Memories from PhD: Everything That Has A Beginning Has An End.

Today, I am celebrating one year after I have finished my PhD in Computer Science. If you know how to read in Portuguese, you are more than welcome to send me a feedback. Title: Detecção de Redes de Serviço de Fluxo Rápido Baseada em Otimização por Colônia de Formiga. In English, something like Detecting Fast-Flux Services Network Using Ant Colony Optimization. You can find the download link here.

Abstract

Remote control and remote access of malicious code-enabled computers allow the network operator (botnet) to perform various fraudulent activities such as orchestrating distributed denial of service (DDoS) attacks or propagating malicious code such as virus and IT worms. To maintain control of these infected machines, it is necessary to use a robust communication mechanism against attempts to disrupt network services and to be able to evade intrusion detection systems. Such a mechanism is also known as Command and Control (C&C) channel. To do this, some malicious networks often adopt the Domain Name System (DNS) because of its global and distributed operation, allowing them to simulate legitimate network behaviors from techniques such as Round-Robin DNS (RRDNS) and Content Distribution Networks (CDN). Malicious networks that employ these strategies are called Fast Flow Service Networks, because they are able to modify their behavior to ensure the continuous operation of the services, as well as the Command and Control (C&C) channel. To identify such networks, current intrusion detection systems are constructed from models based on a fixed set of attributes observed at a given time point. However, the operators of these networks are able to subvert such detection models by modifying characteristics such as the number of IP addresses or the lifetime (TTL) of a domain name. For these reasons, this work presents a bioinspired model in the concept of Optimization by Colony of Ants for detection of botnets based on Fast Flow Service Networks. The main objective is to analyze a suspicious domain from different perspectives, because even if it is possible to manipulate certain features, the operator is unlikely to modify a of attributes to evade different classification models at the same time. The experimental results using a real database show that the model is able to generate classification rules that prioritize lower cost from the combination of different detection methods, obtaining an accuracy of more than 93%.

The main idea was to use Ant Colony Optimization to help administrators investigate a Botnet detection from multiple perspective. I mean, while many papers were focusing in a set of attributes and an algorithm to detect Fast-Flux Botnets, I realized that Botmasters are/were able to control certain attributes (features) and bypass.

Having that said, when I mention about multiple perspective, I am referring to different methods used to detect this kind of botnet. So, I understand that Botmasters might be able to counter-attack, invalidate, or poison a set of attributes to circumvent those approaches, however, it is not likely that they can manipulate a large set of attributes for different methods during for a long time of monitoring.

I need to thank my Advisor Prof D.Sc. Eduardo Souto for helping me during those years of intense research and discovery.

Note: In Brazil we don't have PhD degree, our PhD title/label is referred as Doctor of Science (D.Sc.).