DOCSLIB.ORG

Self-Defense and Deterrence in Cyberspace

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Harvard Journal of Law & Technology Volume 25, Number 2 Spring 2012 MITIGATIVE COUNTERSTRIKING: SELF-DEFENSE 1 AND DETERRENCE IN CYBERSPACE Jay P. Kesan* and Carol M. Hayes** TABLE OF CONTENTS I. INTRODUCTION .............................................................................. 431 II. THE THREAT: CYBER INTRUSIONS AND POSSIBLE RESPONSES .................................................................................... 437 A. Attacks ...................................................................................... 438 1. What Is a Cyberattack? .......................................................... 439 A. Cyber-What? Attack or Exploitation? ............................... 439 B. Categories of Attackers ..................................................... 440 C. Categories of Attacks ........................................................ 442 i. Malicious Software Attacks ............................................. 442 ii. DoS and DDoS Attacks .................................................. 444 D. Effects of Cyberattacks ...................................................... 445 2. Recent Cyberattack Threats ................................................... 446 A. Frequency of Cyberattacks ................................................ 449 B. Potential Government Use of Cyberattacks and the Danger of Cyberwar ................................................. 450 i. Cyberwar and Warmaking Powers in the United States .................................................................. 452 ii. Cyberwar Preparations and the Private Sector ............... 456 C. Danger to Critical National Infrastructure ....................... 458 i. Federal Initiatives ............................................................ 460 ii. Public-Private Partnerships ............................................ 462 1. An earlier version of this work received an Honorable Mention Award in the National Research Council’s (“NRC”) Competition on Research and Scholarship in Cyberdeterrence. Jay P. Kesan & Carol M. Hayes, Thinking Through Active Defense in Cyberspace (Ill. Pub. Law and Legal Theory Research Papers Series, Working Paper No. 10-11, 2010), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1691207. * Professor, H. Ross & Helen Workman Research Scholar, and Director of the Program in Intellectual Property & Technology Law, University of Illinois College of Law. ** Research Fellow, University of Illinois College of Law. After receiving her J.D. from the University of Illinois, Carol Hayes served as a Christine Mirzayan Science and Technol- ogy Policy Graduate Fellow at the National Academy of Sciences in Fall 2010. The authors wish to thank Herb Lin, Jack Goldsmith, and the many NRC workshop participants, whose guidance and suggestions greatly contributed to the direction of this Article. We also thank Morell E. Mullins for his assistance with earlier drafts. 430 Harvard Journal of Law & Technology [Vol. 25 B. Current Ways to Address Attacks ............................................. 464 1. Criminal Law Shortcomings .................................................. 467 2. Civil Law Shortcomings ........................................................ 469 3. Passive Defense Approaches ................................................. 471 III. ACTIVE DEFENSE AND MITIGATIVE COUNTERSTRIKING ............ 474 A. What Is Active Defense? ........................................................... 474 B. Different Parts of Active Defense ............................................. 478 1. Intrusion Detection Systems .................................................. 481 2. Traceback ............................................................................... 482 3. Responding to an Attack ....................................................... 483 C. A Need for More Advanced Technology .................................. 484 D. Socially Optimal Use of Active Defense .................................. 485 IV. ANALYZING ATTACKS AND COUNTERSTRIKES UNDER CURRENT LEGAL REGIMES ........................................................... 488 A. U.S. Law ................................................................................... 488 1. Statutes .................................................................................. 490 A. Computer Fraud and Abuse Act ........................................ 491 2. Common Law ........................................................................ 496 A. Intentional Tort .................................................................. 497 B. Negligence ......................................................................... 498 C. Defenses to Negligence Claims ......................................... 