Detection of IP Gangs: Strategically Organized Bots

Cited by: 0
Authors
Zhao, Tianyue [1 ,3 ]
Qiu, Xiaofeng [2 ]
Affiliations
[1] Henry M Gunn High Sch, Palo Alto, CA 94306 USA
[2] Beijing Univ Posts & Telecommun, Beijing, Peoples R China
[3] NSFOCUS Inc, Santa Clara, CA 95054 USA
Keywords
IP gang; Botnet; Cybersecurity; Big data;
DOI
10.1007/978-3-319-95786-9_19
Chinese Library Classification
TP18 [Artificial intelligence theory];
Discipline code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Botnets, groups of malware-infected computers (bots) that perform attacks on the Internet, pose one of the most serious cybersecurity threats to many industries, including smart infrastructure [9, 10], Internet-based companies [11], and the Internet of Things (IoT) [8]. There are many unconventional ways of organizing bots that are potentially advantageous to attackers, and "botnet", as a technical term, cannot effectively describe them. With the vast amounts of Internet traffic data collected by security appliances, it is possible to reveal novel bot behavior using data analysis algorithms. In this paper, we propose a concept called IP Gang to describe groups of bots from the perspective of the attacker's business: we define IP Gangs to be groups of bots that often perform attacks together during a period of time. Crucially, we developed a fast, high-compatibility detection algorithm that can be deployed in wide-scale industrial applications to effectively defend against IP Gangs. The detection algorithm is inspired by single-linkage clustering and optimized for large quantities of data. A test on a month (1.5 GB) of real-life DDoS log data detected 21 IP Gangs, with 13916 bots in total. To analyze the behavior of the Gangs, we visualized the activity of each Gang with diagrams named "attack fingerprints" and confirmed that 15 of the detected Gangs displayed behavior that the concept of "botnet" alone cannot describe.
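As an added illustration of the IP Gang idea (not the paper's code; the abstract gives no algorithm details), the following Python groups source IPs that repeatedly co-attack the same target in the same time window, links them single-linkage style with union-find, and summarizes each gang's active events as a simple attack fingerprint. The log record shape, the thresholds, the constructed sample data and the pairwise co-occurrence counting are assumptions of this example, not details from the paper.

```python
"""Toy IP Gang detector: added example, not the paper's implementation."""
from collections import defaultdict
from itertools import combinations

# Constructed sample DDoS log, not real data: (time window, target, source IP).
LOG = [
    (1, "10.0.0.1", "192.0.2.1"), (1, "10.0.0.1", "192.0.2.2"), (1, "10.0.0.1", "192.0.2.3"),
    (2, "10.0.0.5", "192.0.2.1"), (2, "10.0.0.5", "192.0.2.2"), (2, "10.0.0.5", "192.0.2.3"),
    (3, "10.0.0.9", "192.0.2.2"), (3, "10.0.0.9", "192.0.2.3"),
    (1, "10.0.0.7", "198.51.100.1"), (1, "10.0.0.7", "198.51.100.2"),
    (4, "10.0.0.7", "198.51.100.1"), (4, "10.0.0.7", "198.51.100.2"),
    (2, "10.0.0.5", "198.51.100.9"),  # one-off participant: should not join a gang
]


def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def detect_gangs(log, min_shared=2, min_size=2):
    """Return gangs as sorted IP lists; two IPs are linked when they took part in
    at least min_shared common attack events (assumed threshold). Pairwise counting
    per event is the simple version, not the paper's large-data optimization."""
    events = defaultdict(set)
    for window, target, src in log:
        events[(window, target)].add(src)
    shared = defaultdict(int)
    for srcs in events.values():
        for a, b in combinations(sorted(srcs), 2):
            shared[(a, b)] += 1
    parent = {src: src for _, _, src in log}
    for (a, b), n in shared.items():
        if n >= min_shared:  # single-linkage: one strong link merges two clusters
            parent[find(parent, a)] = find(parent, b)
    groups = defaultdict(list)
    for src in parent:
        groups[find(parent, src)].append(src)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


def fingerprint(gang, log, min_members=2):
    """Attack events (window, target) in which at least min_members gang IPs took part."""
    members, hits = set(gang), defaultdict(set)
    for window, target, src in log:
        if src in members:
            hits[(window, target)].add(src)
    return sorted(ev for ev, srcs in hits.items() if len(srcs) >= min_members)
```

Running `detect_gangs(LOG)` on the sample yields two gangs and leaves the one-off address unclustered; raising `min_shared` tightens the linkage and shrinks the gangs accordingly.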
Pages: 254 / 265
Page count: 12