Date of Award

Spring 3-2019

Document Type

Dissertation

Degree Name

Doctor of Philosophy in Cyber Operations (PhDCO)

Department

Computer Science

First Advisor

Wayne Pauli

Second Advisor

Kyle Cronin

Third Advisor

Stefani K. Hobratsch

Fourth Advisor

Austin O'Brien

Fifth Advisor

Yong Wang

Abstract

The Mirai botnet deploys a distributed mechanism with each Bot continually scanning for a potential new Bot Victim. A Bot continually generates a random IP address to scan the network for discovering a potential new Bot Victim. The Bot establishes a connection with the potential new Bot Victim with a Transmission Control Protocol (TCP) handshake. The Mirai botnet has recruited hundreds of thousands of Bots. With 100,000 Bots, Mirai Distributed Denial of Service (DDoS) attacks on service provider Dyn in October 2016 triggered the inaccessibility to hundreds of websites in Europe and North America (Sinanović & Mrdovic, 2017). A month before the Dyn attack, the source code was released publicly on the Internet and Mirai spread to half a million bots. Hackers offered Mirai botnets for rent with 400,000 Bots. Recent research has suggested network signatures for Mirai detection. Network signatures are suggested to detect a Bot brute forcing a new Bot Victim with a factory default user-id and password. Research has not been focused on the Bot scanning mechanism. The focus of this research is performing experimentation to analyze the Bot scanning mechanism for when a Bot attempts to establish a connection to a potential new Bot Victim with a TCP handshake. The thesis is presented: it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. The three research questions are (a) Can the Bots be identified for summation? (b) Can the potential new Bot Victims be identified for summation? (c) Is it possible to monitor the Bot scanning mechanism over time? The research questions support the thesis. The Design Science Research (DSR) methodology is followed for designing and evaluating the solution presented in this study. The original Mirai Bot code is used as a research data source to perform a Bot scanner code review. A dataset containing Bot scanning network activity, recorded by the University of Southern California (USC), is utilized as the research data source for experimentation performed with the Mirai Bot Scanner Summation Prototype solution. The Bot scanner code review is performed to identify the Bot scanning functionality and network communications with a potential new Bot Victim. A sampling from the Bot scanning dataset is confirmed from the analysis performed by the code review. The solution created in this study, the Mirai Bot Scanner Summation Prototype, evaluates a Bot scanning dataset. Researchers can use the prototype to tabulate the number of Mirai Bots, the number of potential new Bot Victims, as well as the number of network packet types associated with a Bot attempting to connect to a potential new Bot Victim. Using a database, permanent storage is utilized for counting Bots, potential new Bot Victims, and network packet types. Reporting as well as line-graphs is provided for assessing the Bot scanning mechanism over a time period. Single case experimentation performed with the Mirai Bot Scanner Summation Prototype provides answers to the research questions (a) Bots are identified for summation; (b) Potential new Bot Victims are identified for summation; (c) the Bot scanner is monitored over time. A comparison to a NIDS solution highlights the advantages of the prototype for summating and assessing the Bot scanning dataset. Experimentation with the Mirai Bot Scanner Summation Prototype and NIDS verifies it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. Future research could include adding the additional functionality to the Bot Scanner Summation Prototype for evaluating a Bot scanner dataset for non-potential Bot Victims.

Download

Share

COinS