
Conclusion

In document C&C Botnet Detection over SSL (Page 91-97)

In this work we presented a novel detection system that identifies malicious connections over SSL without inspecting the payload of the messages. The solution respects the privacy of users while still protecting them by detecting possible infections within the network. The system can detect zero-day attacks: in our experiments it flagged an infected machine before professional services such as ThreatStop did. This work matters for the literature because it addresses a problem that had not been faced before and proposes a potential solution for it. We have also shown that it is possible to build detection algorithms in a "black-box" manner, where the malware samples are not available for analysis (or are not even known to exist); the detection system is therefore not biased by the specific characteristics of any single malicious program, but is built on important characteristics of the analyzed protocol. We have further confirmed some weaknesses of the SSL protocol that were previously highlighted in research (i.e. broken SSL handshakes vulnerable to man-in-the-middle attacks). Moreover, we have detected malicious misbehaviors over SSL, which we believe could represent a botnet, involving the SSL certificate of one of the most famous websites. This misbehavior has been reported directly to Amazon, that is going to take
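The approach summarized above, detection from handshake-level characteristics rather than from the encrypted payload, shown as an added example that is not the thesis's own code. It parses TLS record and handshake bytes with the standard library only, extracts a handful of metadata features (negotiated version, chosen cipher suite, SNI, number of cipher suites offered, number of certificates sent), and applies a few starting rules over them. One rule targets the weakness the conclusion mentions, a handshake that authenticates no server and is therefore open to a man-in-the-middle. The feature names, the anonymous-suite indicator set and the rules are my assumptions, not the thesis's classifier; the two sample flows are constructed bytes with no real hosts or certificates.

```python
# Added example (not the thesis's code): payload-free feature extraction from a TLS
# handshake and a few assumed rules over those features. Standard library only.
import struct

HANDSHAKE, EXT_SNI = 22, 0
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14
ANON_SUITES = {0x0018, 0x001B, 0x0034, 0x003A, 0x006C, 0x006D, 0x00A6, 0x00A7}  # anon DH, IANA values; assumed set
u16 = lambda b, off: struct.unpack("!H", b[off:off + 2])[0]
u24 = lambda b, off: int.from_bytes(b[off:off + 3], "big")

def handshakes(stream):
    """Walk TLS records, reassemble handshake messages across them, yield (type, body)."""
    buf, off = b"", 0
    while off + 5 <= len(stream):                      # record: type(1) version(2) length(2)
        ctype, length = stream[off], u16(stream, off + 3)
        if ctype == HANDSHAKE:
            buf += stream[off + 5:off + 5 + length]
        off += 5 + length
    off = 0
    while off + 4 <= len(buf):                         # message: type(1) length(3)
        htype, length = buf[off], u24(buf, off + 1)
        yield htype, buf[off + 4:off + 4 + length]
        off += 4 + length

def parse_client_hello(body):
    """version(2) random(32) session_id<1> cipher_suites<2> compression<1> extensions<2>."""
    off = 35 + body[34]                                # past random and session id
    cs_len, off = u16(body, off), off + 2
    ciphers = [u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len + 1 + body[off + cs_len]             # past suites and compression methods
    sni = None
    if off + 2 <= len(body):
        end, off = off + 2 + u16(body, off), off + 2
        while off + 4 <= end:
            etype, elen = u16(body, off), u16(body, off + 2)
            off += 4
            if etype == EXT_SNI:                       # list_len(2) type(1) host_len(2) host
                sni = body[off + 5:off + 5 + u16(body, off + 3)].decode("ascii")
            off += elen
    return {"version": u16(body, 0), "ciphers": ciphers, "sni": sni}

def parse_certificate(body):
    """certificate_list<3>: a sequence of length<3> + DER certificate."""
    end, off, certs = 3 + u24(body, 0), 3, []
    while off < end:
        certs.append(body[off + 3:off + 3 + u24(body, off)])
        off += 3 + u24(body, off)
    return certs

def handshake_features(stream):
    """Handshake metadata only; application data is never examined."""
    f = {"server_version": None, "chosen_cipher": None, "sni": None, "cipher_count": 0, "cert_count": 0}
    for htype, body in handshakes(stream):
        if htype == CLIENT_HELLO:
            ch = parse_client_hello(body)
            f.update(sni=ch["sni"], cipher_count=len(ch["ciphers"]))
        elif htype == SERVER_HELLO:                    # version(2) random(32) session_id<1> cipher(2)
            f.update(server_version=u16(body, 0), chosen_cipher=u16(body, 35 + body[34]))
        elif htype == CERTIFICATE:
            f["cert_count"] = len(parse_certificate(body))
    return f

def flag_handshake(f):
    """Assumed starting rules; the thesis's own classifier is not reproduced here."""
    reasons = []
    if f["chosen_cipher"] in ANON_SUITES or f["cert_count"] == 0:
        reasons.append("no server authentication: handshake is open to man-in-the-middle")
    if f["server_version"] is not None and f["server_version"] <= 0x0300:
        reasons.append("SSLv3 or older negotiated")
    if f["sni"] is None:
        reasons.append("no SNI extension (unusual for browser-originated traffic)")
    return reasons

# Constructed sample flows below: synthetic bytes, no real hosts or certificates.
_msg = lambda t, body: bytes([t]) + len(body).to_bytes(3, "big") + body
_record = lambda body: struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

def build_client_hello(ciphers, sni=None, version=0x0303):
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # zero random, empty session id
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"         # one compression method: null
    exts = b""
    if sni:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts = struct.pack("!HH", EXT_SNI, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    return _record(_msg(CLIENT_HELLO, body + struct.pack("!H", len(exts)) + exts))

def build_server_flight(cipher, certs, version=0x0303):
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    msgs = _msg(SERVER_HELLO, hello)
    if certs is not None:
        lst = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
        msgs += _msg(CERTIFICATE, len(lst).to_bytes(3, "big") + lst)
    return _record(msgs + _msg(SERVER_HELLO_DONE, b""))

BENIGN = (build_client_hello([0xC02F, 0xC030, 0x009C, 0x002F], sni="www.example.com")
          + build_server_flight(0xC02F, [b"\x30" * 900, b"\x30" * 1100]))
# Anonymous DH over SSLv3 with no Certificate message: the MITM-able handshake shape.
SUSPECT = (build_client_hello([0x0034], version=0x0300)
           + build_server_flight(0x0034, None, version=0x0300))
```

Running `flag_handshake(handshake_features(BENIGN))` returns an empty list, while the same call on `SUSPECT` returns three reasons (anonymous suite with no certificate, SSLv3, no SNI). On real traffic the stream would be the reassembled TCP payload of one connection up to the end of the handshake; everything after that is ciphertext and is never touched, which is what keeps the method payload-free.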

