Modeling and countermeasures of a social network-based botnet with strong destroy-resistance

To defeat botnets and ensure cyberspace security,a novel social network-based botnet with strong destroy-resistance (DR-SNbot),as well as its corresponding countermeasure,was proposed.DR-SNbot constructed command and control servers (C＆C-Servers) based on social network.Each C＆C-Server corresponded to a unique pseudo-random nickname.The botmaster issues commanded by hiding them in diaries using information hiding techniques,and then a novel C＆C channel was established.When different proportions of C＆C-Servers were invalid,DR-SNbot would send out different levels of alarms to inform attackers to construct new C＆C-Servers.Then,DR-SNbot could automatically repair C＆C communication to ensure its strong destroy-resistance.Under the experimental settings,DR-SNbot could resume the C＆C communication in a short period of time to keep 100% of the control rate even if all the current C＆C-Servers were invalid.Finally,a botnet nickname detecting method was proposed based on the difference of lexical features of legal nicknames and pseudo-random nicknames.Experimental results show that the proposed method can effectively (precision:96.88%,recall:93%) detect pseudo-random nicknames generated by social network-based botnets with customized algorithms.