download the QR code image based on the query response. After the QR code image is downloaded, bots first decode the QR code to retrieve the raw data and then use S4 to decrypt it. The botmaster's public key Keypub and the special Token are contained in the decrypted data, and the bots can use Keypub to verify whether Token was generated by the real botmaster using the paired Keypriv.
Information Collection. The web server is important to maintain the robustness of the botnet, as all bots are instructed to upload their real IP and device ID to the web server after IP spoofing. IP spoofing helps disguise the bot identities during C&C communication, in case they are tracked down. In order to keep their uploaded data safe, all data from bots is encrypted with Keypub, and remains encrypted in database storage at the web server. This way, the botmaster can safely monitor and obtain the information of available bots in the botnet via the web server.

Command Pushing. The botmaster can send commands to bots at any time. For command pushing, all available bots have their current IP addresses stored on the web server. When command pushing is needed, the botmaster first generates S5 from DGA(Seed5). Then, the botmaster combines the command for bots and Token as one string, and encrypts the combined string with S5. The botmaster queries the web server to collect each bot's IP address and decrypts the result using Keypriv. After that, the botmaster extracts the IP addresses of bots and broadcasts the encrypted command via the TCP-based Tor network. After the TCP packets are received, bots generate S6 from DGA(Seed6). Similar to Steps 1 and 2, Seed6 is set (via synchronized timestamps) equal to Seed5 to ensure the bots can decrypt the TCP payload. After checking the presence of Token to validate that the command originated from the botmaster, bots perform the tasks included in the command.

Throughout the above communications, only the DGA algorithm and the special token are hard-coded on both the botmaster and bot sides. The rationale for hard-coding the special token will be elaborated in Sect. 3.3. The various seeds for DGA are synchronized between the botmaster and bots by applying the same computing algorithms to the date/timestamp information. To avoid a single point of failure, our Twitter post account and the web server are dynamic. Each time the botmaster publishes a new Twitter post, the QR code contains the information to redirect bots to the new address of the web server. If the Twitter post is banned by defenders, the botmaster can publish another post from a different and unpredictable account. If the web server is banned, the botmaster sets it up at a new address and generates a new QR code image which contains the new server address. Thus, no matter how defenders destroy the C&C channels, the botmaster always has a way to reconstruct the botnet.
3.3 Cryptography and Botnet Robustness

As we mentioned earlier, all the C&C communication in our botnet design is encrypted either by AES or RSA. Steps 1, 2 and 5 are protected by AES. Steps 3 and 4 are protected by RSA. It is well understood that RSA requires more computing resources than AES. However, AES would require hard-coding of symmetric keys for Steps 3 and 4, while RSA can avoid this. Taking an extreme example, when a bot falls into a honeynet, defenders may easily track down the web server address once the bot is detected. If defenders further manage to get all the encrypted data from the web server and decipher it with cryptanalysis, other bots in the same botnet may get their IP addresses and device IDs directly exposed to defenders. Using RSA as the encryption algorithm can dramatically decrease the risk of such a situation.

In addition to strengthening the data encryption in communication and storage, using the RSA algorithm helps the bots authenticate the connections and commands from the botmaster. For example, if the defense side succeeds in reverse engineering the bot samples and obtaining the hard-coded token together with the botnet workflow information, the botmaster identity may be faked to hijack the ownership of the botnet. This can be defeated by using asymmetric encryption, i.e. the RSA algorithm. Specifically, the special Token includes the digital signature generated using Keypriv, which is only owned by the real botmaster. Hence, only the real botmaster could initiate authentic C&C communication, as nobody else could provide the corresponding Keypub to verify the signature associated with Token. It is possible that reverse-engineering defenders use an intercepted Keypub to pose as the botmaster and issue a bogus web server address to bots. But again, thanks to the RSA algorithm used in Step 3 to encrypt all uploaded data, the fake botmaster will not be able to decipher the bot connection information for further actions. Defenders could not track down the bot addresses either, as Step 3 enforces bots to upload data based on IP spoofing. Deciphering the uploaded data on the web server is the only way to push commands to bots, and only the authentic botmaster can achieve that.
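The five steps of Sect. 3.2 and the Token check of Sect. 3.3, modelled end to end as an added example; this is not the paper's prototype (which targets Android) and not the authors' code. Assumptions, labelled in the comments: the paper does not specify the DGA, so HMAC-SHA256 over the date and a per-step label stands in for DGA(Seed_i); a SHA-256 keystream XOR stands in for AES; textbook RSA over two fixed Mersenne primes stands in for the pre-generated key pair; Twitter, the QR image and the Tor/TCP transport are replaced by in-memory byte strings; and the server address, bot IPs and device IDs are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hard-coded on the botmaster and on every bot: the DGA and the Token. The paper does
# not fix the DGA, so (assumption) HMAC-SHA256 of date|label plays DGA(Seed_i).
DGA_CONSTANT = b"hard-coded-dga-constant"

def dga(date: str, label: str) -> bytes:
    """S_i = DGA(Seed_i); Seed_i is the date plus a per-step label, so bots resync daily."""
    return hmac.new(DGA_CONSTANT, f"{date}|{label}".encode(), hashlib.sha256).digest()[:16]

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream XOR standing in for AES (Steps 1, 2, 5); self-inverse."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Textbook RSA over fixed Mersenne primes (toy size, no padding) stands in for the
# pre-generated key pair; it shows the protocol logic and is not for real use.
E = 65537

def rsa_keypair(p: int, q: int):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))       # Key_pub, Key_priv
def _digest_int(msg: bytes) -> int:                          # 128-bit hash, below n
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")
def rsa_sign(priv, msg: bytes) -> int:
    return pow(_digest_int(msg), priv[1], priv[0])
def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest_int(msg)
def rsa_encrypt(pub, msg: bytes) -> int:
    m = int.from_bytes(msg, "big")
    assert m < pub[0], "record too long for the toy modulus"
    return pow(m, pub[1], pub[0])
def rsa_decrypt(priv, c: int) -> bytes:
    m = pow(c, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def make_token(priv) -> bytes:
    """Token = random string || '|' || signature under Key_priv; installed in every bot."""
    nonce = secrets.token_hex(8).encode()
    return nonce + b"|" + str(rsa_sign(priv, nonce)).encode()
def token_is_authentic(pub, token: bytes) -> bool:
    nonce, sig = token.split(b"|", 1)
    return rsa_verify(pub, nonce, int(sig))

def botmaster_post(date, server_addr: str, pub, token: bytes):
    """Step 1: (S1 keyword, encrypted QR payload) for the Twitter post."""
    s1, s2 = dga(date, "keyword"), dga(date, "qr-key")
    command = b"\n".join([server_addr.encode(), token, f"{pub[0]}:{pub[1]}".encode()])
    return s1.hex(), stream_xor(s2, command)

def bot_pull(date, keyword: str, qr_payload: bytes, installed_token: bytes):
    """Step 2: match S3 == S1, decrypt with S4 == S2, verify Token against Key_pub."""
    s3, s4 = dga(date, "keyword"), dga(date, "qr-key")
    if keyword != s3.hex():
        return None                                          # search would miss this post
    addr, token, key = stream_xor(s4, qr_payload).split(b"\n")
    pub = tuple(int(x) for x in key.split(b":"))
    if token != installed_token or not token_is_authentic(pub, token):
        return None                                          # Key_pub does not fit the pinned Token
    return addr.decode(), pub

def read_post_with_dga(date, qr_payload: bytes) -> str:
    """Caveat: whoever holds the hard-coded DGA reads the post without any key."""
    return stream_xor(dga(date, "qr-key"), qr_payload).split(b"\n")[0].decode()

def bot_upload(pub, ip: str, device_id: str) -> int:
    """Step 3: record encrypted under Key_pub; the web server stores only ciphertext."""
    return rsa_encrypt(pub, f"{ip}|{device_id}".encode())

def botmaster_push(date, priv, token: bytes, records, command: str):
    """Steps 4 and 5: decrypt records with Key_priv, encrypt command || Token with S5."""
    targets = [rsa_decrypt(priv, c).decode().split("|")[0] for c in records]
    return targets, stream_xor(dga(date, "push-key"), command.encode() + b"\n" + token)

def bot_receive(date, installed_token: bytes, payload: bytes):
    """Step 5, bot side: S6 == S5 decrypts; the Token proves the origin."""
    command, _, token = stream_xor(dga(date, "push-key"), payload).partition(b"\n")
    return command.decode() if token == installed_token else None

def run_exchange(date="2018-08-08"):
    """One full cycle with constructed sample values, plus a forged and a stale post."""
    pub, priv = rsa_keypair((1 << 61) - 1, (1 << 89) - 1)
    token = make_token(priv)
    keyword, qr = botmaster_post(date, "203.0.113.7:8080", pub, token)
    server, seen_pub = bot_pull(date, keyword, qr, token)
    records = [bot_upload(seen_pub, ip, dev)
               for ip, dev in [("198.51.100.2", "dev01"), ("198.51.100.3", "dev02")]]
    targets, push = botmaster_push(date, priv, token, records, "task 192.0.2.9 60 5")
    fake_pub, _ = rsa_keypair((1 << 107) - 1, (1 << 127) - 1)  # forger's own key pair
    _, fake_qr = botmaster_post(date, "203.0.113.99:80", fake_pub, token)
    return {"server": server, "targets": targets,
            "command": bot_receive(date, token, push),
            "forged_post_accepted": bot_pull(date, keyword, fake_qr, token) is not None,
            "stale_post_seen": bot_pull("2018-08-09", keyword, qr, token) is not None,
            "readable_with_dga_only": read_post_with_dga(date, qr) == server}
```

Two properties of the design become visible once it is written out. First, the hard-coded Token pins the botmaster's key: a post is accepted only when the Keypub it carries verifies the signature inside the installed Token, so a forger's own key pair is rejected, but Keypub also cannot rotate without re-installing the Token on every bot. Second, the symmetric layer of Steps 1, 2 and 5 is keyed from the hard-coded DGA and the date alone, so anyone who has reverse engineered a bot can compute S2 and S5 and read those payloads (read_post_with_dga); the confidentiality the text argues for in Sect. 3.3 rests on the Step 3 encryption under Keypub, and the origin guarantee rests on the signature, not on AES.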
4 Proof of Concept

To further illustrate our botnet design, in this section we present a quick walk-through with essential implementation details of our botnet prototype. To demonstrate the botnet design of Sect. 3, we run 10 Genymotion emulators on our workstation, one Google Nexus 6 phone, the Tor network, one randomly generated Twitter account, one Apache server, and one MySQL database in an orchestrated way. In our demonstration, each emulator acts as one infected bot and the Nexus phone acts as the botmaster.

In order to emulate an attack, we build a victim website to let bots perform a DDoS attack after Step 5. As Fig. 2 shows, after each bot processes all the steps for command pulling, information collection, and command pushing, the botmaster pushes a command to bots to coordinate them in a DDoS attack against a victim web server. The TCP payload in Step 5 contains an encrypted command which includes Token, the length of the attack, the frequency of the attack, and the IP address of the victim website. We present some command construction details in Sect. 4.2. In our demonstration, the botmaster's web server for information collection and the victim website are both running on Apache. The emulators in Fig. 2 are performing a DDoS attack on the victim website. A full video demonstration is available at [33].
4.1 Botnet Workflow

Initialization. In our botnet implementation, we configure the botmaster to process the initialization on a daily basis. All the botmaster's communications with the public network (i.e. the communications with Twitter and the Internet) go through the Tor network. In our experiments, the botmaster generates new QR codes and DGA strings every single day. Depending on the botmaster's choice, the QR codes can also be updated and tweeted hourly or monthly. No matter how often the Twitter posts are published, the current timestamp is used as the key factor for DGA synchronization across the bots and the botmaster. Whenever needed, the botmaster can choose to renew the address of the web server and let the bots know about the change through a new QR code Twitter post. The botmaster also has the option of using either a standard or a modified QR code encoding and decoding library. After the QR code and DGA strings are ready, as Fig. 3 illustrates, the botmaster can post them with any (unpredictable) Twitter account. In our experiments, the Twitter post stays public until the next one is published by the botmaster. The Twitter accounts used to post the QR code can vary every day.
Fig. 2. Demonstration of botnet DDoS attack

Fig. 3. Publishing a Twitter post