502 3. Presidential Authority ............................................................ 502 A. Applying Justice Jackson’s Test from Youngstown .......... 504 B. Voluntary Cooperation ...................................................... 506 C. National Defense Authorization Act .................................. 509 B. International Law ..................................................................... 510 1. The Law of War and the U.N. Charter .................................. 512 A. What Is a Use of Force? What Is an Armed Attack? ......... 515 2. European Convention on Cybercrime ................................... 518 V. LAW RELEVANT TO THE USE OF SELF-DEFENSE .......................... 520 A. U.S. Law ................................................................................... 520 B. International Law ..................................................................... 524 1. Self-Defense Under Article 51 of the U.N. Charter .............. 525 2. Anticipatory Self-Defense ..................................................... 527 3. Reprisals ................................................................................ 529 VI. POLICY CONCERNS RELATING TO MITIGATIVE COUNTERSTRIKING ........................................................................ 530 A. The When and Who of Active Defense and Mitigative Counterstriking ...................................................................... 530 1. Relevant Types of Intrusions ................................................. 530 2. Options for Control over Active Defense .............................. 532 A. Private Sector Participation .............................................. 532 B. Government Involvement ................................................... 533 No. 2] Mitigative Counterstriking 431 C. Public-Private Partnerships: An Alternative to Pure Government Control ................................................. 535 B. Potential Procedures for Mitigative Counterstriking .............. 537 C. Addressing the Effect of Mitigative Counterstriking on Third Parties .......................................................................... 538 VII. CONCLUSION ............................................................................. 541 I. INTRODUCTION IF WE DO NOT WISH TO FIGHT, WE CAN PREVENT THE ENEMY FROM ENGAGING US EVEN THOUGH THE LINES OF OUR ENCAMPMENT BE MERELY TRACED OUT ON THE GROUND. ALL WE NEED DO IS TO THROW SOMETHING ODD AND UNACCOUNTABLE IN HIS WAY.2 A STRANGE GAME. THE ONLY WINNING MOVE IS NOT TO PLAY.3 Ideas, computers, and intellectual property have become extreme- ly important in the modern Information Age. The Internet has become so essential to modern life that several countries have declared Inter- net access to be a fundamental right.4 But the importance of technolo- gy in the Information Age comes with a downside: the vulnerability of modern society and the global economy to minimally funded cyberat- tacks from remote corners of the world. In the 1950s, American school children were taught to “duck and cover” in the event of an atomic bomb explosion.5 A popular caution- ary film from 1951 warns that a flash of light brighter than the sun accompanies such an explosion and that the flash could cause an inju- 2. SUN TZU, THE ART OF WAR 25 (Lionel Giles trans., El Paso Norte Press 2005) (1910). 3. WARGAMES (United Artists 1983). WarGames is a Cold War-era action film about a sentient computer operated by the U.S. Government and programmed to play through nu- clear war scenarios to find an optimal outcome. The system is hacked by a teenage boy who unwittingly starts a simulation that brings the world to the brink of nuclear war. At the end of WarGames, the sentient computer controlling the U.S. nuclear arsenal finally learns one of the key tenets of deterrence during the Cold War: because of an opponent’s capacity to counterstrike, sometimes foregoing aggressive actions is the only path to an optimal result. See id. Similar principles of deterrence underlie this Article, as we posit that a formalized active defense regime would be more effective at discouraging cyber aggressions than the currently available passive defense methods and legal options under criminal and civil law. 4. See, e.g., COMM. ON OFFENSIVE INFO. WARFARE, NAT’L RESEARCH COUNCIL OF THE NAT’L ACADS., TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES 38 (William A. Owens et al. eds., 2009) [hereinafter NRC REPORT] (noting Estonia’s adoption of this position); Internet Access Is ‘a Fundamental Right,’ BBC NEWS (Mar. 8, 2010), http://news.bbc.co.uk/2/hi/ 8548190.stm (noting that Finland and Estonia take this view); Marshall Kirkpatrick, Is Internet Access a Fundamental Human Right? France’s High Court Says Yes, READWRITEWEB (June 11, 2009,
Recommended publications
  • Identity Theft Literature Review

