Analysis of the Infection and the Injection Phases of the Telnet Botnets
               Tomáš Bajtoš (Pavol Jozef Šafárik University, Slovakia)
 
               Pavol Sokol (Pavol Jozef Šafárik University, Slovakia)
 
               Andrej Gajdoš (Pavol Jozef Šafárik University, Slovakia)
 
               Katarína Lučivjanská (Pavol Jozef Šafárik University, Slovakia)
 
               Terézia Mézešová (Pavol Jozef Šafárik University, Slovakia)
 
              Abstract: As the number of Internet of Things devices increases, so does the number of vulnerable devices connected to the Internet. These devices can become part of botnets and cause damage to the Internet infrastructure. In this paper we study telnet botnets and their behaviour in the first two stages of their lifecycle: initial infection and secondary infection. The main objective of this paper is to determine specific attributes of their behaviour during these stages and to design a model for profiling threat agents into telnet botnet groups. We implemented a telnet honeynet and analyzed the collected data. We also applied clustering methods for security incident profiling, considering the K-modes and PAM clustering algorithms. We found that the number of sessions and credential guessing are easily collected and usable attributes for threat agent profiling.
             
              Keywords: clustering, profiling, security, telnet honeypot, threat agent 
             Categories: D.4.6, I.5.3, K.6.5