109

urn:lsid:arphahub.com:pub:3dc5f44e-8666-58db-bc76-a455210e8891

JUCS - Journal of Universal Computer Science

jucs

0948-695X 0948-6968

Journal of Universal Computer Science

10.3217/jucs-025-11-1417

22670

Research Article

D.4.6 - Security and Protection I.5.3 - Clustering K.6.5 - Security and Protection

Analysis of the Infection and the Injection Phases of the Telnet Botnets

Bajtoš

Tomáš

tomas.bajtos@upjs.sk 1 Sokol

Pavol

1 Gajdoš

Andrej

1 Lučivjanská

Katarína

1 Mézešová

Terézia

Pavol Jozef Šafárik University, Košice, Slovakia

Pavol Jozef Šafárik University

Košice

Slovakia

Corresponding author: Tomáš Bajtoš (tomas.bajtos@upjs.sk).

Academic editor:

2019

28 11 2019

25 11 1417 1436 324CFF29-7690-5D96-8D1F-0739B7726D1E 4840920 15 02 2019 26 07 2019

Tomáš Bajtoš, Pavol Sokol, Andrej Gajdoš, Katarína Lučivjanská, Terézia Mézešová

This article is freely available under the J.UCS Open Content License.

Abstract

With the number of Internet of Things devices increasing, also the number of vulnerable devices connected to the Internet increases. These devices can become part of botnets and cause damage to the Internet infrastructure. In this paper we study telnet botnets and their behaviour in the first two stages of its lifecycle - initial infection, and secondary infection. The main objective of this paper is to determine specific attributes of their behavior during these stages and design a model for profiling threat agents into telnet botnets groups. We implemented a telnet honeynet and analyzed collected data. Also, we applied clustering methods for security incident profiling. We consider K-modes and PAM clustering algorithms. We found out that a number of sessions and credential guessing are easily collected and United States of Americable attributes for threat agents profiling.