    Identity Theft Literature Review

    The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Identity Theft Literature Review Author(s): Graeme R. Newman, Megan M. McNally Document No.: 210459 Date Received: July 2005 Award Number: 2005-TO-008 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally- funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. IDENTITY THEFT LITERATURE REVIEW Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement January 27-28, 2005 Graeme R. Newman School of Criminal Justice, University at Albany Megan M. McNally School of Criminal Justice, Rutgers University, Newark This project was supported by Contract #2005-TO-008 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Points of view in this document are those of the author and do not necessarily represent the official position or policies of the U.S.
  • Military Law Max Schoetz Jr

    Military Law Max Schoetz Jr

    Marquette Law Review Volume 3 Article 5 Issue 1 Volume 3, Issue 1 (1918) Military Law Max Schoetz Jr. Follow this and additional works at: http://scholarship.law.marquette.edu/mulr Part of the Law Commons Repository Citation Max Schoetz Jr., Military Law, 3 Marq. L. Rev. 26 (1918). Available at: http://scholarship.law.marquette.edu/mulr/vol3/iss1/5 This Article is brought to you for free and open access by the Journals at Marquette Law Scholarly Commons. It has been accepted for inclusion in Marquette Law Review by an authorized administrator of Marquette Law Scholarly Commons. For more information, please contact [email protected]. MILITARY LAW MAX SCHOETZ, JR., B.A., L.L.B., DEAN MARQUETTE UNIVERSITY COLLEGE Ov LAW, PROFESSOR OV MILITARY LAW S. A. T. C. Military Law' is a well defined branch of jurisprudence. It is the body of rules and regulations that have been prescribed for the government of the army and navy and for the militia when called into active service. It applies to and includes such rules of action and conduct as are imposed by a state upon persons in its military service with a view to the establishment and mainte- nance of military discipline. It is distinguished from martial law in that (I) military law applies only to persons in the land and naval forces while martial law applies to all persons and property within the district subject to it. (2) Military law is a permanent code applicable alike in peace and war while martial law is only temporary and ceases with the necessity which brought it into existence.
  • Are the Current Computer Crime Laws Sufficient Or Should the Writing of Virus Code Be Prohibited?

    Are the Current Computer Crime Laws Sufficient Or Should the Writing of Virus Code Be Prohibited?

    Fordham Intellectual Property, Media and Entertainment Law Journal Volume 18 Volume XVIII Number 3 Volume XVIII Book 3 Article 8 2008 Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited? Robert J. Kroczynski Fordham University School of Law Follow this and additional works at: https://ir.lawnet.fordham.edu/iplj Part of the Entertainment, Arts, and Sports Law Commons, and the Intellectual Property Law Commons Recommended Citation Robert J. Kroczynski, Are the Current Computer Crime Laws Sufficient or Should theriting W of Virus Code Be Prohibited?, 18 Fordham Intell. Prop. Media & Ent. L.J. 817 (2008). Available at: https://ir.lawnet.fordham.edu/iplj/vol18/iss3/8 This Note is brought to you for free and open access by FLASH: The Fordham Law Archive of Scholarship and History. It has been accepted for inclusion in Fordham Intellectual Property, Media and Entertainment Law Journal by an authorized editor of FLASH: The Fordham Law Archive of Scholarship and History. For more information, please contact [email protected]. Are the Current Computer Crime Laws Sufficient or Should theriting W of Virus Code Be Prohibited? Cover Page Footnote Alexander Southwell, Shari Sckolnick This note is available in Fordham Intellectual Property, Media and Entertainment Law Journal: https://ir.lawnet.fordham.edu/iplj/vol18/iss3/8 KROCZYNSKI_022508_FINAL 2/25/2008 7:20:52 PM Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited? Robert J. Kroczynski* INTRODUCTION .............................................................................818 I. BACKGROUND OF CYBERCRIME AND VIRUSES........................820 A. DEFINITION OF VIRUSES AND TECHNICAL DESCRIPTIONS ....822 1.
  • Analysis of Malware and Domain Name System Traffic

    Analysis of Malware and Domain Name System Traffic

    Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh A Thesis in The Department of Computer Science and Software Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University Montréal, Québec, Canada July 2014 c Hamad Mohammed Binsalleeh, 2014 CONCORDIA UNIVERSITY Division of Graduate Studies This is to certify that the thesis prepared By: Hamad Mohammed Binsalleeh Entitled: Analysis of Malware and Domain Name System Traffic and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy complies with the regulations of this University and meets the accepted standards with respect to originality and quality. Signed by the final examining committee: Chair Dr. Christian Moreau External Examiner Dr. Nadia Tawbi Examiner to Program Dr. Lingyu Wang Examiner Dr. Peter Grogono Examiner Dr. Olga Ormandjieva Thesis Co-Supervisor Dr. Mourad Debbabi Thesis Co-Supervisor Dr. Amr Youssef Approved by Chair of the CSE Department 2014 Dean of Engineering ABSTRACT Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh Concordia University, 2014 Malicious domains host Command and Control servers that are used to instruct in- fected machines to perpetuate malicious activities such as sending spam, stealing creden- tials, and launching denial of service attacks. Both static and dynamic analysis of malware as well as monitoring Domain Name System (DNS) traffic provide valuable insight into such malicious activities and help security experts detect and protect against many cyber attacks. Advanced crimeware toolkits were responsible for many recent cyber attacks. In order to understand the inner workings of such toolkits, we present a detailed reverse en- gineering analysis of the Zeus crimeware toolkit to unveil its underlying architecture and enable its mitigation.
  • Stuxnet Under the Microscope

    Stuxnet Under the Microscope

    Stuxnet Under the Microscope Revision 1.31 Aleksandr Matrosov, Senior Virus Researcher Eugene Rodionov, Rootkit Analyst David Harley, Senior Research Fellow Juraj Malcho, Head of Virus Laboratory 2 Contents 1 INTRODUCTION ................................................................................................................................. 5 1.1 TARGETED ATTACKS ............................................................................................................................. 5 1.2 STUXNET VERSUS AURORA ..................................................................................................................... 7 1.3 STUXNET REVEALED............................................................................................................................ 11 1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM ................................................................................ 15 2 MICROSOFT, MALWARE AND THE MEDIA ....................................................................................... 17 2.1 SCADA, SIEMENS AND STUXNET .......................................................................................................... 17 2.2 STUXNET TIMELINE............................................................................................................................. 19 3 DISTRIBUTION ................................................................................................................................. 24 3.1 THE LNK EXPLOIT .............................................................................................................................
  • Applying a Framework to Assess Deterrence of Gray Zone Aggression for More Information on This Publication, Visit

    Applying a Framework to Assess Deterrence of Gray Zone Aggression for More Information on This Publication, Visit

    C O R P O R A T I O N MICHAEL J. MAZARR, JOE CHERAVITCH, JEFFREY W. HORNUNG, STEPHANIE PEZARD What Deters and Why Applying a Framework to Assess Deterrence of Gray Zone Aggression For more information on this publication, visit www.rand.org/t/RR3142 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0397-1 Published by the RAND Corporation, Santa Monica, Calif. © 2021 RAND Corporation R® is a registered trademark. Cover: REUTERS/Kyodo Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report documents research and analysis conducted as part of a project entitled What Deters and Why: North Korea and Russia, sponsored by the Office of the Deputy Chief of Staff, G-3/5/7, U.S.
  • Martial Law and National Emergency

    Martial Law and National Emergency

    Order Code RS21024 Updated January 7, 2005 CRS Report for Congress Received through the CRS Web Martial Law and National Emergency Harold C. Relyea Specialist in American National Government Government and Finance Division Summary Crises in public order, both real and potential, often evoke comments concerning a resort to martial law. While some ambiguity exists regarding the conditions of a martial law setting, such a prospect, nonetheless, is disturbing to many Americans who cherish their liberties, expect civilian law enforcement to prevail, and support civilian control of military authority. An overview of the concept of, exercise of, and authority underlying martial law is provided in this report, which will be updated as events warrant. Occasionally, when some national emergency or crisis threatens public order in the United States, the comment is made that the President may ultimately resort to imposing martial law in order to preserve discipline and good behavior. Such was the case when it was thought that year 2000 (Y2K) technology problems might result in situations threatening life, property, or the general welfare in American society. The almost flawless transition to the year 2000, of course, rendered such an action unnecessary. More recently, at least one newspaper erroneously reported that the September 14, 2001, declaration of a national emergency by President George W. Bush in response to terrorist attacks in New York City and Washington, DC, “activated some 500 dormant legal provisions, including those allowing him to impose censorship and martial law.”1 In accordance with the requirements of the National Emergencies Act, the President’s declaration actually activated nine selective provisions of statutory law, identified in his proclamation, pertaining to military and Coast Guard personnel.2 Such comments, nonetheless, suggest a consideration of what martial law constitutes, as well as when and how it might be invoked.
  • The Militarization of US Government Response to COVID-19 and What We Can Do About It About Face: Veterans Against the War March 23, 2020

    The Militarization of US Government Response to COVID-19 and What We Can Do About It About Face: Veterans Against the War March 23, 2020

    National Guard troops stand by as people wait to be tested for coronavirus in New Rochelle, New York, on March 13, 2020. Timothy A. Clary/AFP via Getty Images. The Militarization of US Government Response to COVID-19 and What We Can Do About It About Face: Veterans Against the War March 23, 2020 This statement was written by Drake Logan, a civilian ally to About Face, with input on content by About Face veteran members Lisa Ling, Krystal Two Bulls, Maggie Martin, Erica Manley, Shawn Fischer, Jovanni Reyes, Matt W. Howard, Derek S. Matthews, and Ramon Mejía. Editorial guidance was provided by Clare Bayard, civilian ally to About Face. Authorship is always collective. Summary: This document outlines six broad areas of current political need and opportunity as the US government ramps up the militarization of its response to the coronavirus epidemic. About Face is an organization of post-9/11 service-members and veterans who organize to end a foreign policy of permanent war and the use of military weapons, tactics, and values in communities across the United States. We present this statement in order to generate further conversation on these points both within and beyond our organization, as well as to enter the national media conversation on coronavirus response. Please reach out to About Face if you are a member or civilian who would like to be 1 involved in media work on these issues, or if you would like to help create further independent media. We need to begin by tackling these six areas of political need and opportunity in the time of coronavirus: (1) We need to engage in and spread praxes of community-based defense instead of militarized security.
  • An Analysis of the Asprox Botnet

    An Analysis of the Asprox Botnet

    An Analysis of the Asprox Botnet Ravishankar Borgaonkar Technical University of Berlin Email: [email protected] Abstract—The presence of large pools of compromised com- motives. Exploitable vulnerabilities may exist in the Internet puters, also known as botnets, or zombie armies, represents a infrastructure, in the clients and servers, in the people, and in very serious threat to Internet security. This paper describes the way money is controlled and transferred from the Internet the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines into traditional cash. Many security firms and researchers are the two threat vectors of forming a botnet and of generating working on developing new methods to fight botnets and to SQL injection attacks. The main features of the Asprox botnet mitigate against threats from botnets [7], [8], [9]. are the use of centralized command and control structure, HTTP based communication, use of advanced double fast-flux service Unfortunately, there are still many questions that need to networks, use of SQL injection attacks for recruiting new bots be addressed to find effective ways of protecting against the and social engineering tricks to spread malware binaries. The threats from botnets. In order to fight against botnets in future, objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern it is not enough to study the botnets of past. Botnets are botnet designs in general. This knowledge can be used to develop constantly evolving, and we need to understand the design more effective methods for detecting botnets, and stopping the and structure of the emerging advanced botnets.
  • For More Information Support RAND

    For More Information Support RAND

    CHILDREN AND FAMILIES The RAND Corporation is a nonprofit institution that helps improve policy and EDUCATION AND THE ARTS decisionmaking through research and analysis. ENERGY AND ENVIRONMENT HEALTH AND HEALTH CARE This electronic document was made available from www.rand.org as a public service INFRASTRUCTURE AND of the RAND Corporation. TRANSPORTATION INTERNATIONAL AFFAIRS LAW AND BUSINESS Skip all front matter: Jump to Page 16 NATIONAL SECURITY POPULATION AND AGING PUBLIC SAFETY Support RAND SCIENCE AND TECHNOLOGY Browse Reports & Bookstore TERRORISM AND Make a charitable contribution HOMELAND SECURITY For More Information Visit RAND at www.rand.org Explore the RAND National Security Research Division View document details Limited Electronic Distribution Rights This document and trademark(s) contained herein are protected by law as indicated in a notice appearing later in this work. This electronic representation of RAND intellectual property is provided for non- commercial use only. Unauthorized posting of RAND electronic documents to a non-RAND website is prohibited. RAND electronic documents are protected under copyright law. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see RAND Permissions. This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity. C O R P O R A T I O N Markets for Cybercrime Tools and Stolen Data Hackers’ Bazaar Lillian Ablon, Martin C.
  • Society's Genome.Indb

    Society's Genome.Indb

    Society’s Genome Genetic Diversity’s Role in Digital Preservation By Nathan Thompson with Bob Cone and John Kranz Copyright © 2016 by Spectra Logic Corporation All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including storage and retrieval systems—except in the case of brief quotations embodied in critical articles or reviews—without permission in writing from Spectra Logic Corporation. All product names, logos, and brands mentioned in this book are the property of their respective owners. Neither the authors nor publisher claim any right of ownership to such names, logos, and brands. Cover design by Kristen Coats Back cover image: Detail of “Ptolemy World Map,” from Ptolemy’s the Geography, redrawn by Francesco di Antonio del Chierco (15th century). Housed in the British Library, London. Image retrieved from https:// commons.wikimedia.org/wiki/File:PtolemyWorldMap.jpg. Published by Spectra Logic Corporation 6285 Lookout Road Boulder, Colorado 80301-3580 Tel.: 1.800.833.1132 Fax: 1.303.939.8844 www.spectralogic.com ISBN: 978-0-9975644-0-2 Second Printing Printed and bound in the United States of America 10 9 8 7 6 5 4 3 2 1 This book is printed on acid-free paper. “We are survival machines—robot vehicles blindly programmed to preserve the selfish molecules known as genes. This is a truth that still fills me with astonishment.” —Richard Dawkins, The Selfish Gene Chapter 6 Wolves at the Door Just a few years after the 9/11 attacks, the digital world began showing signs of sudden, profound change.
  • Detecting Botnets Using File System Indicators

    Detecting Botnets Using File System Indicators

    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.